MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca1b4e983030b69980269bb1335ba3baad6870024f564495ef99f5b98e4d07d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ZLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca1b4e983030b69980269bb1335ba3baad6870024f564495ef99f5b98e4d07d3
SHA3-384 hash: fc43000dabfe2ad768e827a80969b16525000698a8a4908e0628cb37cea336ffc192c7ed9c1e39ad259433dd75690a45
SHA1 hash: 1fe422d59e004dbddfcd0529cdaa261302672bb9
MD5 hash: f43f52bd2169e602979539ebd3ea3013
humanhash: cola-yellow-magazine-crazy
File name:spa.dll
Download: download sample
Signature ZLoader
Create hunting rule
File size:311'128 bytes
First seen:2020-06-25 06:56:48 UTC
Last seen:2020-06-25 07:39:56 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash eb5012795a3efc7b72972894ed9ba4de (1 x ZLoader)
ssdeep 3072:p73VN/OHOmOp3GN2e3nXHh5gnlpecmZcy06g32ZkYT7trQH4PtvMC88/m72N:xVN/cVk62eX3Inrq+732ZkYTaMkCkqN
Threatray 85 similar samples on MalwareBazaar
TLSH 0464E045512F443FEC8AA7B2B4D8E5BB4D154CBA2BECB29AD78161E878C437412316CF
Reporter abuse_ch
Tags:dll ZLoader


Avatar
abuse_ch
Malspam distributing ZLoader:

HELO: smtp4.hiworks.co.kr
Sending IP: 121.254.168.203
From: Country government <ajm@jwsn.co.kr>
Subject: Leave a review confidentially about Whose Lives Matter
Attachment: inv_281.xls

ZLoader payload URL:
https://newhopedream.com/spa.dll

ZLoader C2:
axisbasis.xyz

Intelligence

File Origin
# of uploads :
2
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/13950/
Detection(s):
SecuriteInfo.com.Mal.Cerber-AL.20423.7473.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Detection:
zloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ca1b4e983030b69980269bb1335ba3baad6870024f564495ef99f5b98e4d07d3/
Gathering data
Verdict:
malicious
Label(s):
zloader
Create hunting rule
Similar samples:
00272dd639402fa76db43207d074fe52d4849e5d46008f786b944a789b09afc2
ZLoader
02846dbf25b333625a0720075fb47da62a946e5b0b4f9e9ba14cef514d576b37
ZLoader
0829886e0ca34a32fa545e0a53d7a2208d963b7b826a14aefde94d9ff4f549e5
ZLoader
23843640cfae43671a48b17dc4fe585a8e37e3767039f82448077c5b54694a57
ZLoader
3712c1a9e9ab864ee28897d0802179db4a2f664f61629f1154437640be377530
ZLoader
5557fd15d615f360af1aefa6a7e2bed3382e26bdabb08d7e5a8f0f9387449f3a
ZLoader
8a07427bbf6b92d273580d2806da69c0059aa574a63dad2bd061445c985d67be
ZLoader
badc87166cc28491dcae0164e7dc027aeb4b98eea5f765f776f58d8683cdec6a
ZLoader
c653365657fbf65429ad845d0a0d93106e972aca929739560ff4b4796bd2be08
ZLoader
eecaf5677c5c21d268261eef35a819549dda3c454e9b60e368070aa3bfd2f54c
ZLoader
+ 75 additional samples on MalwareBazaar
Result
Malware family:
zloader
Create hunting rule
Score:
  10/10
Tags:
trojan botnet family:zloader
Link:
https://tria.ge/reports/200625-11g7rldl8a/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Zloader, Terdot, DELoader, ZeusSphinx
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ZLoader

Excel file xls 815d71524ed41e28a38222c821ce848ae6e6b925c0ea620d5bdc1aa66e58fa73

ZLoader

DLL dll ca1b4e983030b69980269bb1335ba3baad6870024f564495ef99f5b98e4d07d3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/401891/
  
Dropped by
MD5 9f0fbc1d2351ee426c0c715bb9688612
  
Dropped by
SHA256 815d71524ed41e28a38222c821ce848ae6e6b925c0ea620d5bdc1aa66e58fa73
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/13950/

Comments