MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02846dbf25b333625a0720075fb47da62a946e5b0b4f9e9ba14cef514d576b37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ZLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02846dbf25b333625a0720075fb47da62a946e5b0b4f9e9ba14cef514d576b37
SHA3-384 hash: d0b55affb30837a8a072df823ac92eff4072f226da6c44678bfc3e7cd4d0e73d58f4fbf72b90f5c16735860f98cea339
SHA1 hash: 384f07648c732cd9490b7d3bff41ce5a0911b138
MD5 hash: 7bebb1b85a609733df0b3205406723bb
humanhash: moon-florida-skylark-beryllium
File name:cYNhXOc.dll
Download: download sample
Signature ZLoader
Create hunting rule
File size:520'192 bytes
First seen:2020-07-28 23:07:02 UTC
Last seen:2020-07-30 10:55:54 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 86c1e0a461193fe42a57cf189b0c274d (1 x ZLoader)
ssdeep 6144:pThNEjn8Y+DbK916qEs+9RE3ZiK8jhUIBJawdcM+G7z7oqlpQYkYXlcYS:Zbg8Y+Db7qEs+MJZChUIBMvZA1kGd
Threatray 106 similar samples on MalwareBazaar
TLSH BEB45C21BBA0C422F976177488F3C694B1B97DC58B75C2CBB0C62D6F292B6E19D70346
Reporter malware_traffic
Tags:dll ZLoader

Intelligence

File Origin
# of uploads :
3
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34049/
Detection(s):
PUA.Win.Packer.PrivateExeProte-11
Create hunting rule

PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/401053
Signature
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 252653 Sample: cYNhXOc.dll Startdate: 29/07/2020 Architecture: WINDOWS Score: 56 26 g.msn.com 2->26 28 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->28 30 Multi AV Scanner detection for submitted file 2->30 9 loaddll32.exe 1 2->9         started        signatures3 process4 process5 11 cmd.exe 1 9->11         started        13 regsvr32.exe 9->13         started        process6 15 iexplore.exe 12 85 11->15         started        process7 17 iexplore.exe 5 144 15->17         started        dnsIp8 20 edge.gycpi.b.yahoodns.net 87.248.118.22, 443, 49763, 49764 YAHOO-DEBDE United Kingdom 17->20 22 pagead.l.doubleclick.net 172.217.18.162, 443, 49746, 49747 GOOGLEUS United States 17->22 24 19 other IPs or domains 17->24
Detection:
zloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/02846dbf25b333625a0720075fb47da62a946e5b0b4f9e9ba14cef514d576b37/
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-28 23:08:07 UTC
File Type:
PE (Dll)
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
zloader
Create hunting rule
Similar samples:
213ccc660b77060313c9842e1d2d0215b5909235d54140daa21f0110c50e4715
ZLoader
414bb1af4fbb618c4889d69144c7f66591c6e5294d0ab3b7ea8b774946977cf2
ZLoader
5013dc9e2ddbe9ddd90af638466379f876b70ebe504d62e72ed166480a4d4f83
ZLoader
701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e
ZLoader
a8c452946e291216b7bba41b8e7f9a3eb5ee9178c9559e4b5017ed832d90b94f
ZLoader
e39fd52523f742331dc20ee90a051e456561481ef4c360a40ffaac292cb6c37b
ZLoader
e3f6a7a2d6628adf2956c3c1f387c2bd178b48e170a71368ae3e7f8c20b8e213
ZLoader
e43fb62c12fcf1be9f9982e81a59350a8f9dd2389198c0b332cef832a63aac0f
ZLoader
e920835548ad7b62943d9e1f9fac3cb32112b9cf8c02acbeb8d60c17e08c0818
ZLoader
e93b9a00886b7a569dc09337361d246c4ac74d3a061579ea4ad33b9ad19f7bde
ZLoader
+ 96 additional samples on MalwareBazaar
Result
Malware family:
zloader
Create hunting rule
Score:
  10/10
Tags:
trojan botnet family:zloader persistence spyware
Link:
https://tria.ge/reports/200728-dgaye9ycja/
Behaviour
Gathers network information
Runs net.exe
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Discovers systems in the same network
Suspicious use of SetThreadContext
Modifies service
Reads user/profile data of web browsers
Blacklisted process makes network request
Suspicious use of NtCreateUserProcessOtherParentProcess
Zloader, Terdot, DELoader, ZeusSphinx
Malware Config
C2 Extraction:
https://vlcafxbdjtlvlcduwhga.com/web/post.php
https://softwareserviceupdater3.com/web/post.php
https://softwareserviceupdater4.com/web/post.php
2b4@jfhu#sd43fd!42d
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/02846dbf25b333625a0720075fb47da62a946e5b0b4f9e9ba14cef514d576b37

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ZLoader

DLL dll 02846dbf25b333625a0720075fb47da62a946e5b0b4f9e9ba14cef514d576b37

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/421154/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/34049/

Comments