MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69b37a5b3044cb14a9fc32440212f242e52f657b93306f4b90cccc3087ed4773. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ZLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 69b37a5b3044cb14a9fc32440212f242e52f657b93306f4b90cccc3087ed4773
SHA3-384 hash: e9c057a772051532765c842ab67a2fdd72fea74dae6aa2db48f1803d4d74fd82bf3376581b80d05d7be44cd65185cf9d
SHA1 hash: 30963885db570660a9e768362a6245084f5ded5d
MD5 hash: 88d15eaff1188dd0acfd09715ba03212
humanhash: friend-march-georgia-zebra
File name:april8.dll
Download: download sample
Signature ZLoader
Create hunting rule
File size:507'904 bytes
First seen:2020-04-09 07:03:28 UTC
Last seen:2020-04-09 10:37:50 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash e14ab21b259dff80767f3ad7c3098031 (1 x ZLoader)
ssdeep 12288:REFP16qoWboF2kAqLoG4znNfNk75t/fEB3ZfydV2W+OOEtR6:RQUW42FqpenNfNI/fg3MdWBH
Threatray 48 similar samples on MalwareBazaar
TLSH 5DB4D0007F91C035F8BA96FA46754B9D682D7D609F2844CB53D7AADE2235AE1DC303A3
Reporter abuse_ch
Tags:dll ZLoader


Avatar
abuse_ch
Malspam sent via SendGrid, distributing ZLoader:

HELO: xtrwsqtf.outbound-mail.sendgrid.net
Sending IP: 167.89.100.127
From: James Johnson <25@jdscentral.com>
Subject: Hiring
Attachment: James Johnson Resume.xls

ZLoader payload URL:
http://march262020.com/files/april8.dll

Intelligence

File Origin
# of uploads :
3
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Troj.Spy-BAL.10128.2411.UNOFFICIAL
Create hunting rule

PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Zbot
Create hunting rule
Status:
Malicious
First seen:
2020-04-09 00:01:00 UTC
File Type:
PE (Dll)
AV detection:
24 of 31 (77.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ngzxuwzqitfrjkp4gjcaeexsilss6zl3smyg6s4qztgdbb7ni5zq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
096dda9c010522a17fbdbfda2caa8b3a3d88aecafd0287df082f2ca30fcc0e8a
ZLoader
19f90b17a6bcf1c80551ae576d0949d51df8b8e26437a3a8aa6d5d4d344440c4
ZLoader
2b5e50bc3077610128051bc3e657c3f0e331fb8fed2559c6596911890ea866ba
ZLoader
3e3fcbd20c7c3ab29be624b784fcee54589c78d80b97f3ffba776140b392bc19
ZLoader
55e122310b7893eb83b7b2e6077413fb60816ba0e4dee01f7f249b3a2f64a2da
ZLoader
8a581dba18ce5bc9819c559a8d9fec2591f6417fb563d630d71c23b8a99118bc
ZLoader
9e62cd00483118b0da443e30643f712bd93de44400c80361a369ad5c18128655
ZLoader
c0b72720ea048f69d5b11be9b0588952b5c5769fbabada15366d4b2eb4e72e1b
ZLoader
dffe08ed62a1fa304bba04af96dd54aee04140211093eade8548a4e667a53a42
ZLoader
ec0f8a5cc597e97224b6f32f462a1e97f10380c2c45ea31a89059c1d2c08a003
ZLoader
+ 38 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ZLoader

Excel file xls 273abeab1698c742b92475f54d9391ebd002af3b527ea721e0bf663684af1f60

ZLoader

DLL dll 69b37a5b3044cb14a9fc32440212f242e52f657b93306f4b90cccc3087ed4773

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/337196/
  
Dropped by
MD5 c71d71eb2acc28a4a65a18d611aa6132
  
Dropped by
SHA256 273abeab1698c742b92475f54d9391ebd002af3b527ea721e0bf663684af1f60
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::SetEntriesInAclA
ADVAPI32.dll::InitializeSecurityDescriptor
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::SetSecurityDescriptorDacl
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleA
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_SVC_APICan Manipulate Windows ServicesADVAPI32.dll::ControlService
ADVAPI32.dll::CreateServiceA
ADVAPI32.dll::RegisterServiceCtrlHandlerA
ADVAPI32.dll::StartServiceCtrlDispatcherA

Comments