MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 deac9f705c6ddd2795f31b9d55ace3f3de1e20de314b0c20f1a2e90fdf259cb2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ZLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: deac9f705c6ddd2795f31b9d55ace3f3de1e20de314b0c20f1a2e90fdf259cb2
SHA3-384 hash: d9c6407aad985ed11f3b3eba395b8642886ed6f835851be05daff6a0bdcd2708467a4529f2fe83b936480ac59dd68898
SHA1 hash: 0c53b71e52a382f2a920df2d80048b01616c62c4
MD5 hash: 93c0cd9a47c5c28335e773c1f451f200
humanhash: green-arkansas-item-idaho
File name:yfuvqe.dll
Download: download sample
Signature ZLoader
Create hunting rule
File size:398'336 bytes
First seen:2020-08-12 18:02:13 UTC
Last seen:2020-08-12 18:51:30 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash eec5ef169ae679a23648b4ebd5ff48c6 (1 x ZLoader)
ssdeep 6144:YqoPAIMMRa7OmHOQrzEGf7QaODWZlBSYIFBavsaxPODT:RoPA0eu64Gf72DGlBho8ED
Threatray 81 similar samples on MalwareBazaar
TLSH EF84B010AB91C038F1BA11F5757A87AC6A3C3EB08B7484CFA2D266EE15356F4AD30757
Reporter malware_traffic
Tags:dll Silent_Night ZLoader


Avatar
malware_traffic
Run method: regsvr32.exe /s [filename]

Intelligence

File Origin
# of uploads :
2
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Zloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/44387/
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/423521
Signature
(
)
.
a
b
c
D
e
f
g
h
I
k
l
m
n
o
r
S
t
u
w
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 264200 Sample: yfuvqe.dll Startdate: 13/08/2020 Architecture: WINDOWS Score: 48 31 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->31 9 loaddll32.exe 1 2->9         started        process3 process4 11 cmd.exe 1 9->11         started        13 regsvr32.exe 9->13         started        process5 15 iexplore.exe 14 83 11->15         started        dnsIp6 29 192.168.2.1 unknown unknown 15->29 18 iexplore.exe 5 151 15->18         started        process7 dnsIp8 23 pagead.l.doubleclick.net 172.217.168.66, 443, 49768, 49769 GOOGLEUS United States 18->23 25 id.rlcdn.com 35.244.245.222, 443, 49766, 49767 GOOGLEUS United States 18->25 27 17 other IPs or domains 18->27 21 ssvagent.exe 501 18->21         started        process9
Detection:
zloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/deac9f705c6ddd2795f31b9d55ace3f3de1e20de314b0c20f1a2e90fdf259cb2/
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-12 18:04:07 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=32wj64c4nxospfptdoovllhd6ppb4ig6gffqyihruluq7xzftsza._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
1db7ceb7b49279e858080a8bd589773871542d86fcca980365fb20eb1fbbc1bf
ZLoader
3326d4607b164078735ee55313992c18e83e6b87b75faf350b8c61a99eb2b659
ZLoader
3bf8fbdad095013493d1b90f5c82880dc57145dfbb54fdf225ded88ba6b1618b
ZLoader
3dd800b875aa0ef2fa0923babdd4b162555a1c3ff3c58e9291d45fff82389816
ZLoader
455c21fbac342659cd4b5cc162772117cce60f6b59f04dba0dd4327868a428eb
ZLoader
b715ce2fa69bc8384df1a4137b50bc30e05c0f3f557fe8608635744543b9976d
ZLoader
b7a306bd407cca438202bfb3b92abff60f959418c7fd129487a6510554ff5706
ZLoader
b8a7600b813dbd100629f8353a30592f21163319ab6229b1b46c2693483b2ae1
ZLoader
ca755b8915cb1025b4b5748e12cd7d3cbdccbcf90fd5986c911b066043d6d136
ZLoader
f28dd082013ee7df2f5956c4e8791e863e575aa64071af9a910826bc12d27acb
ZLoader
+ 71 additional samples on MalwareBazaar
Result
Malware family:
zloader
Create hunting rule
Score:
  10/10
Tags:
trojan botnet family:zloader
Link:
https://tria.ge/reports/200812-2qdn69qtce/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Suspicious use of NtCreateUserProcessOtherParentProcess
Zloader, Terdot, DELoader, ZeusSphinx
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Nymaim
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/deac9f705c6ddd2795f31b9d55ace3f3de1e20de314b0c20f1a2e90fdf259cb2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/44387/

Comments