MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d1774171175d150cc859a71fc56cd6a8132c9c679d3bd5c7f065126ed2a071e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ZLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0d1774171175d150cc859a71fc56cd6a8132c9c679d3bd5c7f065126ed2a071e
SHA3-384 hash: db8a804d515aea4e4f63ca35d59bdba86590bbf8e9595afc0f20f628bf9f912b885a5718a9b19655344f45a0c7a1b65d
SHA1 hash: 707ab78dab9cf2b5277e668eb1c59be42af6549f
MD5 hash: c247335cbbfc2f607e43773d8c1c0f4a
humanhash: nineteen-pip-winter-spaghetti
File name:1254515.dll
Download: download sample
Signature ZLoader
Create hunting rule
File size:863'232 bytes
First seen:2021-03-07 14:09:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 47bd16fd712f8b6c281695a4f8913039 (1 x ZLoader)
ssdeep 12288:pQm8flnW9OGreyhfHGtYOeQZOlR8O7Xb:pQzlnW9OGVfHGtWyInr
TLSH B805E65321B78C9DD06397F6EE4A4BE6E639EC217766DE732A54FCB06020482D9C7243
Reporter nao_sec
Tags:SpelevoEK ZLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
253
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1254515.exe
Verdict:
Malicious activity
Analysis date:
2021-03-07 13:47:46 UTC
Tags:
loader zloader
Link:
https://app.any.run/tasks/d61fd3da-f148-40c9-a75e-ffcc7c3eb81d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/122691/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.2306.7556.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Delayed reading of the file
Delayed writing of the file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/630627
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 364282 Sample: 1254515.dll Startdate: 07/03/2021 Architecture: WINDOWS Score: 56 30 Multi AV Scanner detection for submitted file 2->30 32 Machine Learning detection for sample 2->32 34 PE file has a writeable .text section 2->34 8 loaddll32.exe 1 2->8         started        process3 process4 10 cmd.exe 1 8->10         started        12 rundll32.exe 8 1 8->12         started        14 regsvr32.exe 8->14         started        process5 16 iexplore.exe 2 73 10->16         started        dnsIp6 22 192.168.2.1 unknown unknown 16->22 19 iexplore.exe 152 16->19         started        process7 dnsIp8 24 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49726, 49727 FASTLYUS United States 19->24 26 geolocation.onetrust.com 104.20.185.68, 443, 49716, 49717 CLOUDFLARENETUS United States 19->26 28 7 other IPs or domains 19->28
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0d1774171175d150cc859a71fc56cd6a8132c9c679d3bd5c7f065126ed2a071e/
Threat name:
Win32.Downloader.ZLoader
Create hunting rule
Status:
Malicious
First seen:
2021-03-07 14:10:08 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bulxifyroxivbteftjy7yvwnnkatfsogphj32xd7azisn3jka4pa._file
Result
Malware family:
zloader
Create hunting rule
Score:
  10/10
Tags:
family:zloader botnet:googleaktualizacija campaign:googleaktualizacija2 botnet trojan
Link:
https://tria.ge/reports/210307-b1bvt6avmj/
Behaviour
Suspicious use of WriteProcessMemory
Zloader, Terdot, DELoader, ZeusSphinx
Malware Config
C2 Extraction:
https://iqowijsdakm.com/gate.php
https://wiewjdmkfjn.com/gate.php
https://dksaoidiakjd.com/gate.php
https://iweuiqjdakjd.com/gate.php
https://yuidskadjna.com/gate.php
https://olksmadnbdj.com/gate.php
https://odsakmdfnbs.com/gate.php
https://odsakjmdnhsaj.com/gate.php
https://odjdnhsaj.com/gate.php
https://odoishsaj.com/gate.php
Unpacked files
SH256 hash:
0d1774171175d150cc859a71fc56cd6a8132c9c679d3bd5c7f065126ed2a071e
MD5 hash:
c247335cbbfc2f607e43773d8c1c0f4a
SHA1 hash:
707ab78dab9cf2b5277e668eb1c59be42af6549f
Link:
https://www.unpac.me/results/659ad442-664e-448e-a216-aa605d6e746b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0d1774171175d150cc859a71fc56cd6a8132c9c679d3bd5c7f065126ed2a071e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/122691/

Comments


Avatar
Rony commented on 2021-03-11 18:24:08 UTC

CAPE Payload Extraction: https://www.capesandbox.com/analysis/123861