Search in progress...
Play interactive tour
Edit tourAnalysis Report zbetcheckin_tracker_propan.exe
Overview
General Information |
|---|
| Joe Sandbox Version: | 23.0.0 |
| Analysis ID: | 48850 |
| Start date: | 03.10.2018 |
| Start time: | 11:14:04 |
| Joe Sandbox Product: | Cloud |
| Overall analysis duration: | 0h 3m 39s |
| Hypervisor based Inspection enabled: | true |
| Report type: | full |
| Sample file name: | zbetcheckin_tracker_propan.exe |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 7 x64 HVM (Office 2010, IE11, FF 50.1, Chrome 54.0, Java 1.8.0_111, Adobe Reader DC 2015.02) |
| Number of analysed new started processes analysed: | 6 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies |
|
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal80.bank.evad.winEXE@4/6@1/2 |
| EGA Information: |
|
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
| Warnings: | Show All
|
Detection |
|---|
| Strategy | Score | Range | Reporting | Detection | |
|---|---|---|---|---|---|
| Threshold | 80 | 0 - 100 | Report FP / FN |  | |
Confidence |
|---|
| Strategy | Score | Range | Further Analysis Required? | Confidence | |
|---|---|---|---|---|---|
| Threshold | 5 | 0 - 5 | false |   | |
Classification |
|---|
Signature Overview |
|---|
Click to jump to signature section
AV Detection: |   |
|---|
| Multi AV Scanner detection for submitted file | Show sources | ||
| Source: | virustotal: | Perma Link | ||
| Antivirus detection for unpacked file | Show sources | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
Networking: | |
|---|
| Creates a COM Internet Explorer object | Show sources | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | COM instance created: | Jump to behavior | ||
| Downloads files | Show sources | ||
| Source: | File created: | Jump to behavior | ||
| Downloads files from webservers via HTTP | Show sources | ||
| Source: | HTTP traffic detected: | ||
| Performs DNS lookups | Show sources | ||
| Source: | DNS traffic detected: | ||
E-Banking Fraud: | |
|---|
| Detected Ursnif banking trojan | Show sources | ||
| Source: | Code function: | 1_2_00401C7A | |
System Summary: | |
|---|
| Contains functionality to create processes via WMI | Show sources | ||
| Source: | Code function: | 1_2_002D42BD | |
| Source: | Code function: | 1_2_002D42BD | |
| Source: | Code function: | 1_2_002D42BD | |
| Source: | Binary or memory string: | ||
| Starts Internet Explorer in hidden mode | Show sources | ||
| Source: | Window hidden: | Jump to behavior | ||
| Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc) | Show sources | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Contains functionality to call native functions | Show sources | ||
| Source: | Code function: | 1_2_004022EC | |
| Source: | Code function: | 1_2_004018F0 | |
| Source: | Code function: | 1_2_004012F6 | |
| Source: | Code function: | 1_2_004027FD | |
| Source: | Code function: | 1_2_0040192F | |
| Source: | Code function: | 1_2_0040143E | |
| Source: | Code function: | 1_2_00402749 | |
| Source: | Code function: | 1_2_0040276A | |
| Source: | Code function: | 1_2_0040318D | |
| Source: | Code function: | 1_2_00402F20 | |
| Source: | Code function: | 1_2_004027AD | |
| Source: | Code function: | 1_2_002D4615 | |
| Source: | Code function: | 1_2_002DE040 | |
| Source: | Code function: | 1_2_002DE297 | |
| Source: | Code function: | 1_2_002DE2D6 | |
| Source: | Code function: | 1_1_00401800 | |
| Detected potential crypto function | Show sources | ||
| Source: | Code function: | 1_2_00402F6C | |
| Source: | Code function: | 1_2_002D92AC | |
| Source: | Code function: | 1_2_002D2BC6 | |
| Source: | Code function: | 1_2_00414449 | |
| Source: | Code function: | 1_2_004160BE | |
| Source: | Code function: | 1_2_00413F07 | |
| Source: | Code function: | 1_2_0040E71E | |
| Source: | Code function: | 1_2_0041498B | |
| Source: | Code function: | 1_1_00414449 | |
| Source: | Code function: | 1_1_00404A60 | |
| Source: | Code function: | 1_1_0040D4F0 | |
| Source: | Code function: | 1_1_004160BE | |
| Source: | Code function: | 1_1_00413F07 | |
| Source: | Code function: | 1_1_0040E71E | |
| Source: | Code function: | 1_1_0041498B | |
| Source: | Code function: | 1_1_004151B9 | |
| Found potential URLs in runtime VBA strings | Show sources | ||
| Source: | VBA Memory String: | Jump to behavior | ||
| Source: | VBA Memory String: | Jump to behavior | ||
| Source: | VBA Memory String: | Jump to behavior | ||
| Source: | VBA Memory String: | Jump to behavior | ||
| Source: | VBA Memory String: | Jump to behavior | ||
| Source: | VBA Memory String: | Jump to behavior | ||
| PE file contains strange resources | Show sources | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Classification label | Show sources | ||
| Source: | Classification label: | ||
| Contains functionality to instantiate COM classes | Show sources | ||
| Source: | Code function: | 1_2_002D5457 | |
| Creates files inside the user directory | Show sources | ||
| Source: | File created: | Jump to behavior | ||
| Creates temporary files | Show sources | ||
| Source: | File created: | Jump to behavior | ||
| PE file has an executable .text section and no other executable section | Show sources | ||
| Source: | Static PE information: | ||
| Reads ini files | Show sources | ||
| Source: | File read: | Jump to behavior | ||
| Reads software policies | Show sources | ||
| Source: | Key opened: | Jump to behavior | ||
| Sample is known by Antivirus | Show sources | ||
| Source: | virustotal: | ||
| Spawns processes | Show sources | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Uses an in-process (OLE) Automation server | Show sources | ||
| Source: | Key value queried: | Jump to behavior | ||
Data Obfuscation: | |
|---|
| Contains functionality to dynamically determine API calls | Show sources | ||
| Source: | Code function: | 1_1_00412282 | |
| Uses code obfuscation techniques (call, push, ret) | Show sources | ||
| Source: | Code function: | 1_2_00402F6B | |
| Source: | Code function: | 1_2_00407222 | |
| Source: | Code function: | 1_2_002D92AB | |
| Source: | Code function: | 1_1_0040D4E4 | |
Hooking and other Techniques for Hiding and Protection: | |
|---|
| Writes registry values via WMI | Show sources | ||
| Source: | WMI Registry write: | ||
| Source: | WMI Registry write: | ||
| Source: | WMI Registry write: | ||
| Source: | WMI Registry write: | ||
| Source: | WMI Registry write: | ||
| Disables application error messsages (SetErrorMode) | Show sources | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion: | |
|---|
| Found evasive API chain (may stop execution after checking locale) | Show sources | ||
| Source: | Evasive API call chain: | graph_1-7457 | ||
| Tries to detect sandboxes / dynamic malware analysis system (cursor check) | Show sources | ||
| Source: | Code function: | 1_2_004010ED | |
| May sleep (evasive loops) to hinder dynamic analysis | Show sources | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Sample execution stops while process was sleeping (likely an evasion) | Show sources | ||
| Source: | Last function: | ||
| Program exit points | Show sources | ||
| Source: | API call chain: | graph_1-7347 | ||
Anti Debugging: | |
|---|
| Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation)) | Show sources | ||
| Source: | System information queried: | Jump to behavior | ||
| Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress) | Show sources | ||
| Source: | Code function: | 1_2_004012F6 | |
| Contains functionality to check if a debugger is running (IsDebuggerPresent) | Show sources | ||
| Source: | Code function: | 1_2_0040FE9A | |
| Contains functionality to dynamically determine API calls | Show sources | ||
| Source: | Code function: | 1_1_00412282 | |
| Contains functionality to read the PEB | Show sources | ||
| Source: | Code function: | 1_2_0025052B | |
| Source: | Code function: | 1_2_00250000 | |
| Source: | Code function: | 1_2_00250000 | |
| Source: | Code function: | 1_2_002506F5 | |
| Source: | Code function: | 1_2_002506F5 | |
| Source: | Code function: | 1_2_00250AFD | |
| Source: | Code function: | 1_2_00290000 | |
| Source: | Code function: | 1_2_00290000 | |
| Source: | Code function: | 1_2_00290408 | |
| Contains functionality which may be used to detect a debugger (GetProcessHeap) | Show sources | ||
| Source: | Code function: | 1_1_0040C832 | |
| Contains functionality to register its own exception handler | Show sources | ||
| Source: | Code function: | 1_2_0040FE9A | |
| Source: | Code function: | 1_2_00413BEE | |
| Source: | Code function: | 1_1_0040CA26 | |
| Source: | Code function: | 1_1_0040FE9A | |
| Source: | Code function: | 1_1_00413BEE | |
HIPS / PFW / Operating System Protection Evasion: | |
|---|
| May try to detect the Windows Explorer process (often used for injection) | Show sources | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
Language, Device and Operating System Detection: | |
|---|
| Contains functionality locales information (e.g. system language) | Show sources | ||
| Source: | Code function: | 1_2_0040270C | |
| Source: | Code function: | 1_2_004134B0 | |
| Source: | Code function: | 1_1_004026F0 | |
| Source: | Code function: | 1_1_004134B0 | |
| Contains functionality to query CPU information (cpuid) | Show sources | ||
| Source: | Code function: | 1_2_002D46DF | |
| Contains functionality to query local / system time | Show sources | ||
| Source: | Code function: | 1_2_002D1C3C | |
| Contains functionality to query the account / user name | Show sources | ||
| Source: | Code function: | 1_2_002D46DF | |
| Contains functionality to query windows version | Show sources | ||
| Source: | Code function: | 1_2_00401B9B | |
| Queries the cryptographic machine GUID | Show sources | ||
| Source: | Key value queried: | Jump to behavior | ||
Behavior Graph |
|---|
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is maliciousSimulations |
|---|
Behavior and APIs |
|---|
| Time | Type | Description |
|---|---|---|
| 11:16:06 | API Interceptor | 149x Sleep call for process: zbetcheckin_tracker_propan.exe modified |
Antivirus Detection |
|---|
Initial Sample |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 44% | virustotal | Browse | ||
| 11% | metadefender | Browse |
Dropped Files |
|---|
| No Antivirus matches |
|---|
Unpacked PE Files |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira | TR/Patched.Ren.Gen | ||
| 100% | Avira | TR/Patched.Ren.Gen |
Domains |
|---|
| No Antivirus matches |
|---|
URLs |
|---|
| No Antivirus matches |
|---|
Yara Overview |
|---|
Initial Sample |
|---|
| No yara matches |
|---|
PCAP (Network Traffic) |
|---|
| No yara matches |
|---|
Dropped Files |
|---|
| No yara matches |
|---|
Memory Dumps |
|---|
| No yara matches |
|---|
Unpacked PEs |
|---|
| No yara matches |
|---|
Screenshots |
|---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
