MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c44e8d9dba3b4a4cc835b460e69d336347fd3fbfb67621d7cd6e8723976607ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ZLoader

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	c44e8d9dba3b4a4cc835b460e69d336347fd3fbfb67621d7cd6e8723976607ce
SHA3-384 hash:	22314530ee191b7a5646e5165da32edfacc1a69d68f7ea49730dc65cccca51ebc70f5d6dd66b371c3450e2f43df5b6d8
SHA1 hash:	5968af5712ed674222f202e852fc7c701f53675d
MD5 hash:	0902d2d1c81c2118e5ab65b8641bd3ed
humanhash:	butter-alanine-aspen-enemy
File name:	april8.dll
Download:	download sample
Signature	ZLoader Create hunting rule
File size:	372'736 bytes
First seen:	2020-04-09 14:13:48 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	2577f2cf193fc75add086dfe65bc3c0d (3 x ZLoader)
ssdeep	6144:gzAILNLdvVA988yVzjtSYnYlNcE2mzWHRYLk1KZELZkwhg2x9xbYn4g2zlw:gLZ6lyVJn4NjzW9wZELOqc4g
Threatray	78 similar samples on MalwareBazaar
TLSH	9E8402283FA78073D802D97992E603E56E7D58C32AB94457AFD4EEDC7274CD912293B0
Reporter	James_inthe_box
Tags:	dll ZLoader

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Downloader.Aiis-6803892-0

Gathering data

Threat name:

Win32.Trojan.Genkryptik

Status:

Malicious

First seen:

2020-04-09 14:13:33 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

21 of 31 (67.74%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=yrhi3hn2hnfezsbvwrqonhjtmnd72p57wz3cdv6nn2dshf3ga7ha._file

Verdict:

malicious

Label(s):

zloader

gozi

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

URLhaus

https://urlhaus.abuse.ch/url/337196/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::AllocateAndInitializeSid ADVAPI32.dll::FreeSid ADVAPI32.dll::InitializeSecurityDescriptor
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::SetSecurityDescriptorDacl ADVAPI32.dll::SetSecurityDescriptorGroup ADVAPI32.dll::SetSecurityDescriptorOwner
WIN32_PROCESS_API	Can Create Process and Threads	ADVAPI32.dll::OpenProcessToken ADVAPI32.dll::OpenThreadToken KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetStartupInfoA KERNEL32.dll::GetCommandLineA
WIN_BASE_USER_API	Retrieves Account Information	ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExA ADVAPI32.dll::RegDeleteKeyA ADVAPI32.dll::RegOpenKeyA ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegQueryValueExA ADVAPI32.dll::RegSetValueExA
WIN_SVC_API	Can Manipulate Windows Services	ADVAPI32.dll::OpenSCManagerA ADVAPI32.dll::OpenServiceA ADVAPI32.dll::QueryServiceStatus ADVAPI32.dll::RegisterServiceCtrlHandlerA ADVAPI32.dll::StartServiceCtrlDispatcherA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample