MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3648fe001994cb9c0a6b510213c268a6bd4761a3a99f3abb2738bf84f06d11cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ZLoader

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	3648fe001994cb9c0a6b510213c268a6bd4761a3a99f3abb2738bf84f06d11cf
SHA3-384 hash:	1428b1f891638fa228c4e429b55c9980bc38f17436f7fe676f29661033e003a9140b2c29234fe231d159bec9a4a05cb2
SHA1 hash:	5677f26e926c8c8d7f7bf7eb085a9e48549a268b
MD5 hash:	fa9b3dfdb4b97dfe0db5991472f89399
humanhash:	harry-crazy-mobile-island
File name:	f.dll
Download:	download sample
Signature	ZLoader Create hunting rule
File size:	524'288 bytes
First seen:	2020-04-20 15:42:05 UTC
Last seen:	2020-04-20 19:45:42 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	01479b33d2951ecc29b271a819f667d9 (1 x ZLoader)
ssdeep	12288:7do6GchQc7N2h17L0/BRHdziwBAoXkW1SnyAP7:7O6G0Qc7Ne1c/BRH5JUfz
Threatray	43 similar samples on MalwareBazaar
TLSH	51B4E112B668FA9CE8B05138CC48E1740D76EC5AADB742C7B0993ADF97EE3710F06125
Reporter	abuse_ch
Tags:	dll ZLoader

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Generic.mg.fa9b3dfdb4b97dfe.22979.UNOFFICIAL

PUA.Win.Downloader.Aiis-6803892-0

Gathering data

Threat name:

Win32.Trojan.Zbot

Status:

Malicious

First seen:

2020-04-20 16:28:42 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

23 of 31 (74.19%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=gzep4aazstfzyctlkebbhqtiu26uoyndvgptvozhhc7yj4dnchhq._file

Verdict:

malicious

Label(s):

zloader

gozi

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ZLoader

DLL dll 3648fe001994cb9c0a6b510213c268a6bd4761a3a99f3abb2738bf84f06d11cf

(this sample)

ZLoader

DLL dll dd11381223ab1902db2963df4cbe3299e42064a5857545560f913647c1f70c5a

URLhaus

https://urlhaus.abuse.ch/url/346908/

https://twitter.com/DynamicAnalysis/status/1252259631042301957

Delivery method

Distributed via web download

Dropping

SHA256 dd11381223ab1902db2963df4cbe3299e42064a5857545560f913647c1f70c5a

Dropping

MD5 133b1861b3590bf00308509227f82872

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetStartupInfoA KERNEL32.dll::GetCommandLineA
WIN_USER_API	Performs GUI Actions	USER32.dll::FindWindowA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample