MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f27183fd7586c6eaca1f6aaed3a7c3c6e52894e23b9656c3953318a85bbbec5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ZLoader

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	f27183fd7586c6eaca1f6aaed3a7c3c6e52894e23b9656c3953318a85bbbec5d
SHA3-384 hash:	a4d6bb012703e55e597e6fc1fa5be4840e7bb4281fe17bc404dbe0bd74ea1b240ee8c66d0e597fbf75d2014bf144fb3c
SHA1 hash:	cbba6022d8d3ee0395318980b6b202440f5e040c
MD5 hash:	0f93065241446192354ef110e45047d0
humanhash:	carpet-hydrogen-march-five
File name:	SecuriteInfo.com.Generic.mg.0f93065241446192.16251
Download:	download sample
Signature	ZLoader Create hunting rule
File size:	372'736 bytes
First seen:	2020-04-09 12:45:45 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	2577f2cf193fc75add086dfe65bc3c0d (3 x ZLoader)
ssdeep	6144:gzAILNLdvVA988yVzjtSYnYFNcE2mzWHRYLk1KZELZkwhg2x9xbYn4g2zlw:gLZ6lyVJn4NjzW9wZELOqc4g
Threatray	78 similar samples on MalwareBazaar
TLSH	6F8402283FA78073D802D97992E603E56E7D58C32AB94457AFD4EEDC7274CD912293B0
Reporter	SecuriteInfoCom
Tags:	ZLoader

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Generic.mg.0f93065241446192.16251.UNOFFICIAL

PUA.Win.Downloader.Aiis-6803892-0

Gathering data

Threat name:

Win32.Trojan.Jxtaigo

Status:

Malicious

First seen:

2020-04-09 10:34:15 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

21 of 31 (67.74%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6jyyh7lvq3dovsq7nkxnhj6dy3ssrfhcholfnq4vgmmkqw535roq._file

Verdict:

malicious

Label(s):

zloader

gozi

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ZLoader

DLL dll f27183fd7586c6eaca1f6aaed3a7c3c6e52894e23b9656c3953318a85bbbec5d

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/337196/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::AllocateAndInitializeSid ADVAPI32.dll::FreeSid ADVAPI32.dll::InitializeSecurityDescriptor
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::SetSecurityDescriptorDacl ADVAPI32.dll::SetSecurityDescriptorGroup ADVAPI32.dll::SetSecurityDescriptorOwner
WIN32_PROCESS_API	Can Create Process and Threads	ADVAPI32.dll::OpenProcessToken ADVAPI32.dll::OpenThreadToken KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetStartupInfoA KERNEL32.dll::GetCommandLineA
WIN_BASE_USER_API	Retrieves Account Information	ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExA ADVAPI32.dll::RegDeleteKeyA ADVAPI32.dll::RegOpenKeyA ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegQueryValueExA ADVAPI32.dll::RegSetValueExA
WIN_SVC_API	Can Manipulate Windows Services	ADVAPI32.dll::OpenSCManagerA ADVAPI32.dll::OpenServiceA ADVAPI32.dll::QueryServiceStatus ADVAPI32.dll::RegisterServiceCtrlHandlerA ADVAPI32.dll::StartServiceCtrlDispatcherA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample