Trojan.Agent.ZFBI

By CagedTech in Trojans

Table of Contents

Analysis Report

General information

Family Name:	Trojan.Agent.ZFBI
Signature status:	No Signature

Known Samples

MD5: 4269937d144c72ac280f36b903d8564f

SHA1: 5d85c10bef2064a780a3edf7e986cf9927e21c2b

SHA256: 3D4D2CEBFD8EC2658837BF6573301AA3A2E00F41F490D6CCAF4F4EA54F17F70F

File Size: 389.63 KB, 389632 bytes

MD5: 58ee4e0de3ab5c3c8cf83807f2eeea6c

SHA1: 99a89dbd9ff8ccdb68d4c9ae3ba875a1a360037a

SHA256: 1C86A520AE1392A0F811DFD89081E02719A1897D2C0D6E459914D9E68D1E3D61

File Size: 527.94 KB, 527942 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have debug information
File doesn't have exports table
File doesn't have relocations information
File doesn't have security information
File is 32-bit executable
File is 64-bit executable
File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
File is either console or GUI application
File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)

File is Native application (NOT .NET application)
File is not packed
IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name	Value
Company Name	AppleCheats.cc
File Description	An automatic setup for the FBI client.
File Version	1.2.0.0 1.00
Internal Name	FBI.exe TJprojMain
Legal Copyright	Copyright (C) 2022
Original Filename	FBI-Setup.exe TJprojMain.exe
Product Name	FBI-Setup Project1
Product Version	1.2.0.0 1.00

File Traits

Installer Version
x64

Files Modified

File	Attributes
\device\namedpipe	Generic Read,Write Attributes
\device\namedpipe	Generic Write,Read Attributes
\device\namedpipe\lsarpc	Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\w32time	Generic Read,Write Data,Write Attributes,Write extended,Append data

Registry Modifications

Key::Value	Data	API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	툨홷涁ǜ	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer::slowcontextmenuentries		RegNtPreCreateKey
HKCU\software\microsoft\windows\shell\associations\urlassociations\https\userchoice::progid	MSEdgeHTM	RegNtPreCreateKey
HKCU\software\microsoft\windows\shell\associations\urlassociations\https\userchoice::hash	JrUbLuG0NXI=	RegNtPreCreateKey
HKCU\https::url protocol		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	ꋁ휪涁ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	떆휽涁ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	⫻흓涁ǜ	RegNtPreCreateKey

HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	흗涁ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	㶨흦涁ǜ	RegNtPreCreateKey
HKLM\software\policies\google\chrome::safebrowsingprotectionlevel		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	麨힇涁ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\config::frequencycorrectrate		RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\config::polladjustfactor		RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\config::largephaseoffset	˺	RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\config::spikewatchperiod	΄	RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\config::holdperiod		RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\config::localclockdispersion		RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\config::eventlogflags		RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\config::timejumpauditoffset	炀	RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\config::clockadjustmentauditlimit	̠	RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\timeproviders\ntpclient::enabled		RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\timeproviders\ntpclient::inputprovider		RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\timeproviders\ntpclient::allownonstandardmodecombinations		RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\timeproviders\ntpclient::crosssitesyncflags		RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\timeproviders\ntpclient::resolvepeerbackoffminutes		RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\timeproviders\ntpclient::resolvepeerbackoffmaxtimes		RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\timeproviders\ntpclient::compatibilityflags	耀	RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\timeproviders\ntpclient::eventlogflags		RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\timeproviders\ntpclient::largesampleskew		RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\timeproviders\ntpclient::signatureauthallowed		RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\timeproviders\ntpserver::inputprovider		RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\timeproviders\ntpserver::allownonstandardmodecombinations		RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\timeproviders\ntpserver::eventlogflags		RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\timeproviders\ntpserver::chainentrytimeout		RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\timeproviders\ntpserver::chainmaxentries		RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\timeproviders\ntpserver::chainmaxhostentries		RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\timeproviders\ntpserver::chaindisable		RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\timeproviders\ntpserver::chainloggingrate		RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\timeproviders\ntpserver::requiresecuretimesyncrequests		RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\timeproviders\vmictimeprovider::enabled		RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\timeproviders\vmictimeprovider::inputprovider		RegNtPreCreateKey
HKLM\system\controlset001\services\eventlog\system\w32time::typessupported		RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\parameters::servicedllunloadonstop		RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\config::utilizessltimedata		RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\config::lastknowngoodtime	耀Ɍ쯭ǐ	RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\securetimelimits::securetimelow	耀Ɍ쯭ǐ	RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\securetimelimits::securetimehigh	耀Ɍ쯭ǐ	RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\securetimelimits::securetimeestimated	耀Ɍ쯭ǐ	RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\parameters::servicemain	SvchostEntry_W32Time	RegNtPreCreateKey
HKLM\system\controlset001\services\eventlog\system\w32time::providerguid	{06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB}	RegNtPreCreateKey
HKLM\system\controlset001\services\eventlog\system\w32time::eventmessagefile	C:\WINDOWS\SYSTEM32\w32time.DLL	RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\parameters::servicedll	C:\WINDOWS\SYSTEM32\w32time.DLL	RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\timeproviders\ntpclient::dllname	C:\WINDOWS\SYSTEM32\w32time.DLL	RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\timeproviders\ntpserver::dllname	C:\WINDOWS\SYSTEM32\w32time.DLL	RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\timeproviders\vmictimeprovider::dllname	%SystemRoot%\System32\vmictimeprovider.dll	RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\timeproviders\ntpclient::specialpolltimeremaining		RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\config::phasecorrectrate		RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\config::minpollinterval		RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\config::maxpollinterval		RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\config::updateinterval	繀	RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\config::maxnegphasecorrection	티	RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\config::maxposphasecorrection	티	RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\timeproviders\ntpclient::specialpollinterval	耀	RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\config::announceflags		RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\config::maxallowedphaseoffset		RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\config::clockholdoverperiod	썐	RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\timeproviders\ntpserver::enabled		RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\parameters::ntpserver	time.windows.com,0x9	RegNtPreCreateKey
HKLM\system\controlset001\services\w32time\parameters::type	NTP	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	䵿ힷ涁ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	슴ퟌ涁ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	廨ퟩ涁ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe		RegNtPreCreateKey
HKLM\system\controlset001\control\session manager\power::hiberbootenabled		RegNtPreCreateKey
HKLM\software\policies\microsoft\windows defender security center\app and browser protection::disallowexploitprotectionoverride		RegNtPreCreateKey
HKLM\software\policies\microsoft\windows\system::enablesmartscreen		RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\gamedvr::appcaptureenabled		RegNtPreCreateKey

Windows API Usage

Category	API
Syscall Use	ntdll.dll!NtAccessCheckByType ntdll.dll!NtAddAtomEx ntdll.dll!NtAlertThreadByThreadId ntdll.dll!NtAlpcAcceptConnectPort ntdll.dll!NtAlpcConnectPort ntdll.dll!NtAlpcConnectPortEx ntdll.dll!NtAlpcCreatePort ntdll.dll!NtAlpcCreatePortSection ntdll.dll!NtAlpcCreateSectionView ntdll.dll!NtAlpcCreateSecurityContext Show More ntdll.dll!NtAlpcQueryInformation ntdll.dll!NtAlpcQueryInformationMessage ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtAlpcSetInformation ntdll.dll!NtApphelpCacheControl ntdll.dll!NtAssociateWaitCompletionPacket ntdll.dll!NtCancelWaitCompletionPacket ntdll.dll!NtClearEvent ntdll.dll!NtClose ntdll.dll!NtConnectPort ntdll.dll!NtCreateEvent ntdll.dll!NtCreateFile ntdll.dll!NtCreateKey ntdll.dll!NtCreateMutant ntdll.dll!NtCreateNamedPipeFile ntdll.dll!NtCreateSection ntdll.dll!NtCreateSemaphore ntdll.dll!NtCreateThreadEx ntdll.dll!NtCreateTimer ntdll.dll!NtCreateWaitCompletionPacket ntdll.dll!NtDeleteValueKey ntdll.dll!NtDeviceIoControlFile ntdll.dll!NtDuplicateObject ntdll.dll!NtEnumerateKey ntdll.dll!NtEnumerateValueKey ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtFsControlFile ntdll.dll!NtImpersonateAnonymousToken ntdll.dll!NtMapViewOfSection ntdll.dll!NtNotifyChangeKey ntdll.dll!NtOpenDirectoryObject ntdll.dll!NtOpenEvent ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenKeyEx ntdll.dll!NtOpenProcess ntdll.dll!NtOpenProcessToken ntdll.dll!NtOpenSection ntdll.dll!NtOpenSemaphore ntdll.dll!NtOpenThread ntdll.dll!NtOpenThreadToken ntdll.dll!NtPowerInformation ntdll.dll!NtProtectVirtualMemory ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryDirectoryFileEx ntdll.dll!NtQueryFullAttributesFile ntdll.dll!NtQueryInformationFile ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryKey ntdll.dll!NtQueryLicenseValue ntdll.dll!NtQueryObject ntdll.dll!NtQueryPerformanceCounter ntdll.dll!NtQuerySecurityAttributesToken ntdll.dll!NtQuerySecurityObject ntdll.dll!NtQuerySystemInformation ntdll.dll!NtQuerySystemInformationEx ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtQueryWnfStateData ntdll.dll!NtReadFile ntdll.dll!NtReadRequestData ntdll.dll!NtReleaseMutant ntdll.dll!NtReleaseSemaphore ntdll.dll!NtReleaseWorkerFactoryWorker ntdll.dll!NtRequestWaitReplyPort ntdll.dll!NtResumeThread ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationFile ntdll.dll!NtSetInformationKey ntdll.dll!NtSetInformationObject ntdll.dll!NtSetInformationProcess ntdll.dll!NtSetInformationThread ntdll.dll!NtSetInformationVirtualMemory ntdll.dll!NtSetInformationWorkerFactory ntdll.dll!NtSetSecurityObject ntdll.dll!NtSetTimer2 ntdll.dll!NtSetTimerEx ntdll.dll!NtSetValueKey ntdll.dll!NtSubscribeWnfStateChange ntdll.dll!NtTerminateProcess ntdll.dll!NtTestAlert ntdll.dll!NtTraceControl ntdll.dll!NtTraceEvent ntdll.dll!NtUnmapViewOfSection ntdll.dll!NtUnmapViewOfSectionEx ntdll.dll!NtUnsubscribeWnfStateChange ntdll.dll!NtUpdateWnfStateData 8 additional items are not displayed above.
Service Control	OpenSCManager OpenService
Process Manipulation Evasion	NtUnmapViewOfSection
Process Shell Execute	CreateProcess
Network Urlomon	URLDownloadToFile
Other Suspicious	SetWindowsHookEx

Shell Command Execution


							C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c start https://www.sordum.org/9480/defender-control-v2-1/ 2>nul


							C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List


							C:\WINDOWS\System32\Wbem\WMIC.exe WMIC  /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List


							C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c WMIC CPU Get VirtualizationFirmwareEnabled


							C:\WINDOWS\System32\Wbem\WMIC.exe WMIC  CPU Get VirtualizationFirmwareEnabled


									C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c C:\Windows\VC_redist.x64.exe /setup /q /norestart 2>nul


									C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c start https://www.google.com/chrome/ 2>nul


									C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c C:\Windows\VC_redist.x86.exe /setup /q /norestart 2>nul


									C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c w32tm /register 2>nul


									C:\WINDOWS\system32\w32tm.exe w32tm  /register


									C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c net stop w32time 2>nul


									C:\WINDOWS\system32\net.exe net  stop w32time


									C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c w32tm /unregister 2>nul


									C:\WINDOWS\system32\w32tm.exe w32tm  /unregister


									C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c w32tm /register 2>nul


									C:\WINDOWS\system32\w32tm.exe w32tm  /register


									C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c net start w32time 2>nul


									C:\WINDOWS\system32\net.exe net  start w32time


									C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c w32tm /resync 2>nul


									C:\WINDOWS\system32\w32tm.exe w32tm  /resync


									C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c wmic os get version | findstr /R "[0-9]\.[0-9]\.[0-9]"


									C:\WINDOWS\System32\Wbem\WMIC.exe wmic  os get version

EnigmaSoft’s Payment Processor Digital River GmbH Filing for Bankruptcy Does Not Impact SpyHunter Customers’ Anti-Malware Protection

Search

Change Region

Trojan.Agent.ZFBI

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

File Icons

File Icons

Windows PE Version Information

Windows PE Version Information

File Traits

Files Modified

Files Modified

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

Submit Comment

Trending

Trust Wallet - Blue Moon Crypto Giveaway Scam

Arashpar.xyz

MacTonic

Most Viewed

How To Fix 'Printer Driver is Unavailable' Error

Discord Shows Black Screen when Sharing Screen

How to Fix 'macOS cannot verify that this app is...