MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8f848f137a23fe046b4701a67d07c8e7e1a8fdb066f318424caede7a1e69530. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ZLoader


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b8f848f137a23fe046b4701a67d07c8e7e1a8fdb066f318424caede7a1e69530
SHA3-384 hash: d05c37b45de02e493cc2b00a1457e70bccb67a513da6640961de23990cf9469fa45175bfdd267df394d6b16b0c6b106f
SHA1 hash: 9f3770c114956fb31d04ec3020fe4da03a8ac2d4
MD5 hash: 8c6810ccbf8b94ad18edabe648ffd504
humanhash: princess-texas-vermont-apart
File name:readme.exe
Download: download sample
Signature ZLoader
Create hunting rule
File size:356'352 bytes
First seen:2020-05-21 17:12:42 UTC
Last seen:2023-05-24 18:57:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3e2a18a21617b199cb1442f0d1af4d37 (1 x ZLoader)
ssdeep 6144:UMLeUFXXI8t9K/uN6qmhCaHA5DZNyI187cMsU5wgsbZv+:JesY8t9KQ6q9WAZNVOAzzr+
Threatray 71 similar samples on MalwareBazaar
TLSH BA749C01F3D0DB32D5170A368D6ED7A0AE29B911BF3512C323562E9E99F43E0562739B
Reporter JoulK
Tags:exe ZLoader

Intelligence

File Origin
# of uploads :
3
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Miner
Create hunting rule
Status:
Malicious
First seen:
2020-05-21 17:35:28 UTC
File Type:
PE (Exe)
Extracted files:
73
AV detection:
27 of 30 (90.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
06d9d2ca57a92038a7b2d221488fbca768c60f67709061782af105c3cddd2b5e
ZLoader
0ed8342c19d8ff14d83588ca91cc6b5ab6bd811de15f05e5497d62ba25e56365
ZLoader
1052af46484d7951eeeeb53dac926cc6a823bd324538950c48dfc4b2b35f830b
ZLoader
1ab928730305a69a52b7bd52726f07c89c37503b8302ee3edf19abc7d5a8e879
ZLoader
20dedbcf8f882c369ee43d576b08bf1f70a7a7022503c740f2acaa14b1b8da19
ZLoader
54a1f9c8f39feac2378a5e2221e95dc41167cd80d541f448e0ec3e347f183029
ZLoader
b4d9c31cb14ab80709bce2f48870c1f3f2d8296a1df648e4992be0b5501243fd
ZLoader
e05920f0682cee0b79556902689c698b5aee9e3f7c4a0e6ff0f85df3d31b3ce7
ZLoader
e7a131648548c52a2975c6ce4263919aad674e3f54c59539e7fb2ee40f3d8136
ZLoader
f5acccf9cda0f0ff2063de3983bc8964b9020d30feff2e3a8b20800d3c4fe034
ZLoader
+ 61 additional samples on MalwareBazaar
Result
Malware family:
zloader
Create hunting rule
Score:
  10/10
Tags:
family:zloader botnet:canadaloads campaign:spam botnet persistence trojan
Link:
https://tria.ge/reports/201109-kefnpvgfd6/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Zloader, Terdot, DELoader, ZeusSphinx
Malware Config
C2 Extraction:
https://23d8s23hs89j239sj23.com/jbYm9bt/NlGkb4ivk.php
https://3reh8rd23js9.com/jbYm9bt/NlGkb4ivk.php
https://4f394j89d3j4d89j34d.com/jbYm9bt/NlGkb4ivk.php
https://d823hrd9239sdj2.com/jbYm9bt/NlGkb4ivk.php
https://js823hs23js.com/jbYm9bt/NlGkb4ivk.php
https://oidjweidj34rd3.com/jbYm9bt/NlGkb4ivk.php
https://qwd8s3j8s23h8s.com/jbYm9bt/NlGkb4ivk.php
https://s28hs823hs823js.com/jbYm9bt/NlGkb4ivk.php
https://wd23h8qsh8qhs823qs.com/jbYm9bt/NlGkb4ivk.php
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_zloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments