MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04dc453eef135fdf917b2cfd671246cc9d4273f7c9c770fad407ef714bed02dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 04dc453eef135fdf917b2cfd671246cc9d4273f7c9c770fad407ef714bed02dc
SHA3-384 hash: 51d34b02e4d54473e1d69fa5c240c6caa6c52a0b3cc8234645a0358f59627975aa6a2c846b035410e1d69631dd22e50b
SHA1 hash: 3a43fcba90ce677ddcf5d134e810d1954671b29d
MD5 hash: 126dc987935804de8ceb101ae29c4922
humanhash: three-shade-three-double
File name: zloader_1.15.0.0.vir
Signature: Chthonic
File size: 229'828 bytes
First seen: 2020-07-19 19:23:21 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 07ba8658123c37047bc78595c8d71dc5
ssdeep: 3072:sLtRzMQIw7N+R4/SbGCHDGVsakIA9bzS+dvpKptMKnbsBhY7Pd:YH4P/MSFHDGVsdIA9bzDdsptLnbsDi
TLSH: 6F24E0546D930857F5914D76D7EE8BC29DBE6C17374320AFC780382C10B87897AA1EBA
Reporter: @tildedennis
Tags: Chthonic, ZLoader


Twitter
@tildedennis
zloader version 1.15.0.0

Intelligence


File Origin
# of uploads: 1
# of downloads: 16
Origin country: US
Mail intelligence
No data
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour:
  Creating a window
  Unauthorized injection to a recently created process
  Connection attempt to an infection source
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 100 / 100
Behaviour
Behavior Graph (ID 247245; sample zloader_1.15.0.0.vir; start date 20/07/2020; architecture WINDOWS; score 100)
Sample-level signatures:
  Antivirus / Scanner detection for submitted sample
  Multi AV Scanner detection for submitted file
  Sigma detected: Drops script at startup location
  Machine Learning detection for sample
Process tree with per-process signatures and artifacts:
  zloader_1.15.0.0.exe
    DNS/IP: 1.15.0.0 (CLOUDFLARENETUS, China)
    Tries to detect sandboxes / dynamic malware analysis system (file name check)
    Contain functionality to detect virtual machines
    Contains functionality to inject code into remote processes
    4 other signatures
    cmd.exe
      dropped: C:\Users\user\AppData\Roaming\...\x.vbs, ASCII
      Command shell drops VBS files
      Drops VBS files to the startup folder
      conhost.exe
    zloader_1.15.0.0.exe
    zloader_1.15.0.0.exe
    31 other processes
  wscript.exe
    zloader_1.15.0.0.exe
      Tries to detect sandboxes / dynamic malware analysis system (file name check)
      Writes to foreign memory regions
      Allocates memory in foreign processes
      2 other signatures
      cmd.exe
        conhost.exe
Threat name: Win32.Trojan.Injector
Status: Malicious
First seen: 2017-01-27 21:07:47 UTC
AV detection: 28 of 31 (90.32%)
Threat level: 2/5
Result
Malware family: n/a
Score: 8/10
Tags: upx
Behaviour:
  Suspicious use of AdjustPrivilegeToken
  Suspicious behavior: MapViewOfSection
  Suspicious use of SetWindowsHookEx
  Suspicious use of WriteProcessMemory
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of SetThreadContext
  Program crash
  Drops startup file
  UPX packed file
Threat name: Unknown
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments