PUP.ZoomInfo

Analysis Report

General information

Family Name: PUP.ZoomInfo
Signature status: No Signature

Known Samples

Sample 1
MD5: c166f0105d25a533ed6ce410f22e0861
SHA1: edeaff1b44744a863f378e8578e3f4e345c065c6
SHA256: CCB1A8D57C58029E2D4AE4EAE367E27AD7C15C7A3F172649B75F97A214D58766
File Size: 265.60 KB, 265600 bytes

Sample 2
MD5: 240363b6c70a1088c700e720731969ed
SHA1: c9267952a8e68ab4609ec97fc59b0db3cafda3d4
SHA256: 376B2E3C45C78781B10A2D026A046DA7A1F0A2E544848B4B658BA0A2820B08A5
File Size: 232.59 KB, 232592 bytes

Sample 3
MD5: 680696e6d61a3f2273b23cc2866cba42
SHA1: 852c45afc61233358eebb3604d16adc8c3732c33
SHA256: 11FD33273DDD19319BE40EFD04AB687DD6EF0835968BAB005481C90AFDF60F4E
File Size: 248.77 KB, 248770 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
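The attribute list above is derived from the PE headers and can be reproduced without the analysis platform. The following is an added example, not code from this report or its tooling, that reads the DOS, COFF and optional headers with only the Python standard library and returns the same properties. "Security information" corresponds to data directory 4, the certificate table where an Authenticode signature is stored, so a missing entry means the outer file carries no embedded signature. build_min_pe() constructs a headers-only PE image for demonstration; it is not loadable by Windows, and the flag values in REPORT_LIKE are chosen to mimic the sample described above, not taken from it.

```python
"""Re-derive the static PE attributes listed above from the file headers.

Added example using only the standard library; it is not the analysis
platform's code.  build_min_pe() constructs a headers-only PE image for
demonstration (not loadable by Windows) so the checks can run offline."""
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
# Data-directory indexes from the PE specification.
DIR_EXPORT, DIR_SECURITY, DIR_BASERELOC, DIR_DEBUG, DIR_CLR = 0, 4, 5, 6, 14


def pe_attributes(data: bytes) -> dict:
    """Parse DOS, COFF and optional headers and return the attribute flags
    that the 'Windows Portable Executable Attributes' list shows."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4  # Machine, NumberOfSections, TimeDateStamp, ...
    _, _, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)  # same offset in PE32 and PE32+
    (ndirs,) = struct.unpack_from("<I", data, ndirs_off)

    def directory(idx):
        # (VirtualAddress, Size); an absent or zero-sized entry means "none".
        if idx >= ndirs or dirs_off + idx * 8 + 8 > opt + opt_size:
            return 0, 0
        return struct.unpack_from("<II", data, dirs_off + idx * 8)

    return {
        "is_32bit": magic == PE32_MAGIC,
        "is_executable_image": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "is_gui": subsystem == IMAGE_SUBSYSTEM_WINDOWS_GUI,
        "is_console": subsystem == IMAGE_SUBSYSTEM_WINDOWS_CUI,
        "is_dotnet": directory(DIR_CLR)[1] != 0,
        "has_exports": directory(DIR_EXPORT)[1] != 0,
        "has_relocations": directory(DIR_BASERELOC)[1] != 0,
        "has_debug_info": directory(DIR_DEBUG)[1] != 0,
        # Index 4 is the certificate table: where an Authenticode signature lives.
        "has_security_info": directory(DIR_SECURITY)[1] != 0,
        # The Rich header (MSVC linker fingerprint) sits between the DOS stub and "PE\0\0".
        "has_rich_header": b"Rich" in data[:e_lfanew],
    }


def build_min_pe(*, characteristics, subsystem, magic=PE32_MAGIC, dirs=None, rich=False) -> bytes:
    """Constructed headers-only PE image for demonstration (no sections,
    not loadable).  dirs maps data-directory index -> (rva, size)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    stub = b"Rich\0\0\0\0" if rich else b""  # stand-in for a real Rich header
    e_lfanew = 64 + len(stub)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    fixed = 96 if magic == PE32_MAGIC else 112  # optional header bytes before the directories
    opt = bytearray(fixed + 16 * 8)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, fixed - 4, 16)  # NumberOfRvaAndSizes
    for idx, (rva, size) in (dirs or {}).items():
        struct.pack_into("<II", opt, fixed + idx * 8, rva, size)
    machine = 0x14C if magic == PE32_MAGIC else 0x8664
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), characteristics)
    return bytes(dos) + stub + b"PE\0\0" + coff + bytes(opt)


# Flag values chosen to mimic the report's sample: 32-bit GUI executable,
# no export/relocation/debug/security directories, no Rich header.
REPORT_LIKE = build_min_pe(characteristics=IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE,
                           subsystem=IMAGE_SUBSYSTEM_WINDOWS_GUI)

if __name__ == "__main__":
    for name, value in pe_attributes(REPORT_LIKE).items():
        print(f"{name:20} {value}")
```

Run it against a real file with `pe_attributes(open(path, "rb").read())`; the only attribute in the list it does not reproduce is "not packed", which needs section entropy rather than header fields.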

Windows PE Version Information

Name Value
File Version
  • 67
  • 65
  • 62
Legal Copyright
  • (c) Zoom Information, Inc.
Product Name
  • ZoomInfo Contact Contributor
Product Version
  • 67
  • 65
  • 62

Digital Signatures

Signer: Zoom Information Inc.
Root: DigiCert EV Code Signing CA (SHA2)
Status: Self Signed

Signer: ZoomInfo Technologies LLC
Root: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Status: Self Signed

The signature data in this report is internally inconsistent and should not be relied on without re-checking the sample: General information reports No Signature, the PE attributes show no security directory (the certificate table that holds an Authenticode signature) and the file traits include "nosig nsis", yet two signers are listed here with a Self Signed status even though both named issuers are DigiCert intermediate CAs, which a self-signed certificate would not chain to. One plausible reading is that the signer entries come from files embedded in or dropped by the NSIS installer rather than from the outer executable. Confirm by checking the outer file and each dropped DLL separately (Get-AuthenticodeSignature in PowerShell, or signtool verify /pa /v) before treating the publisher identity as established.

File Traits

  • Installer Manifest
  • nosig nsis
  • Nullsoft Installer
  • x86

Block Information

Total Blocks: 101
Potentially Malicious Blocks: 0
Whitelisted Blocks: 99
Unknown Blocks: 2

Visual Map

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Agent.M
  • Agent.MH
  • Agent.MI
  • Agent.MU
  • Autorun.LA
  • Chapak.HBX
  • CobaltStrike.GI
  • CobaltStrike.GIA
  • FakeAV.AU
  • MSILZilla.TC
  • Rozena.XC
  • Trojan.Agent.Gen.VN

Files Modified

File Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_rnbd4ucf.cty.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_w1ijbwku.ved.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\fccoordinator.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\nsi88ba.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nso551a.tmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nso551a.tmp\getversion.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nso551a.tmp\getversion.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nso551a.tmp\nsisdl.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nso551a.tmp\nsisdl.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nso551a.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nso551a.tmp\system.dll Synchronize,Write Attributes
c:\users\user\downloads\installer_opened.txt Generic Write,Read Attributes

Registry Modifications

Key::Value Data API Name
HKCU\software\microsoft\windows\currentversion\explorer::slowcontextmenuentries RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\content::cacheprefix RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\cookies::cacheprefix Cookie: RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\history::cacheprefix Visited: RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Mkwtehwm\AppData\Local\Temp\nso551A.tmp\ RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKCU\software\microsoft\edge\blbeacon::failed_count RegNtPreCreateKey
HKCU\software\microsoft\edge\blbeacon::state  RegNtPreCreateKey
HKCU\software\microsoft\edge\thirdparty::statuscodes (NULL) RegNtPreCreateKey
HKCU\software\microsoft\edge\thirdparty::statuscodes  RegNtPreCreateKey
HKCU\software\microsoft\edge\elfbeacon::version 140.0.3485.81 RegNtPreCreateKey
HKCU\software\microsoft\edge\blbeacon::state  RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe (binary data; the report renders the raw bytes as garbage text) RegNtPreCreateKey

Most of these keys are side effects of the environment rather than of the installer's own logic. The PendingFileRenameOperations entry names the NSIS temp directory (nso551A.tmp) and is how an NSIS installer asks Windows to remove its plugin directory at the next boot when it cannot delete it immediately. The Edge blbeacon, elfbeacon and thirdparty values are written by the browser itself, consistent with the http:// URL in Shell Command Execution being handed to the default browser. The BAM (Background Activity Moderator) entry for conhost.exe is the OS recording process execution under the logged-on user's SID. The cacheprefix and slowcontextmenuentries keys are ordinary WinINet and Explorer state.

Windows API Usage

Category API
Network Winsock2
  • WSAStartup
Network Winsock
  • closesocket
  • connect
  • gethostbyname
  • inet_addr
  • recv
  • send
  • socket
Process Shell Execute
  • CreateProcess
  • ShellExecute
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDeleteValueKey
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenMutant
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSetValueKey
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForMultipleObjects
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • UNKNOWN
  • win32u.dll!NtUserGetKeyboardLayout
  • win32u.dll!NtUserGetThreadState
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
User Data Access
  • GetUserDefaultLocaleName
  • GetUserObjectInformation
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ZwMapViewOfSection
Encryption Used
  • BCryptOpenAlgorithmProvider
Other Suspicious
  • AdjustTokenPrivileges

Shell Command Execution

open http://cswapper.freshcontacts.com/client/installfailure?client_version=62&failure_point=DetermineOutlookCompatibility&os_version=Windows 6.2 9200 64 [ ]&outlook_version=none&outlook_bitness=none&client_id={931EC846-A945-4419-8ED1-09D94B94A258}&error_message=&reachout=true&appid=5
powershell -WindowStyle Hidden -Command "$ProgressPreference = \"SilentlyContinue\"

The first entry is a ShellExecute with the "open" verb on an http:// URL, which hands the URL to the default browser; the HKCU\software\microsoft\edge\... writes in Registry Modifications are consistent with Edge being launched this way. The URL is an install-failure report sent over cleartext HTTP, and its query string carries the client version, the failure point (DetermineOutlookCompatibility, with outlook_version=none and outlook_bitness=none, consistent with Outlook not being installed in the analysis VM), the OS version string (6.2 build 9200, i.e. Windows 8 / Server 2012) and a per-client GUID. The second entry launches PowerShell with a hidden window and an inline -Command; the report captures only the beginning of that command line, so what the script goes on to do is not visible here.
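The temp-file writes in Files Modified and the two command lines above are the artifacts an analyst would triage first. The following is an added example, not part of this report or of the analysis platform's tooling, that classifies them with the Python standard library: it marks the NSIS plugin staging directory (%TEMP%\ns<letter><4 hex>.tmp\) and PowerShell's __PSScriptPolicyTest_*.ps1/.psm1 AppLocker/WDAC probe files as expected tooling side effects, parses the beacon URL's query string to list exactly which fields leave the host, and flags the PowerShell switches that matter (hidden window, inline or encoded command, execution-policy bypass, no profile). The sample strings are copied from this report; the category names and regular expressions are heuristics written for this example, not the platform's rules.

```python
"""Triage of the dynamic artifacts listed in this report: the temp-file
writes, the 'open <url>' call and the hidden-window PowerShell launch.

Added example (standard library only); the artifact strings below are
copied from the report and the classification rules are heuristics
written for this example, not output of the analysis platform."""
import re
from urllib.parse import parse_qs, urlsplit

# Expected side effects of the tooling rather than payload behaviour:
# NSIS stages its plugin DLLs under %TEMP%\ns<letter><4 hex>.tmp\, and
# PowerShell writes __PSScriptPolicyTest_<random>.ps1/.psm1 to %TEMP% at
# start-up to probe whether AppLocker/WDAC constrains script execution.
KNOWN_BENIGN = {
    "nsis_plugin_dir": re.compile(r"\\temp\\ns[a-z][0-9a-f]{4}\.tmp(\\|$)", re.I),
    "powershell_policy_probe": re.compile(r"\\__psscriptpolicytest_[0-9a-z.]+\.psm?1$", re.I),
}

# PowerShell switches worth flagging when an installer spawns the shell.
PS_FLAGS = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "inline_command": re.compile(r"-c(ommand)?\s", re.I),
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s", re.I),
    "bypass_policy": re.compile(r"-ex(ecutionpolicy)?\s+bypass", re.I),
    "no_profile": re.compile(r"-nop(rofile)?\b", re.I),
}

# Copied from the "Files Modified" and "Shell Command Execution" sections.
REPORT_PATHS = [
    r"c:\users\user\appdata\local\temp\__psscriptpolicytest_rnbd4ucf.cty.ps1",
    r"c:\users\user\appdata\local\temp\nso551a.tmp\nsisdl.dll",
    r"c:\users\user\appdata\local\temp\fccoordinator.tmp",
    r"c:\users\user\downloads\installer_opened.txt",
]
REPORT_COMMANDS = [
    "open http://cswapper.freshcontacts.com/client/installfailure?client_version=62"
    "&failure_point=DetermineOutlookCompatibility&os_version=Windows 6.2 9200 64 [ ]"
    "&outlook_version=none&outlook_bitness=none"
    "&client_id={931EC846-A945-4419-8ED1-09D94B94A258}&error_message=&reachout=true&appid=5",
    r'powershell -WindowStyle Hidden -Command "$ProgressPreference = \"SilentlyContinue\"',
]


def triage_path(path: str) -> str:
    """Label one written file path: known tooling artifact, other temp file,
    or a write outside %TEMP% (which deserves a closer look)."""
    for label, rx in KNOWN_BENIGN.items():
        if rx.search(path):
            return label
    return "other_temp_file" if re.search(r"\\temp\\", path, re.I) else "outside_temp"


def triage_command(cmd: str) -> dict:
    """Classify one shell-command line: a URL beacon (with the fields it
    leaks), a PowerShell launch (with its notable switches), or other."""
    verb, _, rest = cmd.partition(" ")
    if verb.lower() == "open" and rest.lower().startswith(("http://", "https://")):
        url = urlsplit(rest)
        # keep_blank_values so empty fields such as error_message= still show up
        params = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
        return {
            "kind": "url_beacon",
            "host": url.hostname,
            "path": url.path,
            "cleartext": url.scheme == "http",  # telemetry sent without TLS
            "params": params,
        }
    if verb.lower() in ("powershell", "powershell.exe", "pwsh", "pwsh.exe"):
        flags = [name for name, rx in PS_FLAGS.items() if rx.search(rest)]
        return {"kind": "powershell", "flags": flags, "argv": rest}
    return {"kind": "other", "argv": cmd}


def triage_report(paths=REPORT_PATHS, commands=REPORT_COMMANDS) -> dict:
    """Summarise the artifact lists the way an analyst would read them."""
    return {
        "paths": {p: triage_path(p) for p in paths},
        "commands": [triage_command(c) for c in commands],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_report(), indent=2))
```

The benign-pattern table is deliberately narrow: a path under %TEMP% that matches neither pattern (fccoordinator.tmp here) and any write outside %TEMP% (installer_opened.txt in Downloads) stay unclassified so they are not waved through with the NSIS and PowerShell noise.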
