Suspected Zeus Panda Banking Trojan | VTI by Score
Try VMRay Analyzer
|
VTI Score
95 / 100
|
|
| VTI Database Version | 2.6 |
| VTI Rule Match Count | 93 |
| VTI Rule Type | Default (PE, ...) |
|
Injection | Write into memory of another process |
|
|
"c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe" modifies memory of "c:\windows\syswow64\svchost.exe"
|
|||
|
|
Injection | Modify control flow of another process |
|
|
"c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe" creates thread in "c:\windows\syswow64\svchost.exe"
|
|||
|
|
Information Stealing | Read system data |
|
|
Readout Windows license key.
|
|||
|
Read the Windows installation date from registry.
|
|||
|
|
Anti Analysis | Try to detect application sandbox |
|
|
Possibly trying to detect "wine" by calling GetProcAddress() on "wine_get_unix_file_name".
|
|||
|
|
Anti Analysis | Try to detect firewall |
|
|
Check for firewall via WMI query: "select * from firewallproduct".
|
|||
|
|
Browser | Read data related to browser cookies |
|
|
Read Cookies for "Microsoft Internet Explorer".
|
|||
|
|
Process | Create system object |
|
|
Create mutex with name "8C5FF35F44C67C34381EFF128FE58575".
|
|||
|
Create mutex with name "BA375714EF21E8EC8F43FB71FA3700CC".
|
|||
|
Create mutex with name "Sandboxie_SingleInstanceMutex_Control".
|
|||
|
Create mutex with name "Frz_State".
|
|||
|
Create mutex with name "4F35AC27449784784508471CC1E930C7".
|
|||
|
Create mutex with name "DD53550AC9EB25CC6151CE1EB2A70FC3".
|
|||
|
Create mutex with name "EF45F0E754F1354293A017BE4F985965".
|
|||
|
Create mutex with name "8EB663269EDB2551D78D6BE980D8D1D5".
|
|||
|
Create mutex with name "3A05CFF4EB7DE2EF8F3985678370FA5D".
|
|||
|
Create mutex with name "99DCC4F63896BA52D9D5D3F7098E00E5".
|
|||
|
Create mutex with name "55A4DE17653FCFB535BFCEB7986C3B1D".
|
|||
|
Create mutex with name "843724E431E9542E94836F8E62819404".
|
|||
|
Create mutex with name "ACD86ED691154353041C7827C4241C0D".
|
|||
|
Create mutex with name "BA6E0713253533C2BD32E023F51DAAB1".
|
|||
|
Create mutex with name "E69AF5C9A1CE7CC06B48F35248935FCD".
|
|||
|
Create mutex with name "8592029A1BBD0F5EDCA2A860E613ACDB".
|
|||
|
Create mutex with name "5576A023ACFCB1DF07119694F5D31AAB".
|
|||
|
Create mutex with name "E60F35D6C376C5F82E917CA84B9C2F25".
|
|||
|
Create mutex with name "690CE47B932790ABBAE4486C8750D5B2".
|
|||
|
Create mutex with name "1F6114CF197C565BFF427879E00139DA".
|
|||
|
Create mutex with name "B7B640FD598619C28BD4F0051E0616B4".
|
|||
|
Create mutex with name "C144897552FBD8087BCACE2DF5968566".
|
|||
|
Create mutex with name "8E6BA92214C9B423A575DAF2D449D162".
|
|||
|
|
Process | Create process with hidden window |
|
|
The process ""C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe"" starts with hidden window.
|
|||
|
The process ""C:\Windows\system32\cmd.exe" /c "C:\Users\CIIHMN~1\AppData\Local\Temp\upd7d80021e.bat"" starts with hidden window.
|
|||
|
The process "C:\Windows\SysWOW64\svchost.exe -k netsvcs" starts with hidden window.
|
|||
|
The process ""C:\Users\CIIHMN~1\AppData\Local\Temp\updee12df24.exe" -update" starts with hidden window.
|
|||
|
The process ""C:\Windows\system32\cmd.exe" /c "C:\Users\CIIHMN~1\AppData\Local\Temp\upd3171fe7c.bat"" starts with hidden window.
|
|||
|
|
Anti Analysis | Dynamic API usage |
|
|
Resolve above average number of APIs.
|
|||
|
|
Process | Create a page with write and execute permissions |
|
|
Allocate a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
|
|||
|
|
Hide Tracks | Write large data into the registry |
|
|
Hide 1776 byte in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi\Uzapze".
|
|||
|
Hide 1680 byte in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi\Axoha".
|
|||
|
Hide 95680 byte in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi\Akudfeen".
|
|||
|
Hide 215872 byte in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi\Akudfeen".
|
|||
|
Hide 310112 byte in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi\Akudfeen".
|
|||
|
Hide 531328 byte in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi\Akudfeen".
|
|||
|
Hide 807168 byte in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi\Akudfeen".
|
|||
|
Hide 818816 byte in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi\Akudfeen".
|
|||
|
Hide 837968 byte in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi\Akudfeen".
|
|||
|
|
Persistence | Install system startup script or application |
|
|
Add ""C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe"" to windows startup via registry.
|
|||
|
|
Anti Analysis | Delay execution |
|
|
One thread sleeps more than 5 minutes.
|
|||
|
|
OS | Use encryption API |
|
|
Use above average number of encryption APIs.
|
|||
|
|
Injection | Write into memory of a process running from a created or modified executable |
|
|
"c:\windows\syswow64\svchost.exe" modifies memory of "c:\users\ciihmn~1\appdata\local\temp\updee12df24.exe"
|
|||
|
|
Injection | Modify control flow of a process running from a created or modified executable |
|
|
"c:\windows\syswow64\svchost.exe" creates thread in "c:\users\ciihmn~1\appdata\local\temp\updee12df24.exe"
|
|||
|
|
Network | Download data |
|
|
URL "330f35e9f647.loan/31F9UVfEun/0I1aalj/7QGREH4HU/RK/5rEg".
|
|||
|
URL "330f35e9f647.loan/mtV/jshKPnn7S1/Vn/HMa/z/b-N/oK/Q".
|
|||
|
URL "330f35e9f647.loan/pW6teVTI/k-sq/J/2j7/cmhBJoSRZ8F/qDQ".
|
|||
|
URL "330f35e9f647.loan/8C1SLhHn/2_/8tA/E/H/Fbk/8JMoO2Tv/9/2Kg".
|
|||
|
URL "330f35e9f647.loan/xnecdWiG1/m9/J5MGn6/T/2YACd/yAYfNpLQ".
|
|||
|
URL "330f35e9f647.loan/SEP4vYw6/sPlMZ/3/v0URdi/NOLRdM5J/cg".
|
|||
|
URL "330f35e9f647.loan/NrY/r/c5FHX/_/0aFNoP8C8TO/VnC/g/".
|
|||
|
URL "330f35e9f647.loan/9piYZTuz9/2sx1Clf5U1sISMKMW81/q/MQ".
|
|||
|
URL "330f35e9f647.loan/l6yH/j4/plG2GbX2ldR8utbqF/HD/A".
|
|||
|
URL "330f35e9f647.loan/WJFCdFULD/tP/ZaEGn/rc/211/J/v/ijQ/fN4EQ".
|
|||
|
URL "330f35e9f647.loan/cIh/g/P/V0METF/RW/hZEvuN/Yd5W/J/w/".
|
|||
|
URL "330f35e9f647.loan/sTx52Lxwi/k/OhkZ/j_hXlZYAu/ad/N6VyPA".
|
|||
|
URL "330f35e9f647.loan/TkN2Lgy/t9dSY/UHKX3/Va/P4CpZe5q/Lw".
|
|||
|
URL "330f35e9f647.loan/3qeDwipy/0M/15F3rEV/lgCANe/hdf5/O/PQ".
|
|||
|
URL "330f35e9f647.loan/rSps/ke9sIH_-V/lJ/DI/sKWc/MRONw/".
|
|||
|
URL "330f35e9f647.loan/KbnKhnNec/qN/5/yGGXDaERSOtCLSf9QC/g".
|
|||
|
URL "330f35e9f647.loan/1R52/0u4pYTz_/ExM/AI/4f/XM8U/L/d/g".
|
|||
|
URL "330f35e9f647.loan/Ydqt/uth/tJ1TJV1Vo/FcOR/W_NPMA".
|
|||
|
URL "330f35e9f647.loan/OLKU5tAB/rPB/XBjjZZ2/N-Pfmw/N-N_Bg".
|
|||
|
URL "330f35e9f647.loan/BaoB/o/d1zEU_M/SWNz/EN/2nQPZRBg".
|
|||
|
URL "330f35e9f647.loan/De1Yth/p9kt/Cn/nFYkQAKMa/NRvIPHQ/".
|
|||
|
URL "330f35e9f647.loan/VTNb4H/t/ehSMTnlcHV_E4at/VMNw/Jg".
|
|||
|
URL "330f35e9f647.loan/YrhHB3/us5/0/G0-ef1/NZ/O/fDWW/-V/WDA/".
|
|||
|
URL "330f35e9f647.loan/ywhAhCZ/mst0E/m/Xuf/FhGG/fO/NQ/c1HMw".
|
|||
|
URL "330f35e9f647.loan/aV1M3/guotHj7McBB8QtOzM9oNJ/Q".
|
|||
|
URL "330f35e9f647.loan/gyRVM2W/hM/VOBU/C/fc/UZI/I-So/MMBZP/Q".
|
|||
|
URL "330f35e9f647.loan/6puLAJKud/1c/xpH0zn/bVRVR8KQTtZ0Dw".
|
|||
|
URL "330f35e9f647.loan/yl/mtBlP3TBX01/IHcuJe/_tHKA".
|
|||
|
URL "330f35e9f647.loan/PlKl8Vi16/s9BXP/zX7TxAHId6ubq9oLQ".
|
|||
|
URL "330f35e9f647.loan/4jfU08/19Z6B/j2VEkt/XJILd/Nv1YEQ".
|
|||
|
URL "330f35e9f647.loan/qE/kvltF/nzoV2/RANMO/gc9JP/AQ".
|
|||
|
URL "330f35e9f647.loan/DStLW/p-9oH1rpd/VV9/Jva2/dttpAA".
|
|||
|
URL "330f35e9f647.loan/3VIs/0OpV/I/D77b/1ICJ_uWMcF3N/w".
|
|||
|
URL "330f35e9f647.loan/Syy/sMVlAHTUdV/hI/I/sucUe/5HFw".
|
|||
|
URL "330f35e9f647.loan/eCf57FZh/hv9/6ZjrrfElUMtT/QNd/FkLA".
|
|||
|
URL "330f35e9f647.loan/5TGta2dCc5/1uhbJ2/y/f/QmJSRI/e/xRe/N/fdg".
|
|||
|
URL "330f35e9f647.loan/jypPt/ic/VsA3/n/HX1FhBdiccsdKLg".
|
|||
|
URL "330f35e9f647.loan/ddDmp7/h/9/hY/Pn/2aQkV1HML/S/Zv/N6KQ".
|
|||
|
URL "330f35e9f647.loan/zrx/mc5kKX_VXFNJC8/Cd/eO/VGPg".
|
|||
|
URL "google.com/".
|
|||
|
|
Network | Connect to HTTP server |
|
|
URL "330f35e9f647.loan/8C1SLhHn/2_/8tA/E/H/Fbk/8JMoO2Tv/9/2Kg".
|
|||
|
URL "330f35e9f647.loan/pW6teVTI/k-sq/J/2j7/cmhBJoSRZ8F/qDQ".
|
|||
|
URL "google.com/".
|
|||
|
URL "330f35e9f647.loan/xnecdWiG1/m9/J5MGn6/T/2YACd/yAYfNpLQ".
|
|||
|
URL "330f35e9f647.loan/SEP4vYw6/sPlMZ/3/v0URdi/NOLRdM5J/cg".
|
|||
|
URL "330f35e9f647.loan/NrY/r/c5FHX/_/0aFNoP8C8TO/VnC/g/".
|
|||
|
URL "330f35e9f647.loan/9piYZTuz9/2sx1Clf5U1sISMKMW81/q/MQ".
|
|||
|
URL "330f35e9f647.loan/l6yH/j4/plG2GbX2ldR8utbqF/HD/A".
|
|||
|
URL "330f35e9f647.loan/WJFCdFULD/tP/ZaEGn/rc/211/J/v/ijQ/fN4EQ".
|
|||
|
URL "330f35e9f647.loan/cIh/g/P/V0METF/RW/hZEvuN/Yd5W/J/w/".
|
|||
|
URL "330f35e9f647.loan/sTx52Lxwi/k/OhkZ/j_hXlZYAu/ad/N6VyPA".
|
|||
|
URL "330f35e9f647.loan/TkN2Lgy/t9dSY/UHKX3/Va/P4CpZe5q/Lw".
|
|||
|
URL "330f35e9f647.loan/3qeDwipy/0M/15F3rEV/lgCANe/hdf5/O/PQ".
|
|||
|
URL "330f35e9f647.loan/31F9UVfEun/0I1aalj/7QGREH4HU/RK/5rEg".
|
|||
|
URL "330f35e9f647.loan/mtV/jshKPnn7S1/Vn/HMa/z/b-N/oK/Q".
|
|||
|
URL "330f35e9f647.loan/KbnKhnNec/qN/5/yGGXDaERSOtCLSf9QC/g".
|
|||
|
URL "330f35e9f647.loan/rSps/ke9sIH_-V/lJ/DI/sKWc/MRONw/".
|
|||
|
URL "330f35e9f647.loan/1R52/0u4pYTz_/ExM/AI/4f/XM8U/L/d/g".
|
|||
|
URL "330f35e9f647.loan/Ydqt/uth/tJ1TJV1Vo/FcOR/W_NPMA".
|
|||
|
URL "330f35e9f647.loan/OLKU5tAB/rPB/XBjjZZ2/N-Pfmw/N-N_Bg".
|
|||
|
URL "330f35e9f647.loan/BaoB/o/d1zEU_M/SWNz/EN/2nQPZRBg".
|
|||
|
URL "330f35e9f647.loan/De1Yth/p9kt/Cn/nFYkQAKMa/NRvIPHQ/".
|
|||
|
URL "330f35e9f647.loan/VTNb4H/t/ehSMTnlcHV_E4at/VMNw/Jg".
|
|||
|
URL "330f35e9f647.loan/YrhHB3/us5/0/G0-ef1/NZ/O/fDWW/-V/WDA/".
|
|||
|
URL "330f35e9f647.loan/ywhAhCZ/mst0E/m/Xuf/FhGG/fO/NQ/c1HMw".
|
|||
|
URL "330f35e9f647.loan/aV1M3/guotHj7McBB8QtOzM9oNJ/Q".
|
|||
|
URL "330f35e9f647.loan/gyRVM2W/hM/VOBU/C/fc/UZI/I-So/MMBZP/Q".
|
|||
|
URL "330f35e9f647.loan/6puLAJKud/1c/xpH0zn/bVRVR8KQTtZ0Dw".
|
|||
|
URL "330f35e9f647.loan/yl/mtBlP3TBX01/IHcuJe/_tHKA".
|
|||
|
URL "330f35e9f647.loan/PlKl8Vi16/s9BXP/zX7TxAHId6ubq9oLQ".
|
|||
|
URL "330f35e9f647.loan/4jfU08/19Z6B/j2VEkt/XJILd/Nv1YEQ".
|
|||
|
URL "330f35e9f647.loan/qE/kvltF/nzoV2/RANMO/gc9JP/AQ".
|
|||
|
URL "330f35e9f647.loan/DStLW/p-9oH1rpd/VV9/Jva2/dttpAA".
|
|||
|
URL "330f35e9f647.loan/3VIs/0OpV/I/D77b/1ICJ_uWMcF3N/w".
|
|||
|
URL "330f35e9f647.loan/Syy/sMVlAHTUdV/hI/I/sucUe/5HFw".
|
|||
|
URL "330f35e9f647.loan/eCf57FZh/hv9/6ZjrrfElUMtT/QNd/FkLA".
|
|||
|
URL "330f35e9f647.loan/5TGta2dCc5/1uhbJ2/y/f/QmJSRI/e/xRe/N/fdg".
|
|||
|
URL "330f35e9f647.loan/jypPt/ic/VsA3/n/HX1FhBdiccsdKLg".
|
|||
|
URL "330f35e9f647.loan/ddDmp7/h/9/hY/Pn/2aQkV1HML/S/Zv/N6KQ".
|
|||
|
URL "330f35e9f647.loan/zrx/mc5kKX_VXFNJC8/Cd/eO/VGPg".
|
|||
|
|
PE | Drop PE file |
|
|
Drop file "c:\users\ciihmn~1\appdata\local\temp\updee12df24.exe".
|
|||
|
|
PE | Execute dropped PE file |
|
|
Execute dropped file "c:\users\ciihmn~1\appdata\local\temp\updee12df24.exe".
|
|||
