MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd84bd6db3500e786976d5c10fd2388a46dd5c34f79abd5dff624b9a568637aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ZLoader


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd84bd6db3500e786976d5c10fd2388a46dd5c34f79abd5dff624b9a568637aa
SHA3-384 hash: d0efb6b2ba137c95dce7e6bc8d88a4d8a4aabab4697b3e965a251aea318b55e232686d932e2f88a6b0cfb175e4bebef4
SHA1 hash: f015e16c3847edd004aba53f358fe43b28c4f818
MD5 hash: 33a58437b5bc8f91e08960d2faa5f559
humanhash: burger-indigo-low-alabama
File name:june29.dll
Download: download sample
Signature ZLoader
Create hunting rule
File size:586'752 bytes
First seen:2020-06-29 15:36:03 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 5293dcd1195993f36858cd07a7835c3f (1 x ZLoader)
ssdeep 12288:wqZWueyN5dS3ioH+5hM+2lraLDjxBRQPe1ZFeg7fQ5om6tc:wqZreyN5derQ/bRrZFdkM
Threatray 149 similar samples on MalwareBazaar
TLSH 9EC49E10B790D039F5BF01F59A76D1AE99387D60AB2488CBB7C52E9F5A24AD0ED30713
Reporter abuse_ch
Tags:dl ZLoader


Avatar
abuse_ch
Malspam distributing ZLoader:

HELO: mailout12.t-online.de
Sending IP: 194.25.134.22
From: Danyel Hardegree <fabian.hoenig@t-online.de>
Subject: Job Application
Attachment: Danyel Resume.xlsm

ZLoader payload URL:
http://205.185.125.104/files/june29.dll

ZLoader C2s:
http://snnmnkxdhflwgthqismb.com/web/post.php
http://nlbmfsyplohyaicmxhum.com/web/post.php
http://softwareserviceupdater1.com/web/post.php
http://softwareserviceupdater2.com/web/post.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/16426/
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Detection:
zloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dd84bd6db3500e786976d5c10fd2388a46dd5c34f79abd5dff624b9a568637aa/
Threat name:
Win32.Trojan.ZLoader
Create hunting rule
Status:
Malicious
First seen:
2020-06-29 15:37:04 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3wcl23ntkahhq2lw2xaq7uryrjdn2xbu66nl2xp7mjfzuvugg6va._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
zloader
Create hunting rule
Similar samples:
26c6d799dffff9bc1a4a8eb24204bd91e4f1694014ba0d6557a0e3e20e64608e
ZLoader
280fedf6fd7e0964222ac9b21bcc289c222c7ea91d7bad6350741bdf8c1f0938
ZLoader
29c222f82d9db373ee755ac832c22540afb8f8708eafe8e96266a02b80759066
ZLoader
42bb5eae534eb2cea979c300b797a65febf291b28aea0b9d8bbea7d0a41bffa2
ZLoader
a81932797aa7e6324dc3390718163035c75620e6a0fa29c146c13c33b654a283
ZLoader
a97b7b2353dc9012b6cb914f6665d0e93f557859411d2e08b942316c09d7b07f
ZLoader
b8cef342a47915615a35aab7333567db7c86570d4d3362470e19b6d0b3dab1af
ZLoader
c8b452572f409a7d0752734334371c900983c8e15cbf8299bda7fe7a33a1047e
ZLoader
df2524f89b7247e931a13644d2c00bbc94095eb8e4755a9db2421bd46f365f7c
ZLoader
f84e08a4d83f63cb37f7117f401c242ecbd3ebbd6b7a12fb99332bcf5950f803
ZLoader
+ 139 additional samples on MalwareBazaar
Result
Malware family:
zloader
Create hunting rule
Score:
  10/10
Tags:
persistence trojan botnet family:zloader
Link:
https://tria.ge/reports/200629-evyae4waax/
Behaviour
Discovers systems in the same network
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Modifies service
Suspicious use of SetThreadContext
Blacklisted process makes network request
Zloader, Terdot, DELoader, ZeusSphinx
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_unidentified_023_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ZLoader

Excel file xlsm b68f3d5500df3f8de0527d08e4bcacedd23a6d6d8da246dec168696bd4caaa03

ZLoader

DLL dll dd84bd6db3500e786976d5c10fd2388a46dd5c34f79abd5dff624b9a568637aa

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/403296/
  
Dropped by
MD5 08ce993617e54d478ba33852b1428443
  
Dropped by
SHA256 b68f3d5500df3f8de0527d08e4bcacedd23a6d6d8da246dec168696bd4caaa03
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/16426/

Comments