MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2e73ee6ab0ad79e0cd537bd856d9e694851912283bca7fb73eb3fc335528353. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ZLoader

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	f2e73ee6ab0ad79e0cd537bd856d9e694851912283bca7fb73eb3fc335528353
SHA3-384 hash:	5376b259a1e77454aad3e4b7b54a26bc2cb1980591e39f48687d0d76b210c44cb6f10f9ad3ef97a90aafd8ea4afd1729
SHA1 hash:	19d51e298f43c00af96861f1f6ffaf39132a187d
MD5 hash:	1c48729a2cfa0b985e36818822858436
humanhash:	charlie-four-sixteen-stairway
File name:	a.dll
Download:	download sample
Signature	ZLoader Create hunting rule
File size:	463'360 bytes
First seen:	2020-04-17 16:25:48 UTC
Last seen:	2020-04-17 16:40:51 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	15b640fcb05bb05afbc2b524444e30a6 (1 x ZLoader)
ssdeep	6144:Y+IE4Q4Cz+Fq+al/2mtGyt+9YtPc5wnx8D9lC+uQcorwgy82+5yRGAE78:BtyFq1l/lEU+9YK5IGjbuQUgy8j2EI
Threatray	43 similar samples on MalwareBazaar
TLSH	9AA4F12177DAC075E2A36479ED2EF9624D09BCC00E246CE7F648E94A5D7F2E14A34C27
Reporter	abuse_ch
Tags:	dll ZLoader

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Generic.mg.1c48729a2cfa0b98.22496.UNOFFICIAL

PUA.Win.Downloader.Aiis-6803892-0

Gathering data

Threat name:

Win32.Trojan.Ursnif

Status:

Malicious

First seen:

2020-04-17 16:35:23 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

22 of 31 (70.97%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6ltt5zvlbllz4dgvg66yk3m6nfefdejcqo6kp63t5m74gnksqnjq._file

Verdict:

malicious

Label(s):

zloader

gozi

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ZLoader

DLL dll f2e73ee6ab0ad79e0cd537bd856d9e694851912283bca7fb73eb3fc335528353

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/342496/

https://twitter.com/DynamicAnalysis/status/1251163062628831239

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineA KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileA KERNEL32.dll::CreateFileW KERNEL32.dll::GetWindowsDirectoryA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample