Malware Analysis Report

2024-11-30 19:34

Sample ID 240921-cf43yszekh
Target Zeus V3.exe
SHA256 8e96c53eea3cbb5be49dcafc17f3d9e20dba6ca88772c9ee24f3f3a02c7ca251
Tags
vmprotect agilenet discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

8e96c53eea3cbb5be49dcafc17f3d9e20dba6ca88772c9ee24f3f3a02c7ca251

Threat Level: Shows suspicious behavior

The file Zeus V3.exe was found to show suspicious behavior.

Malicious Activity Summary

vmprotect agilenet discovery

.NET Reactor protector

VMProtect packed file

Obfuscated with Agile.Net obfuscator

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-21 02:02

Signatures

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
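The three static signatures above come with no indicator column, so an analyst has to reproduce them to trust them. The following is an added example, not code from the report or from the sandbox vendor: a minimal PE header walk that checks the two things a sandbox can decide from the header alone, whether an Authenticode blob is present (security data directory, index 4) and whether VMProtect's default section names (.vmp0, .vmp1, ...) are in the section table. The section-name heuristic and the constructed header bytes used as input are assumptions; the page does not say how the sandbox reached its verdict, and the .NET Reactor and Agile.NET labels (which depend on CLR metadata, not the PE header) are not covered here.

```python
import struct

SECURITY_DIR = 4              # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode signature blob
VMP_SECTION_PREFIX = b".vmp"  # VMProtect's default section names (.vmp0, .vmp1, ...); easily renamed


def parse_pe(data: bytes) -> dict:
    """Walk DOS -> PE -> COFF -> optional header; return section names and the security directory."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32: NumberOfRvaAndSizes at +92
        ndirs_off = 92
    elif magic == 0x20B:        # PE32+: at +108
        ndirs_off = 108
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    dirs = opt + ndirs_off + 4
    sec_off = sec_size = 0
    if ndirs > SECURITY_DIR:
        # For the security directory the first field is a file offset, not an RVA.
        sec_off, sec_size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    table = opt + opt_size
    names = []
    for i in range(nsections):
        raw = struct.unpack_from("<8s", data, table + 40 * i)[0]
        names.append(raw.rstrip(b"\0"))
    return {"machine": machine, "pe32plus": magic == 0x20B, "sections": names,
            "security_offset": sec_off, "security_size": sec_size}


def static_signatures(data: bytes) -> list:
    """Reproduce the report's two header-level static labels."""
    info = parse_pe(data)
    hits = []
    if info["security_size"] == 0:
        hits.append("Unsigned PE")
    if any(n.startswith(VMP_SECTION_PREFIX) for n in info["sections"]):
        hits.append("VMProtect packed file")
    return hits


def build_test_pe(section_names, signed=False) -> bytes:
    """Constructed minimal PE32 header (not a runnable binary) to exercise the parser offline."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    opt_size = 96 + 16 * 8                                       # PE32 optional header with 16 directories
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                        # Magic = PE32
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR, 0x4000, 0x1800)  # fake blob offset/size
    sections = b"".join(struct.pack("<8sIIIIIIHHI", n, 0, 0, 0, 0, 0, 0, 0, 0, 0)
                        for n in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    print(static_signatures(build_test_pe([b".text", b".vmp0", b".vmp1"])))
```

Two caveats when applying this to a real file: a non-zero security directory only means a signature blob exists, not that it chains to a trusted root (verify with signtool or Get-AuthenticodeSignature), and section names are trivial to rename, so sandboxes also lean on entry-point and import heuristics that this example does not implement.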

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-21 02:02

Reported

2024-09-21 02:02

Platform

win10v2004-20240802-en

Max time kernel

22s

Max time network

25s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Zeus V3.exe"

Signatures

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Zeus V3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Zeus V3.exe N/A
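The two behavioral rows above are the only ones on this page with a real indicator, and both are generic enough to fire on legitimate software (the .NET runtime and many installers read NLS keys; backup and debugging tools enable SeDebugPrivilege). The following is an added example, not code from the report or the sandbox: the matching logic written out as rules over a constructed JSON-lines API trace, so the two signatures can be reproduced and tuned. The trace format, the T1134 mapping for the privilege rule (the report's MITRE section is empty) and the two extra privileges in the second rule are my assumptions; T1614.001 is the real ATT&CK id for System Language Discovery.

```python
import json
import re
from collections import defaultdict

# Constructed sample of a sandbox API trace in JSON-lines form. This is not the
# sandbox's real log format; the two events for pid 2316 mirror the report's
# behavioral signatures, the others are benign noise that must not match.
SAMPLE_TRACE = r"""
{"pid": 2316, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\Zeus V3.exe", "api": "RegOpenKeyExW", "key": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language"}
{"pid": 2316, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\Zeus V3.exe", "api": "AdjustTokenPrivileges", "privilege": "SeDebugPrivilege", "enable": true}
{"pid": 2316, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\Zeus V3.exe", "api": "RegOpenKeyExW", "key": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"}
{"pid": 4100, "image": "C:\\Windows\\System32\\svchost.exe", "api": "AdjustTokenPrivileges", "privilege": "SeChangeNotifyPrivilege", "enable": true}
"""

# Rules shaped like the report's signature rows (Description / Process columns).
RULES = [
    {
        "signature": "System Location Discovery: System Language Discovery",
        "attack": "T1614.001",
        "api": "RegOpenKeyExW",
        "field": "key",
        "label": "Key opened",
        "pattern": re.compile(r"\\Control\\NLS\\Language$", re.IGNORECASE),
    },
    {
        "signature": "Suspicious use of AdjustPrivilegeToken",
        "attack": "T1134",          # assumed mapping; the report assigns none
        "api": "AdjustTokenPrivileges",
        "field": "privilege",
        "label": "Token",
        # The report shows SeDebugPrivilege; the other two are my additions.
        "pattern": re.compile(r"^(SeDebugPrivilege|SeLoadDriverPrivilege|SeTcbPrivilege)$"),
    },
]


def scan_trace(trace_text):
    """Return {pid: [hit, ...]}; each hit carries the report's Description and Process columns."""
    hits = defaultdict(list)
    for line in trace_text.strip().splitlines():
        event = json.loads(line)
        for rule in RULES:
            if event.get("api") != rule["api"]:
                continue
            if rule["field"] == "privilege" and not event.get("enable", False):
                continue  # only privilege enables are interesting, not disables
            value = event.get(rule["field"], "")
            if rule["pattern"].search(value):
                hits[event["pid"]].append({
                    "signature": rule["signature"],
                    "attack": rule["attack"],
                    "description": f"{rule['label']}: {value}",
                    "process": event["image"],
                })
    return dict(hits)


def attack_ids(hits):
    """Sorted, de-duplicated ATT&CK ids across all matched processes."""
    return sorted({h["attack"] for pid_hits in hits.values() for h in pid_hits})


if __name__ == "__main__":
    for pid, pid_hits in scan_trace(SAMPLE_TRACE).items():
        for h in pid_hits:
            print(pid, h["signature"], "|", h["description"], "|", h["process"])
```

In a detection pipeline these two rules should add weight rather than alert on their own; what makes them worth keeping here is that the same unsigned, VMProtect-packed process produced both within the 22-second kernel window.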

Processes

C:\Users\Admin\AppData\Local\Temp\Zeus V3.exe

"C:\Users\Admin\AppData\Local\Temp\Zeus V3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 budxk2uggn72ultkzpcd-mysql.services.clever-cloud.com udp
FR 91.208.207.227:21449 budxk2uggn72ultkzpcd-mysql.services.clever-cloud.com tcp
US 8.8.8.8:53 227.207.208.91.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
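The network table mixes resolver traffic with the one connection that matters. Six rows are reverse (PTR) lookups, which are commonly background traffic from the OS or the sandbox rather than the sample; the exception is the PTR for 227.207.208.91.in-addr.arpa, which is the address the process had just connected to. The following is an added example, not code from the report: it parses the table as printed, turns in-addr.arpa names back into dotted IPs, and separates forward lookups and connections from resolver noise. The only assumption is that 8.8.8.8:53 is the resolver; the rows themselves are the report's own.

```python
import re

# The behavioral1 network table from the report, embedded as input text.
NETWORK_TABLE = """\
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 budxk2uggn72ultkzpcd-mysql.services.clever-cloud.com udp
FR 91.208.207.227:21449 budxk2uggn72ultkzpcd-mysql.services.clever-cloud.com tcp
US 8.8.8.8:53 227.207.208.91.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
"""

RESOLVERS = {"8.8.8.8:53"}   # assumption: the sandbox's configured DNS resolver


def ptr_to_ip(name):
    """'a.b.c.d.in-addr.arpa' -> 'd.c.b.a'; None for names that are not IPv4 PTR queries."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa", name, re.IGNORECASE)
    if not m:
        return None
    return ".".join(reversed(m.groups()))


def parse_network(text):
    """Split the Country / Destination / Domain / Proto columns into dicts."""
    rows = []
    for line in text.strip().splitlines():
        country, dest, domain, proto = line.split()
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "dest_ip": host, "dest_port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def extract_iocs(rows):
    """Separate resolver traffic (reverse vs forward lookups) from real connections."""
    iocs = {"reverse_lookups": [], "forward_lookups": [], "connections": []}
    for r in rows:
        dest = f"{r['dest_ip']}:{r['dest_port']}"
        if r["proto"] == "udp" and dest in RESOLVERS:
            ip = ptr_to_ip(r["domain"])
            if ip:
                iocs["reverse_lookups"].append(ip)
            else:
                iocs["forward_lookups"].append(r["domain"].lower())
        else:
            iocs["connections"].append((r["dest_ip"], r["dest_port"], r["proto"], r["domain"].lower()))
    # A PTR lookup of an address the sample also connected to ties the two rows together;
    # the remaining PTR queries have no matching connection and are likely background noise.
    connected = {c[0] for c in iocs["connections"]}
    iocs["ptr_of_connected"] = [ip for ip in iocs["reverse_lookups"] if ip in connected]
    return iocs


if __name__ == "__main__":
    result = extract_iocs(parse_network(NETWORK_TABLE))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Two things to carry into blocking rules: the hostname is a Clever Cloud MySQL add-on endpoint, and the connection is to 21449/tcp rather than MySQL's default 3306, so a port-based rule would miss it; match on the hostname or the resolved IP instead.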

Files

memory/2316-0-0x00000000750DE000-0x00000000750DF000-memory.dmp

memory/2316-1-0x0000000000BE0000-0x00000000063BE000-memory.dmp

memory/2316-2-0x00000000750D0000-0x0000000075880000-memory.dmp

memory/2316-3-0x00000000750D0000-0x0000000075880000-memory.dmp

memory/2316-4-0x00000000750D0000-0x0000000075880000-memory.dmp

memory/2316-5-0x00000000750D0000-0x0000000075880000-memory.dmp

memory/2316-6-0x00000000750D0000-0x0000000075880000-memory.dmp

memory/2316-7-0x000000000B450000-0x000000000C9CC000-memory.dmp

memory/2316-8-0x00000000117B0000-0x0000000011D54000-memory.dmp

memory/2316-9-0x000000000CB90000-0x000000000CC22000-memory.dmp

memory/2316-10-0x000000000CB50000-0x000000000CB5A000-memory.dmp

memory/2316-11-0x0000000018D60000-0x000000001A6EE000-memory.dmp

memory/2316-13-0x000000000CC30000-0x000000000CC50000-memory.dmp

memory/2316-12-0x000000000CB60000-0x000000000CB80000-memory.dmp

memory/2316-15-0x000000000CC80000-0x000000000CC94000-memory.dmp

memory/2316-16-0x000000000CCA0000-0x000000000CCBE000-memory.dmp

memory/2316-14-0x000000000CC70000-0x000000000CC7E000-memory.dmp

memory/2316-17-0x000000000EF50000-0x000000000F09E000-memory.dmp

memory/2316-18-0x00000000750DE000-0x00000000750DF000-memory.dmp

memory/2316-19-0x000000000F0E0000-0x000000000F0E6000-memory.dmp

memory/2316-20-0x000000001F2C0000-0x000000001F362000-memory.dmp

memory/2316-21-0x00000000750D0000-0x0000000075880000-memory.dmp

memory/2316-22-0x000000001F360000-0x000000001F6B4000-memory.dmp

memory/2316-23-0x000000001F700000-0x000000001F74C000-memory.dmp

memory/2316-24-0x000000001D050000-0x000000001D05A000-memory.dmp

memory/2316-25-0x000000001D010000-0x000000001D036000-memory.dmp

memory/2316-26-0x000000001D4B0000-0x000000001D4DC000-memory.dmp

memory/2316-27-0x000000001D040000-0x000000001D048000-memory.dmp

memory/2316-28-0x000000001F9F0000-0x000000001FA2C000-memory.dmp

memory/2316-29-0x000000001F9C0000-0x000000001F9E1000-memory.dmp

memory/2316-30-0x000000001FA80000-0x000000001FA8A000-memory.dmp

memory/2316-33-0x00000000750D0000-0x0000000075880000-memory.dmp

memory/2316-34-0x00000000750D0000-0x0000000075880000-memory.dmp

memory/2316-35-0x00000000750D0000-0x0000000075880000-memory.dmp

memory/2316-36-0x000000000CE80000-0x000000000CEE6000-memory.dmp

memory/2316-37-0x000000000CEF0000-0x000000000CF12000-memory.dmp

memory/2316-38-0x00000000750D0000-0x0000000075880000-memory.dmp

memory/2316-39-0x00000000750D0000-0x0000000075880000-memory.dmp

memory/2316-41-0x00000000750D0000-0x0000000075880000-memory.dmp
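Forty-one dumps of one process is too many to open blind, and the names carry enough to rank them: pid, dump index, and the start and end address of the region. The following is an added example, not code from the report: it parses a subset of the names above, groups dumps by region, computes sizes, and orders the work. The region labels in classify() are my heuristics (a 0x7xxxxxxx start on a 32-bit process is typically a loaded system DLL; a large low region is the first candidate for an unpacked image), not anything the sandbox states, and the choice of subset is mine.

```python
import re
from collections import defaultdict

# A subset of the behavioral1 "Files" list from the report (the full list has 41 entries).
DUMP_NAMES = """\
memory/2316-0-0x00000000750DE000-0x00000000750DF000-memory.dmp
memory/2316-1-0x0000000000BE0000-0x00000000063BE000-memory.dmp
memory/2316-2-0x00000000750D0000-0x0000000075880000-memory.dmp
memory/2316-3-0x00000000750D0000-0x0000000075880000-memory.dmp
memory/2316-4-0x00000000750D0000-0x0000000075880000-memory.dmp
memory/2316-7-0x000000000B450000-0x000000000C9CC000-memory.dmp
memory/2316-11-0x0000000018D60000-0x000000001A6EE000-memory.dmp
memory/2316-18-0x00000000750DE000-0x00000000750DF000-memory.dmp
memory/2316-21-0x00000000750D0000-0x0000000075880000-memory.dmp
"""

NAME_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name):
    """memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp -> dict with integer fields."""
    m = NAME_RE.search(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name}")
    pid, idx, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    return {"pid": pid, "index": idx, "start": start, "end": end, "size": end - start}


def classify(start, size):
    """Heuristic labels (assumptions, not anything the sandbox reports)."""
    if 0x70000000 <= start < 0x80000000:
        return "high 32-bit range, typically a loaded system DLL; confirm against the module list"
    if size >= 16 * 1024 * 1024:
        return "large private region; first candidate for an unpacked image or a big heap"
    return "small region; scan for strings and configuration"


def summarize_dumps(text):
    """Group dumps by (start, end), largest region first; a region dumped repeatedly
    was re-snapshotted after it changed, so consecutive dumps can be diffed."""
    groups = defaultdict(list)
    for line in text.strip().splitlines():
        d = parse_dump_name(line)
        groups[(d["start"], d["end"])].append(d["index"])
    out = []
    for (start, end), indices in groups.items():
        size = end - start
        out.append({"start": start, "end": end, "size": size, "count": len(indices),
                    "indices": sorted(indices), "note": classify(start, size)})
    return sorted(out, key=lambda r: r["size"], reverse=True)


def triage_order(text):
    """Which dump to open first (the largest region) and which regions to diff (dumped more than once)."""
    regions = summarize_dumps(text)
    first = regions[0]["indices"][0]
    repeated = [r["indices"] for r in regions if r["count"] > 1]
    return first, repeated


if __name__ == "__main__":
    for r in summarize_dumps(DUMP_NAMES):
        print(f"{r['start']:#010x}-{r['end']:#010x} {r['size'] / 1048576:7.1f} MiB x{r['count']} {r['note']}")
```

On the full list the 88 MiB region at 0x00BE0000 (dump 1) is where to start looking for the unpacked payload, while the 0x750D0000-0x75880000 region recurs more than a dozen times, which is characteristic of a module the sandbox kept re-dumping as it was written; identify it from the module list before spending time on it.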