Analysis of the Zbot Banking Trojan



This sample belongs to the Zbot family of malware. It is a banking Trojan that steals user credentials by injecting a malicious DLL into browsers. The samples embed anti-VM and anti-debugging techniques. The malware drops EXE files and creates a registry entry for persistence, and it has further features that are described in detail in the report below.
Identification
File Name: sample_1.exe
File Size: 51,204 bytes
File Type: PE-EXE
MD5: 5523530941c409b349ef40fa9415247e
SHA1: df7e46e629d2f9f1444298dc9c1350d0ec726817
SHA256: 5564bed78d23ad0ad198a0dbbf4196f5fdcc1eb8529673941736db18c3257e0b
SSDEEP: 1536:kmm/KVQyVwfneeoXtc4awZ/SlcXQ/0WA1hB:kmhOTfneeoFa4/Slcg/0VB

Characteristics
a. The sample is packed with a customized UPX packer.
b. It uses anti-VM and anti-debugging techniques.
c. It drops files into the “Application Data” folder.
d. It injects code into “svchost” processes.
e. It creates a registry entry under the Run key.

Dependencies
a. Works on both 32-bit and 64-bit Windows.
b. Kernel32.dll for basic process- and file-related activity.
c. WS2_32.dll and WININET.dll for network activity.
d. ADVAPI32.dll for registry activity.

Behavioral and Code Analysis Findings (Detailed Analysis Report)
Step 1:
a. The file is packed with a customized UPX packer.
b. The entry point after unpacking is 0x405805.
Step 2: Anti-Debugging and Anti-VM Techniques

a. IsDebuggerPresent
b. Heap flag checking
c. The sample also checks for the modules “dbghelp” and “sbiedll” to detect whether a debugger is running.
d. Anti-VM techniques: the sample queries the registry key SYSTEM\CurrentControlSet\Services\Disk\Enum and checks its values for strings identifying virtual machines, such as “xen”, “vmware”, “qemu” and “virtual”.
These are some of the major anti-debugging techniques used by the malware.
Step 3: Injecting into processes
The sample injects into system processes such as csrss.exe, lsass.exe, lsm.exe, services.exe, smss.exe and svchost.exe.
After injecting code into a system process, the malware executes it using the “CreateRemoteThread” API or the “CreateProcessInternalA” API.
The injected “svchost.exe” process drops the file into the “AppData”, “Temp” or “Application Data” folder, inside a randomly named folder and under a random file name.
The sample also creates a registry entry under “Run” for the dropped file, for persistence.
It checks network connectivity by querying “msn.com”.
As this is a Zbot family sample, it tries to connect to the following malicious web links:
hxxp://pleak.pl/index.php, hxxp://sngroup.pl/index and hxxp://freemart.pl/index.
It generates a CRC32 hash of the computer name, which is used to identify the particular machine uniquely.
The dropped file has CnC commands stored in it, with which it tries to connect to the CnC server and carry out other malicious activity.
The CRC32 of the computer name is used as the unique identifier when connecting to the CnC server, and the sample also sends system information to the CnC server. It reports the type of user account as well, such as admin or guest.
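The anti-VM registry check from Step 2 and the CRC32 machine identifier described here, reduced to a small Python triage helper. This is an added example and not code from the original report: the Disk\Enum values are constructed, the case-insensitive substring matching and the 8-digit hex rendering of the CRC32 are assumptions, and read_disk_enum is a hypothetical helper for running the same check against a live Windows analysis VM.

```python
import zlib

# Markers the report says the sample looks for in the Disk\Enum values;
# case-insensitive substring matching is an assumption of this example.
VM_MARKERS = ("xen", "vmware", "qemu", "virtual")

# Constructed string values under HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum:
# two VM-style device instance IDs and one bare-metal disk (not from a real host).
SAMPLE_DISK_ENUM = {
    "0": r"IDE\DiskVMware_Virtual_IDE_Hard_Drive___________00000001\5&1d4e3f50&0&0.0.0",
    "1": r"SCSI\Disk&Ven_QEMU&Prod_QEMU_HARDDISK\4&2c6b7a1f&0&000000",
    "2": r"IDE\DiskST3500418AS_____________________________CC38\5&3a1c9e2b&0&0.0.0",
}

def vm_markers_in_disk_enum(disk_enum):
    """{value_name: [markers]} for each value that would trip the anti-VM check."""
    hits = {}
    for name, device_id in disk_enum.items():
        found = [m for m in VM_MARKERS if m in device_id.lower()]
        if found:
            hits[name] = found
    return hits

def read_disk_enum():
    """Hypothetical helper: live Disk\\Enum string values on Windows, {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    values, index = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\Disk\Enum") as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # EnumValue raises once the values are exhausted
                break
            if isinstance(data, str):  # skip the Count/NextInstance DWORDs
                values[name] = data
            index += 1
    return values

def bot_id_from_computer_name(computer_name):
    """CRC32 of the computer name as described in the report; ASCII input and
    8-digit lowercase hex output are assumptions."""
    return f"{zlib.crc32(computer_name.encode('ascii')) & 0xFFFFFFFF:08x}"

if __name__ == "__main__":
    live = read_disk_enum() or SAMPLE_DISK_ENUM  # falls back to the constructed data
    print("Values that would trip the anti-VM check:", vm_markers_in_disk_enum(live))
    print("Bot ID for WORKSTATION-01:", bot_id_from_computer_name("WORKSTATION-01"))
```

Run on an analysis VM, a non-empty result tells you which disk device strings to rename or mask before the sample will proceed past its anti-VM check.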
Once it connects to the malicious bot network, it downloads various malicious files.

The above analysis was done without connecting to the network. For a complete botnet-related analysis we need to connect to the network; after that, the complete behaviour of the bot can be observed through all of its CnC commands, and a full network analysis can be carried out with either Wireshark or Fiddler.
