MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d63088780e90eda6a7ce286d6b190614f0ea6f1f55c6e6e9d6a30260eb84d03c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ZLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d63088780e90eda6a7ce286d6b190614f0ea6f1f55c6e6e9d6a30260eb84d03c
SHA3-384 hash: f155ec3fb4be81734b7c31fb40042e297580c2adf2e8d352f2436cd5f1cda71f8d10d51c42fe204aa4cd2fffdbc10049
SHA1 hash: 976c70ede8d10e825cb9e5bd5da0dd2a251bd0e8
MD5 hash: f40160b2cfe0667cb4010a400a835a06
humanhash: seventeen-four-winner-mountain
File name:april23.dll
Download: download sample
Signature ZLoader
Create hunting rule
File size:431'104 bytes
First seen:2020-04-23 13:23:46 UTC
Last seen:2020-04-23 15:54:44 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 5cb6c9b4e8a3c623ad37024a14b16a33 (3 x ZLoader, 1 x Gozi)
ssdeep 6144:tZXN7Sgy8WA3gha780p2F2V6voOy5Gn7n0O8N5WYeXmseY1rmWd2KWJ:tjSgyhA30a78rQqIN5te20qWd2KWJ
Threatray 37 similar samples on MalwareBazaar
TLSH 9494AE0076A0C5AAE4B86877DE14D9FC85593C64CF70A8973AD0BF1F7F703E19626A21
Reporter abuse_ch
Tags:dll ZLoader


Avatar
abuse_ch
Malspam campaign sent from Sendgrid mailserver, distributing ZLoader:

HELO: xvfrpbcd.outbound-mail.sendgrid.net
Sending IP: 168.245.59.205
From: John Jamson <ben@letsconstellate.com>
Attachment: John Jamson.xls

ZLoader payload URL:
http://gveejlsffxmfjlswjmfm.com/files/april23.dll

Intelligence

File Origin
# of uploads :
2
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/2007/
Detection(s):
SecuriteInfo.com.Generic.mg.f40160b2cfe0667c.9428.UNOFFICIAL
Create hunting rule

PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Zload
Create hunting rule
Status:
Malicious
First seen:
2020-04-23 13:35:32 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
23 of 31 (74.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2yyiq6aosdw2nj6ofbwwwgigctyou3y7kxdon2owumbgb24e2a6a._file
Verdict:
malicious
Label(s):
zloader
Create hunting rule
gozi
Create hunting rule
Similar samples:
0b8585bcbc29e0a8f25118bc695cade9fed7a4676f3ea471bf08c869d8c85b63
ZLoader
372bae872e2a2180f04ff14f8fb9f769d733cb4608d37e2bf6e61fee5d396018
ZLoader
3b4b2c5c8a00fab59684fee37b54912c58682022e2dc4e3dcd24b6e58533ecd9
ZLoader
4553d627f2509e19e9b84491c08ec9854d785df4f74e900b969c57ccd244c086
ZLoader
8aa25ae29c5eeb062b5ae8cf48b5f1381d73298f61ebea9563bcb4f253446065
ZLoader
915fcafe990b9110a4e0994d37f8beda66e80aba5174e686bc1d4de13836a7df
ZLoader
a47685b867e6b164a812a05f35b6732c9b81f1fc75b2a7242c18436a9329d247
ZLoader
c44e8d9dba3b4a4cc835b460e69d336347fd3fbfb67621d7cd6e8723976607ce
ZLoader
cc87e6581ca91f941f65332b2de0e681d58491b54aff9d0b30afae828a5f5790
ZLoader
ee304588666deeca692b1b03be4b69ff4fd5484334ba9d5ea8da8d8ae2464fb7
ZLoader
+ 27 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ZLoader

Excel file xls 49ed0e7aed118c46daed37f7d0eb62ab111cf6f9ab295b4b165ce82585539908

ZLoader

DLL dll d63088780e90eda6a7ce286d6b190614f0ea6f1f55c6e6e9d6a30260eb84d03c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/348852/
  
Dropped by
MD5 228003634e57d37f08787be02c0b6c14
  
Dropped by
SHA256 49ed0e7aed118c46daed37f7d0eb62ab111cf6f9ab295b4b165ce82585539908
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/2007/
Cape
Cape
https://www.capesandbox.com/analysis/2006/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::RemoveDirectoryA
KERNEL32.dll::GetTempPathA

Comments