Troj/ZbotMem-B

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 02 Mar 2011 15:46:43 (GMT)
Last Updated: 15 Jun 2015 22:23:23 (GMT)


Troj/ZbotMem-B is an in-memory detection for Zbot (also known as Zeus): it identifies the Trojan's code once it is running in process memory, rather than by the hash or packing of the file on disk.

Zbot is an information-stealing Trojan that primarily targets online banking websites.

Zbot can steal a wide range of information, including login credentials entered into web forms and passwords saved by FTP clients.

Zbot can also inject extra code into web pages as they are browsed ("web injects"); the injected content can prompt the user to enter additional information useful to the attacker, on what appears to be the legitimate page.

For further information on Zbot, see the Sophos article "What Is Zeus?".
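The web-inject behaviour described above, as an added example that is not part of this Sophos page: an analyst's parser for the webinjects section of a Zeus-family configuration (the set_url / data_before / data_inject / data_after / data_end text format used by Zeus builders), applied to a constructed login page to show how an extra PIN field ends up inside what looks like the bank's own form. The bank URL, the rule and the HTML are constructed for the demo, and the matching semantics (replace the text between data_before and data_after, or insert after data_before when data_after is empty) are my reading of the format, not Sophos's description.

```python
"""Parse a Zeus-style webinjects configuration and apply it to a page.

Added example, not Sophos code. The set_url / data_before / data_inject /
data_after / data_end text format is the one used by Zeus-family builders;
the bank URL, the rule and the HTML below are constructed for the demo.
"""
import re

# Constructed rule: after the password field on the login page, add a PIN field
# the real site never asks for. GP = apply to GET and POST requests.
SAMPLE_WEBINJECTS = """\
set_url https://bank.example/login* GP
data_before
<input type="password"*>
data_end
data_inject
<br>PIN: <input type="text" name="pin">
data_end
data_after

data_end
"""

# Constructed login form standing in for the real page.
SAMPLE_PAGE = ('<form><input type="text" name="user">'
               '<input type="password" name="pass"><button>Login</button></form>')


def parse_webinjects(text):
    """Return a list of rules: {url, flags, before, inject, after}."""
    rules, current, section, buf = [], None, None, []
    for line in text.splitlines():
        if line.startswith("set_url "):
            parts = line.split()
            current = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                       "before": "", "inject": "", "after": ""}
            rules.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            section, buf = line[len("data_"):], []
        elif line == "data_end":
            if current is not None and section is not None:
                current[section] = "\n".join(buf)
            section = None
        elif section is not None:
            buf.append(line)
    return rules


def _glob_to_regex(glob):
    """'*' is the only wildcard in these patterns; everything else is literal."""
    return "".join(".*?" if ch == "*" else re.escape(ch) for ch in glob)


def url_matches(rule, url):
    return re.fullmatch(_glob_to_regex(rule["url"]), url) is not None


def apply_inject(rule, html):
    """Replace the text between data_before and data_after with data_inject.

    With an empty data_after the inject is inserted right after the data_before
    match; with an empty data_before it goes right before the data_after match.
    Returns (new_html, injected).
    """
    before = _glob_to_regex(rule["before"])
    after = _glob_to_regex(rule["after"])
    middle = ".*?" if (rule["before"] and rule["after"]) else ""
    m = re.search("(" + before + ")" + middle + "(" + after + ")", html, re.S)
    if m is None:
        return html, False
    patched = html[:m.start()] + m.group(1) + rule["inject"] + m.group(2) + html[m.end():]
    return patched, True


def process_page(rules, url, html):
    """Apply every rule whose set_url glob matches; return (html, number applied)."""
    applied = 0
    for rule in rules:
        if url_matches(rule, url):
            html, hit = apply_inject(rule, html)
            applied += hit
    return html, applied


if __name__ == "__main__":
    rules = parse_webinjects(SAMPLE_WEBINJECTS)
    page, n = process_page(rules, "https://bank.example/login?lang=en", SAMPLE_PAGE)
    print(n, "inject(s) applied\n", page)
```

Because the injection is applied to the response body inside the browser, the address bar, the certificate and the TLS padlock all still belong to the genuine bank, which is what makes the added field convincing to the victim.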

Examples of Troj/ZbotMem-B include:

Example 1

File Information

Size
169K
SHA-1
0faa779a2799b2a0821ae0f77b355b700d809a2e
MD5
d5cab01ed1681efe1edb55b990cc63c6
CRC-32
ba19742d
File type
Windows executable
First seen
2010-10-05

Example 2

File Information

File type
Windows executable

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Efmew\naogh.exe
  • c:\Documents and Settings\test user\Application Data\Insyag\kito.tmp
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {A21F7B35-B42C-7EFB-F918-78DC1727A316}
    "c:\Documents and Settings\test user\Application Data\Efmew\naogh.exe"
  • HKCU\Software\Microsoft\Reqy
    Aperubul
    [binary data, not printable]
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\efmew\naogh.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://tsd1online.com/f_32thg2ihfloeil/yif3hj373959fd/up3/mxconfig.bin
DNS Requests
  • tsd1online.com

Example 3

File Information

Size
152K
SHA-1
533548bd06cbf0c63c25751134a0ec0340d133f0
MD5
6029b85108a392bf6bc8feb87e704a3d
CRC-32
a96f914f
File type
Windows executable
First seen
2010-10-08

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Fiume\revap.ywe
  • c:\Documents and Settings\test user\Application Data\Zeihby\zoid.exe
Registry Keys Created
  • HKCU\Software\Microsoft\Asobme
    Amve
    [binary data, not printable]
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {48DBCECD-61F9-DBB6-AB03-49E1901B80A7}
    "c:\Documents and Settings\test user\Application Data\Zeihby\zoid.exe"
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\zeihby\zoid.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://parais.in/ppnl3.bin
DNS Requests
  • parais.in
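A hunting heuristic for the runtime indicators that Examples 2 and 3 above have in common, added here and not part of this Sophos page: both samples install a Run value named like a CLSID that points at a randomly named executable under the user's Application Data folder, and both set value 1609 (URLACTION_HTML_MIXED_CONTENT, "Display mixed content": 0 = enable, 1 = prompt, 3 = disable) to 0 in every Internet Explorer zone, which suppresses the mixed-content prompt that injected content could otherwise trigger. The sample registry entries are constructed from Example 2 plus a benign Run value and a zone left at its prompting value; the AppData\Roaming form of the path and the 3-8 letter folder and file names in the pattern are assumptions that generalise the two paths on this page.

```python
"""Hunt for the Zbot persistence and IE zone tampering listed on this page.

Added example, not Sophos code. It works on (key, value_name, data) tuples so it
runs offline against the constructed sample below; on a live host the same
tuples can be produced with winreg or `reg query`.
"""
import re

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
ZONE_KEY_RE = re.compile(r"\\Internet Settings\\Zones\\(\d+)$", re.I)

# Zbot names its Run value like a CLSID, e.g. {A21F7B35-B42C-7EFB-F918-78DC1727A316}.
GUID_NAME_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)

# ...and points it at <profile>\Application Data\<random>\<random>.exe. The
# Vista+ AppData\Roaming form and the 3-8 letter name length are assumptions
# that generalise the two paths on this page (Efmew\naogh.exe, Zeihby\zoid.exe).
DROP_PATH_RE = re.compile(
    r'^"?[a-z]:\\(?:documents and settings\\[^\\]+\\application data'
    r'|users\\[^\\]+\\appdata\\roaming)\\[a-z]{3,8}\\[a-z]{3,8}\.exe"?$',
    re.I,
)

# Constructed sample mirroring Example 2, plus a benign Run value and one zone
# (3, Internet) left at 1 = prompt for contrast. Zone value 1609 is
# URLACTION_HTML_MIXED_CONTENT: 0 = enable, 1 = prompt, 3 = disable.
ZONES = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
SAMPLE_ENTRIES = [
    (RUN_KEY, "{A21F7B35-B42C-7EFB-F918-78DC1727A316}",
     r'"c:\Documents and Settings\test user\Application Data\Efmew\naogh.exe"'),
    (RUN_KEY, "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    (ZONES + r"\0", "1609", 0),
    (ZONES + r"\1", "1609", 0),
    (ZONES + r"\2", "1609", 0),
    (ZONES + r"\4", "1609", 0),
    (ZONES + r"\3", "1609", 1),
]


def is_zbot_run_entry(value_name, data):
    """True when a Run value has the CLSID-style name and the %APPDATA% drop path."""
    return bool(GUID_NAME_RE.match(value_name) and DROP_PATH_RE.match(str(data)))


def zones_with_mixed_content_enabled(entries):
    """Zone numbers whose 1609 action is 0, i.e. mixed content shown without a prompt."""
    zones = []
    for key, name, data in entries:
        m = ZONE_KEY_RE.search(key)
        if m and name == "1609" and data == 0:
            zones.append(int(m.group(1)))
    return sorted(zones)


def hunt(entries):
    """Return the suspicious Run values and the tampered zones found in entries."""
    persistence = [(name, data) for key, name, data in entries
                   if key.lower() == RUN_KEY.lower() and is_zbot_run_entry(name, data)]
    return {"persistence": persistence,
            "mixed_content_zones": zones_with_mixed_content_enabled(entries)}


if __name__ == "__main__":
    for finding, value in hunt(SAMPLE_ENTRIES).items():
        print(finding, value)
```

Neither signal is conclusive on its own (some legitimate installers also use GUID-named Run values, and an administrator can legitimately change 1609), but a CLSID-named Run value under a random Application Data folder together with 1609 forced to 0 in every zone is the combination the two examples on this page share, and it is cheap to sweep across a fleet from exported hives.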
