MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1dda49ee9286f6c433dd46056c690d02d2e7dea1f96e01dbe148136891d01bbd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 1dda49ee9286f6c433dd46056c690d02d2e7dea1f96e01dbe148136891d01bbd
SHA3-384 hash: e6fa978604068af66ce8158254d36ed18701436464ccc462ea2ad75272d2b7ff9cfb1dc88e1b500d48c4911876121437
SHA1 hash: b785e3e416fe5a64dd518cefc1df2e8bb39e534e
MD5 hash: 3f5e18655426b5ffc62d65048187dfdc
humanhash: fish-oregon-april-double
File name: zloader 2_1.1.18.0.vir
Signature: ZLoader
File size: 283'136 bytes
First seen: 2020-07-19 17:22:40 UTC
Last seen: 2020-07-19 19:16:23 UTC
File type: DLL (dll)
MIME type: application/x-dosexec
imphash: d0883dbf35719dce4d7968ab9d3fd69a
ssdeep: 6144:7wKFfRUgx14SK2OyUGrHUw5JTBqmQPYUHeGgXUaOtsBV1RLA:77i+14SxCCHUwhVQAU7gkaGsb
TLSH: C654E071B91889B1F4260E74CC38E5D284A87D848B7085677AFA3E4FBF745C09D21B7A
Reporter: @tildedennis
Tags: ZLoader, zloader 2


Twitter
@tildedennis
zloader 2 version 1.1.18.0

Intelligence


File Origin
# of uploads: 2
# of downloads: 17
Origin country: US
Mail intelligence
No data
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name: ZLoader
Detection: malicious
Classification: troj.evad
Score: 72 / 100
Behaviour
Behavior Graph (ID: 247089)
Sample: zloader 2_1.1.18.0.vir
Startdate: 19/07/2020
Architecture: WINDOWS
Score: 72
Signatures on the submitted sample:
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for submitted file
  Yara detected ZLoader
  Machine Learning detection for sample
Process tree:
  loaddll32.exe (started)
    Network: 1.1.18.0 CLOUDFLARENETUS China
    rundll32.exe (started)
      Signature: Found potential dummy code loops (likely to delay analysis)
    rundll32.exe (started)
    rundll32.exe (started)
Threat name: Win32.Trojan.Kryptik
Status: Malicious
First seen: 2020-03-26 02:08:20 UTC
AV detection: 20 of 31 (64.52%)
Threat level: 2/5
Result
Malware family: zloader
Score: 10/10
Tags: trojan, botnet, family:zloader, persistence
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Adds Run key to start application
Aliases: Zloader, Terdot, DELoader, ZeusSphinx
Malware Config
Extraction: https://aquolepp.pw/milagrecf.php
Threat name: Unknown
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments