MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23155ae9b7f7b7884dfdc820fd77f7600875dafcf39df4d941240f90fe06ae2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ZLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 23155ae9b7f7b7884dfdc820fd77f7600875dafcf39df4d941240f90fe06ae2d
SHA3-384 hash: be888c7b034bf923282462924e5d8aad7ac130255b8208ff2f366d91ce09a28d28cc2d8494b66919c22f58f6b8f67504
SHA1 hash: 03491f7013bfdad641f565bc8968abe0fb73bec0
MD5 hash: 2342b45680021bedb91f19f3a1d35512
humanhash: wyoming-finch-blue-maine
File name:A2Bw3s7b8n8.exe
Download: download sample
Signature ZLoader
Create hunting rule
File size:840'246 bytes
First seen:2020-04-24 13:03:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 807fb98878cccb134bc569b1f03c70b7 (1 x ZLoader)
ssdeep 1536:76W33OiR/O9UFnpdpjiodroMN5gt9R+nxnjQaedFrr:7zNOuFpdK9wljQaeT
Threatray 831 similar samples on MalwareBazaar
TLSH B005AF4B35E0543BD5C5C13917F6B6AB932750125623A9CE3A478EA73A783C2EC58BC3
Reporter James_inthe_box
Tags:exe ZLoader

Code Signing Certificate

Organisation:Datamean Technologies LTD
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:Apr 10 00:00:00 2020 GMT
Valid to:Apr 10 23:59:59 2021 GMT
Serial number: 243F599AF4D8BC8D1B311431EA865223
Intelligence: 6 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 373BC53FEA9266BCBBAFAA1F30345BB724D6598212BC2ED935214D4FFE81D281
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packed.Regotet-7685942-0
Create hunting rule

SecuriteInfo.com.Win32.Heim.A.10092.24398.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2020-04-24 04:29:00 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
30 of 31 (96.77%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=emkvv2nx663yqtp5zaqp257xmaehlwx46oo7jwkbeqhzb7qgvywq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
278e368f49b3dc5e72eb5c81abc8b379167ab4a1ef282c61485dccd5cbd12b8d
ZLoader
2b648f76aaae28bfbe8e9e4be3db323aefd3933a60ad6ec4d1847b78d8282a3f
ZLoader
30c57f5803c861c2d36fc003f855ee9857e4aebc864be6b9f898176f93e3cbd3
ZLoader
562b6f9799bf19a42aa840a2f7178cc11bce20110ade85cf354a57dd0b569824
ZLoader
5804bc1b3709fb141a9886fded0f418553b8a4fb3fbafe8dcd7e7ede5cc55157
ZLoader
6e079394b3a3085d572975115b334d813a79cd5833509b6afa45542687a5dfce
ZLoader
89146747e32e3c641c05585ff782874aeca718398f189a7dc37dd0e9b55895a5
ZLoader
9ee6e02a3e8070a4d501f7033f54d17781d2d4f43bf3b0717e15d63a1fa2e145
ZLoader
b3080e3dea927ae5c6d02fad35de244bf93c1d2594ad0d8cfb3900aaaa014f30
ZLoader
f6fc7442449ac48b039f5e29230bd26383b62bee2a050f5e81553755b69e6f25
ZLoader
+ 821 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
SHELL32.dll::WOWShellExecute
SHELL32.dll::ShellExecuteA
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::GetCommModemStatus
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetStartupInfoA
SHELL32.dll::SHGetDiskFreeSpaceExW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::FillConsoleOutputCharacterA
KERNEL32.dll::ReadConsoleOutputCharacterA
KERNEL32.dll::GetConsoleAliasA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::MoveFileA
KERNEL32.dll::BackupWrite
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::GetUserNameA
KERNEL32.dll::DnsHostnameToComputerNameA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegOpenKeyA
ADVAPI32.dll::RegQueryValueW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::FindWindowW
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments