Zeus[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Zeus.exe
Size

619KB
MD5

6b38f8ea71476a05bda714df9d1449be
SHA1

a67dd423bd834d8f9697f4c17dfb03857db32a8e
SHA256

4fd87ae32a9981da6a72d6921b1eaca3206789ba5e1f731d5c146d965a74839a
SHA512

c5127ae962a1312c2863eaea6b31cd0d6557702b009ebae63e735a610eac086d0f0a195cf4ea0e514c00d02de264babe9108cdff50686234c83ea6a449bc445c
SSDEEP

12288:QJfk7pi4od0sMlb1qCfgoV/OpNWKqEckiRiMbw5hs/58h:Q0p1od0Rbq7oNOiwMN/58

Score

7^/10

Malware Config

Signatures

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
sample	net_reactor

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Zeus.exe

Files

Zeus.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 591KB - Virtual size: 590KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 27KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ