
ID: 349874
Sample Name: ZeuS.exe
Cookbook: default.jbs
Time: 12:06:15
Date: 08/02/2021
Version: 31.0.0 Emerald


Copyright null 2021 Page 2 of 13

Analysis Report ZeuS.exe

Overview

General Information

Sample Name: ZeuS.exe
Analysis ID: 349874
MD5: e77a6d08421977…
SHA1: 0787ba39c8dd45…
SHA256: b37d9a1f83fd7ff9…
Most interesting Screenshot: (image not reproduced in this extraction)

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

• Antivirus / Scanner detection for sub…
• Detected ZeusVM e-Banking Trojan
• Multi AV Scanner detection for subm…
• Contains VNC / remote desktop func…
• Found evasive API chain (may stop…
• Machine Learning detection for samp…
• Antivirus or Machine Learning detec…
• Contains functionality to dynamically…
• Contains functionality to enumerate…
• Contains functionality to launch a pr…
• Contains functionality to open a port…
• Contains functionality to read the PEB
• Contains functionality to read the cli…
• Contains functionality to retrieve info…
• Contains functionality to shutdown / …
• Contains functionality which may be…
• Detected potential crypto function
• Extensive use of GetProcAddress (o…
• Found evasive API chain (may stop…
• Found evasive API chain checking f…
• Found large amount of non-executed…
• May initialize a security null descriptor
• Program does not show much activi…
• Uses 32bit PE files
• Uses Microsoft's Enhanced Cryptog…
• Uses code obfuscation techniques (…

Classification

Radar chart in the original report (rings: malicious / suspicious / clean). Visible categories: Evader, Miner, Spreading, Exploiter, Banker, Spyware, Trojan / Bot, ZeusVM.

Startup

System is w10x64
ZeuS.exe (PID: 6624 cmdline: 'C:\Users\user\Desktop\ZeuS.exe' MD5: E77A6D08421977EE157A02F2E7590B99)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• AV Detection
• Cryptography
• Compliance
• Spreading
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• E-Banking Fraud
• Protection of GUI
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings
• Remote Access Functionality


AV Detection:

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Compliance:

Uses 32bit PE files

E-Banking Fraud:

Detected ZeusVM e-Banking Trojan

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)

Remote Access Functionality:

Contains VNC / remote desktop functionality (version string found)

Mitre Att&ck Matrix

Remote Initial Privilege Credential Lateral Command Network Service Access Execution Persistence Escalation Defense Evasion Access Discovery Movement Collection Exfiltration and Control Effects Effects Valid Native Create Valid Accounts 1 Valid Accounts 1 Input Network Remote Input Exfiltration Encrypted Eavesdrop on Remotely Accounts 1 API 1 3 Account 1 Capture 1 1 Share Desktop Capture 1 1 Over Other Channel 2 Insecure Track Device Discovery 1 Protocol 1 Network Network Without Medium Communication Authorization Default Scheduled Valid Access Token Access Token LSASS System Time Remote Archive Exfiltration Remote Access Exploit SS7 to Remotely Accounts Task/Job Accounts 1 Manipulation 1 1 Manipulation 1 1 Memory Discovery 2 Desktop Collected Over Software 1 Redirect Phone Wipe Data Protocol Data 1 Bluetooth Calls/SMS Without Authorization Domain At (Linux) Application Application Obfuscated Files Security Security SMB/Windows Clipboard Automated Ingress Tool Exploit SS7 to Obtain Accounts Shimming 1 Shimming 1 or Information 1 Account Software Admin Shares Data 1 Exfiltration Transfer 1 Track Device Device Manager Discovery 1 Location Cloud Backups Local At Logon Script Logon Script (Mac) Install Root NTDS Process Distributed Input Capture Scheduled Protocol SIM Card Accounts (Windows) (Mac) Certificate 1 Discovery 1 Component Transfer Impersonation Swap Object Model

Remote Initial Privilege Credential Lateral Command Network Service Access Execution Persistence Escalation Defense Evasion Access Discovery Movement Collection Exfiltration and Control Effects Effects Cloud Cron Network Network Logon Software LSA Secrets Account SSH Keylogging Data Fallback Manipulate Accounts Logon Script Script Packing 1 Discovery 1 Transfer Channels Device Size Limits Communication Replication Launchd Rc.common Rc.common Steganography Cached System VNC GUI Input Exfiltration Multiband Jamming or Through Domain Owner/User Capture Over C2 Communication Denial of Removable Credentials Discovery 1 Channel Service Media External Scheduled Startup Startup Items Compile After DCSync File and Windows Web Portal Exfiltration Commonly Rogue Wi-Fi Remote Task Items Delivery Directory Remote Capture Over Used Port Access Points Services Discovery 1 Management Alternative Protocol Drive-by Command Scheduled Scheduled Indicator Removal Proc System Shared Credential Exfiltration Application Downgrade to Compromise and Task/Job Task/Job from Tools Filesystem Information Webroot API Hooking Over Layer Protocol Insecure Scripting Discovery 3 Symmetric Protocols Interpreter Encrypted Non-C2 Protocol

Behavior Graph

(Rendered as an image in the original report; only the recoverable details are kept here.)

ID: 349874
Sample: ZeuS.exe
Startdate: 08/02/2021
Architecture: WINDOWS
Score: 76
Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

Graph node: ZeuS.exe (started), with the following signatures attached:
• Antivirus / Scanner detection for submitted sample
• Multi AV Scanner detection for submitted file
• Machine Learning detection for sample
• Contains VNC / remote desktop functionality (version string found)
• Found evasive API chain (may stop execution after checking mutex)
• Detected ZeusVM e-Banking Trojan

Screenshots

Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source     Detection  Scanner         Label              Link
ZeuS.exe   96%        Virustotal                         Browse
ZeuS.exe   98%        ReversingLabs   Win32.Trojan.Zeus
ZeuS.exe   100%       Avira           TR/Spy.A.5678
ZeuS.exe   100%       Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source                         Detection  Scanner  Label               Link
0.0.ZeuS.exe.400000.0.unpack   100%       Avira    TR/Spy.A.5678       Download File
0.2.ZeuS.exe.400000.0.unpack   100%       Avira    TR/Spy.Zbot.619281  Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 349874
Start date: 08.02.2021
Start time: 12:06:15
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 29s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: ZeuS.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal76.bank.troj.evad.winEXE@1/0@0/0
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 100% (good quality ratio 91.5%)
Quality average: 81.5%
Quality standard deviation: 30.5%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated

Warnings: Exclude process from analysis (whitelisted): svchost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: MS-DOS executable
Entropy (8bit): 6.700204512671534
TrID:
  Win32 Executable (generic) a (10002005/4) 99.94%
  DOS Executable Borland Pascal 7.0x (2037/25) 0.02%
  Generic Win/DOS Executable (2004/3) 0.02%
  DOS Executable Generic (2002/1) 0.02%
  VXD Driver (31/22) 0.00%
File name: ZeuS.exe
File size: 141312
MD5: e77a6d08421977ee157a02f2e7590b99
SHA1: 0787ba39c8dd45cb189ce824abfd6fc9faa3d947
SHA256: b37d9a1f83fd7ff965d3187b451ad5669f56b9c39aa6e40cbd841ef0eac7b4d8
SHA512: 775dd98123b62a9a908bf7a40c9e0c5a39e2e7685ce462109e82feb31f8ea24e162a9ee553a93e119e34701aabf90bbe47bbf0f154fa8477a010af4851b48c90
SSDEEP: 3072:/caqyte6tV77snHLLxtUyaXOqdPNbnhW4IxZx5kCZuubFrhU1wKKrONmo:/caBt777snHRXY7PNNW4IxZ7zbC0rONx
File Content Preview: MZ...... PE..L...... M...... :.....

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x41d470
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp: 0x4DA70DA0 [Thu Apr 14 15:07:12 2011 UTC]
TLS Callbacks: (none listed)
CLR (.Net) Version: (none listed)
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 1c2489367a741a394ef5f46c06397c1b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 10h
push ebx
xor ecx, ecx
xor bl, bl
call 00007FDE64725E30h
test al, al
je 00007FDE64726E4Ah
push 00008007h
mov byte ptr [ebp-10h], bl
mov byte ptr [ebp-0Ch], 00000001h
mov byte ptr [ebp-01h], bl
call dword ptr [004011A0h]
lea eax, dword ptr [ebp-08h]
push eax
call dword ptr [0040119Ch]
push eax
call dword ptr [004012CCh]
test eax, eax
je 00007FDE64726DF7h
xor edx, edx
cmp dword ptr [ebp-08h], edx
jle 00007FDE64726DB1h
mov ecx, dword ptr [eax+edx*4]
test ecx, ecx
je 00007FDE64726DA4h
cmp word ptr [ecx], 002Dh
jne 00007FDE64726D9Eh
movzx ecx, word ptr [ecx+02h]
cmp ecx, 66h
je 00007FDE64726D91h
cmp ecx, 69h
je 00007FDE64726D88h
cmp ecx, 6Eh
je 00007FDE64726D7Dh
cmp ecx, 76h
jne 00007FDE64726D86h
mov byte ptr [ebp-01h], 00000001h
jmp 00007FDE64726D80h
mov byte ptr [ebp-0Ch], 00000000h
jmp 00007FDE64726D7Ah
mov bl, 01h
jmp 00007FDE64726D76h
mov byte ptr [ebp-10h], 00000001h
inc edx
cmp edx, dword ptr [ebp-08h]
jl 00007FDE64726D33h
push eax
call dword ptr [00401114h]
test bl, bl
je 00007FDE64726D79h
call 00007FDE647267E4h
jmp 00007FDE64726DA6h
cmp byte ptr [ebp-01h], 00000000h
je 00007FDE64726D95h
call 00007FDE64716FA8h
call 00007FDE64721219h
test byte ptr [004239B0h], 00000004h
mov bl, al
je 00007FDE64726D8Dh
push 00000000h
mov eax, 00423238h
call 00007FDE64716E05h
jmp 00007FDE64726D7Fh

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x1f6a4          0x118         .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x25000          0x11a4        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x1000           0x5a0         .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Columns: Name, Virtual Address, Virtual Size, Raw Size, Xored PE, ZLIB Complexity, File Type, Entropy, Characteristics

.text
  Virtual Address: 0x1000
  Virtual Size: 0x20584
  Raw Size: 0x20600
  Xored PE: False
  ZLIB Complexity: 0.642932553089
  File Type: data
  Entropy: 6.72226048935
  Characteristics: IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

.data
  Virtual Address: 0x22000
  Virtual Size: 0x2054
  Raw Size: 0x400
  Xored PE: False
  ZLIB Complexity: 0.2138671875
  File Type: data
  Entropy: 1.63599053271
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

.reloc
  Virtual Address: 0x25000
  Virtual Size: 0x166a
  Raw Size: 0x1800
  Xored PE: False
  ZLIB Complexity: 0.625813802083
  File Type: data
  Entropy: 5.63870259283
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL: Imports

KERNEL32.dll: VirtualAllocEx, FindClose, LoadLibraryA, RemoveDirectoryW, WaitForMultipleObjects, lstrcmpiW, FindNextFileW, VirtualProtect, GetFileTime, ReleaseMutex, FileTimeToLocalFileTime, GetVolumeNameForVolumeMountPointW, DeleteFileW, GetFileInformationByHandle, LocalFree, GetSystemTime, WriteProcessMemory, SetFileAttributesW, CreateThread, ExpandEnvironmentStringsW, GetCurrentThreadId, ExitProcess, SetEvent, lstrcmpiA, WTSGetActiveConsoleSessionId, CreateEventW, MapViewOfFile, WriteFile, SetThreadPriority, VirtualProtectEx, TlsAlloc, TlsFree, GetFileAttributesExW, GetPrivateProfileStringW, GetPrivateProfileIntW, GetLocalTime, ResetEvent, TlsGetValue, TlsSetValue, TerminateProcess, MoveFileExW, GetModuleFileNameW, GetUserDefaultUILanguage, GetThreadContext, SetThreadContext, GetProcessId, GetNativeSystemInfo, GetVersionExW, GetCommandLineW, SetErrorMode, GetComputerNameW, OpenEventW, DuplicateHandle, GetCurrentProcessId, VirtualQueryEx, SetFileTime, VirtualAlloc, GetProcAddress, SetLastError, GetLastError, OpenMutexW, GetFileSizeEx, GetTempPathW, FlushFileBuffers, MultiByteToWideChar, IsBadReadPtr, GetProcessHeap, CreateFileW, GetTimeZoneInformation, ReadFile, Thread32Next, GetFileAttributesW, HeapCreate, HeapDestroy, ReadProcessMemory, Sleep, LoadLibraryW, WideCharToMultiByte, CreateFileMappingW, Thread32First, VirtualFree, GetCurrentThread, GetModuleHandleW, CreateDirectoryW, HeapFree, SetFilePointerEx, SystemTimeToFileTime, HeapAlloc, CreateProcessW, FreeLibrary, SetEndOfFile, FindFirstFileW, CreateMutexW, HeapReAlloc, GetTempFileNameW, FileTimeToDosDateTime, GetEnvironmentVariableW, CloseHandle, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualFreeEx, OpenProcess, CreateRemoteThread, WaitForSingleObject, EnterCriticalSection, GlobalUnlock, LeaveCriticalSection, InitializeCriticalSection, GetTickCount, UnmapViewOfFile, GlobalLock

USER32.dll: OpenInputDesktop, MenuItemFromPoint, GetMenu, RegisterClassExW, GetMenuItemRect, TrackPopupMenuEx, SystemParametersInfoW, GetClassNameW, GetMenuState, DefWindowProcA, DefMDIChildProcW, SwitchDesktop, GetMenuItemCount, DefDlgProcA, PostThreadMessageW, DefMDIChildProcA, HiliteMenuItem, DefFrameProcA, SendMessageW, CallWindowProcA, EndMenu, CallWindowProcW, DefWindowProcW, DefFrameProcW, GetWindowThreadProcessId, GetMessageW, GetShellWindow, CharLowerW, CreateDesktopW, SetProcessWindowStation, GetThreadDesktop, GetSystemMetrics, MapVirtualKeyW, GetUpdateRgn, CharLowerBuffA, ExitWindowsEx, FillRect, DrawEdge, IntersectRect, EqualRect, PrintWindow, GetWindowRect, PostMessageW, GetParent, GetWindowInfo, GetClassLongW, GetAncestor, SetWindowPos, IsWindow, MapWindowPoints, IsRectEmpty, DrawIcon, GetIconInfo, EndPaint, GetWindowDC, SetCapture, GetSubMenu, BeginPaint, GetMessageA, RegisterClassW, GetUpdateRect, DefDlgProcW, SetCursorPos, GetDCEx, ToUnicode, GetClipboardData, PeekMessageA, GetCursorPos, ReleaseCapture, GetMessagePos, CloseWindowStation, CreateWindowStationW, GetProcessWindowStation, OpenDesktopW, CloseDesktop, SetThreadDesktop, GetUserObjectInformationW, OpenWindowStationW, GetTopWindow, LoadImageW, MsgWaitForMultipleObjects, WindowFromPoint, CharToOemW, GetDC, GetWindowLongW, CharLowerA, RegisterClassExA, RegisterWindowMessageW, GetMenuItemID, SetKeyboardState, RegisterClassA, GetKeyboardState, TranslateMessage, DispatchMessageW, GetWindow, SendMessageTimeoutW, SetWindowLongW, CharUpperW, ReleaseDC, PeekMessageW, GetCapture

ADVAPI32.dll: GetLengthSid, CryptGetHashParam, OpenProcessToken, GetSidSubAuthority, CryptAcquireContextW, OpenThreadToken, GetSidSubAuthorityCount, GetTokenInformation, RegCreateKeyExW, CryptReleaseContext, RegQueryValueExW, CreateProcessAsUserW, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, SetNamedSecurityInfoW, LookupPrivilegeValueW, CryptCreateHash, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegOpenKeyExW, GetSecurityDescriptorSacl, SetSecurityDescriptorSacl, CryptDestroyHash, AdjustTokenPrivileges, RegCloseKey, RegSetValueExW, CryptHashData, EqualSid, RegEnumKeyExW, InitiateSystemShutdownExW, ConvertSidToStringSidW, IsWellKnownSid

SHLWAPI.dll: wvnsprintfW, PathQuoteSpacesW, PathIsURLW, PathRenameExtensionW, StrStrIW, StrStrIA, StrCmpNIW, wvnsprintfA, StrCmpNIA, PathMatchSpecW, PathRemoveBackslashW, PathUnquoteSpacesW, PathAddExtensionW, PathCombineW, SHDeleteKeyW, PathSkipRootW, SHDeleteValueW, PathAddBackslashW, PathRemoveFileSpecW, PathFindFileNameW, PathIsDirectoryW, UrlUnescapeA

SHELL32.dll: ShellExecuteW, SHGetFolderPathW, CommandLineToArgvW

Secur32.dll: GetUserNameExW

ole32.dll: StringFromGUID2, CLSIDFromString, CoUninitialize, CoCreateInstance, CoInitializeEx

GDI32.dll: RestoreDC, SaveDC, DeleteDC, GdiFlush, SetViewportOrgEx, SelectObject, CreateCompatibleDC, CreateDIBSection, GetDeviceCaps, GetDIBits, DeleteObject, SetRectRgn, CreateCompatibleBitmap

WS2_32.dll: WSASetLastError, freeaddrinfo, socket, bind, recv, setsockopt, shutdown, getsockname, getpeername, recvfrom, sendto, WSASend, WSAEventSelect, WSAIoctl, connect, WSAAddressToStringW, WSAStartup, getaddrinfo, select, closesocket, send, listen, accept, WSAGetLastError

CRYPT32.dll: PFXExportCertStoreEx, CertDuplicateCertificateContext, CertEnumCertificatesInStore, PFXImportCertStore, CertCloseStore, CertOpenSystemStoreW, CertDeleteCertificateFromStore, CryptUnprotectData

WININET.dll: HttpAddRequestHeadersW, InternetSetStatusCallbackW, GetUrlCacheEntryInfoW, HttpAddRequestHeadersA, HttpSendRequestW, InternetReadFileExA, InternetQueryDataAvailable, HttpSendRequestExW, HttpSendRequestExA, InternetQueryOptionA, InternetCloseHandle, InternetOpenA, HttpSendRequestA, HttpOpenRequestA, InternetSetOptionA, InternetReadFile, InternetCrackUrlA, InternetQueryOptionW, InternetConnectA, HttpQueryInfoA

OLEAUT32.dll: VariantInit, SysAllocString, VariantClear, SysFreeString

NETAPI32.dll: NetApiBufferFree, NetUserEnum, NetUserGetInfo

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Analysis Process: ZeuS.exe PID: 6624 Parent PID: 5644

General

Start time: 12:07:06
Start date: 08/02/2021
Path: C:\Users\user\Desktop\ZeuS.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\ZeuS.exe'
Imagebase: 0x400000
File size: 141312 bytes
MD5 hash: E77A6D08421977EE157A02F2E7590B99
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Disassembly

Code Analysis
