Troj/ZbotMem-B

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 02 Mar 2011 15:46:43 (GMT)
Last Updated: 22 Oct 2015 07:30:05 (GMT)


Troj/ZbotMem-B is an in-memory detection for Zbot.

Zbot is an information-stealing Trojan that primarily targets online banking websites.

Zbot is capable of stealing a wide range of information, including login credentials entered into web forms and passwords stored by FTP programs.

Zbot is also able to inject extra code into webpages as they are browsed, which can prompt the user to enter additional information useful to the attacker.

For further information on Zbot please see: What Is Zeus?

Examples of Troj/ZbotMem-B include:

Example 1

File Information

File type
Windows executable

Example 2

File Information

Size
169K
SHA-1
0faa779a2799b2a0821ae0f77b355b700d809a2e
MD5
d5cab01ed1681efe1edb55b990cc63c6
CRC-32
ba19742d
File type
Windows executable
First seen
2010-10-05

Example 3

File Information

File type
Windows executable

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Elag\abqau.exe
    Size
    243K
    SHA-1
    946950714abe59ce92e10c1ed8f35a139fe373ed
    MD5
    136820d48bd409bca38331f9306b0d8c
    CRC-32
    a43e3a08
    File type
    Windows executable
    First seen
    2015-07-08
  • c:\Documents and Settings\test user\Application Data\Opozu\anxes.viq
    Size
    279
    SHA-1
    41eb7d84581d280bdc5a7cd1503ad7f55cd034f0
    MD5
    40883dc4f0ebe9bb5fa19bc98adb89bd
    CRC-32
    da00c061
    File type
    Unspecified binary - probably data
    First seen
    2015-07-08
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Yxubf
    Yrefu
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {88FC4DCE-698C-63E9-7813-08C2850B8E4D}
    "c:\Documents and Settings\test user\Application Data\Elag\abqau.exe"
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    C:\WINDOWS\system32\explorer.exe
    C:\WINDOWS\system32\explorer.exe:*:Enabled:Windows Explorer
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    EnableSPDY3_0
    0x00000000
Registry Keys Modified
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1A10
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    1A10
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    1a 26 6a 32 d8 b9 d0 01
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
Processes Created
  • c:\Documents and Settings\test user\application data\elag\abqau.exe
