MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26f356831f0c6b818a25114e232966ed68586c583128850b8680abdb860862fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ZLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 26f356831f0c6b818a25114e232966ed68586c583128850b8680abdb860862fd
SHA3-384 hash: 362b445d3205a67496ec0f94a628cad9c96fd6aa7ba86ea86552a3c9cbf73c55aea1f8d60e0d068e146a5aa7bf0738f7
SHA1 hash: 0ac21a2fa87bb2f379a5729885416435ba42fb4e
MD5 hash: ad01ca44bf634c79fa7358e3a5094fe8
humanhash: wolfram-kilo-moon-island
File name:9092.exe
Download: download sample
Signature ZLoader
Create hunting rule
File size:155'648 bytes
First seen:2022-01-06 10:52:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f26f5bea701561745dea20a33c88cd5f (2 x ZLoader, 1 x Gozi)
ssdeep 3072:H29+hIl2epp1P5GWp1icKAArDZz4N9GhbkrNEk1Zz:WwAZp0yN90QEC
Threatray 246 similar samples on MalwareBazaar
TLSH T1BFE3AE5263E500F6E4BA57B099F306835A31BCA29F7883EF1395959E0E336D0B932357
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter JoulK
Tags:exe ZLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
237
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9092.exe
Verdict:
No threats detected
Analysis date:
2022-01-06 11:04:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5fd6be37-6509-41b1-9937-87285c34d054

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/217544/
Detection(s):
SecuriteInfo.com.Trojan.Encoder.29362.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Searching for the window
Running batch commands
Creating a process with a hidden window
Launching a process
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %AppData% directory
Using the Windows Management Instrumentation requests
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/61d6ca14135d97804c0f34b7/reports/b7c72691-8a36-46b9-8e09-210131ac71dd/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c94486f2-e263-49d3-b4a2-23f1a157c6fe
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/916248
Signature
Antivirus detection for URL or domain
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 548726 Sample: 9092.exe Startdate: 06/01/2022 Architecture: WINDOWS Score: 80 24 Multi AV Scanner detection for domain / URL 2->24 26 Antivirus detection for URL or domain 2->26 28 Multi AV Scanner detection for dropped file 2->28 30 2 other signatures 2->30 7 9092.exe 1 3 2->7         started        9 rundll32.exe 2->9         started        process3 process4 11 cmd.exe 1 7->11         started        process5 13 powershell.exe 14 17 11->13         started        18 conhost.exe 11->18         started        dnsIp6 22 teamworks455.com 134.0.117.16, 443, 49722 AS-REGRU Russian Federation 13->22 20 C:\Users\user\AppData\Roaming\9092.dll, MS-DOS 13->20 dropped 32 Powershell drops PE file 13->32 file7 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/26f356831f0c6b818a25114e232966ed68586c583128850b8680abdb860862fd/
Threat name:
Win64.Trojan.Sleltasos
Create hunting rule
Status:
Malicious
First seen:
2021-12-26 13:59:31 UTC
File Type:
PE+ (Exe)
Extracted files:
36
AV detection:
9 of 28 (32.14%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
067e76900265c87d66a44f765bb720bd310e52181badf19efd63f30210f62001
ZLoader
3d030fbfbe328bc4f276d565854f89189094ddb46dc1c6d36e8e9a438227279f
ZLoader
46802842ff967e3810af08e372b0f969de57f2ed826498398c5367525fec0bc9
ZLoader
590e531489556cfb9de022bc52bce2489c3609e693209c59fdce5698c6fc0be3
ZLoader
5f5d1f324ed8dc18d76f200a176d40ab2ae48e336f33c2f7b5d047d682f3260a
ZLoader
81fe52e70e3f0562d02591313a49d2b353bedc557fcc09d3d6093160de68f3d0
ZLoader
92d30855da0de535afe7d2b432108880f5d3766767c09c493defcb6c05c10448
ZLoader
a3fa04d27872b1fea175ee7ca2665ee3b8384db4b6a93f8015cc47e6dddf757d
ZLoader
eb6b810f2cb85c0a1a028c53e4c346b3ec7601d1853758c3b8ce56eac6f96be8
ZLoader
+ 236 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:9092 banker persistence trojan
Link:
https://tria.ge/reports/220106-myzajabbf3/
Behaviour
Discovers systems in the same network
Enumerates processes with tasklist
Gathers system information
Runs net.exe
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Gozi, Gozi IFSB
Malware Config
C2 Extraction:
http://google.mail.com
http://392184281.com
http://592182812.com
https://392184281.com
https://592182812.com
http://google.login.com
https://194.67.90.217
https://134.0.118.44
https://134.0.119.89
http://194.67.90.217
http://134.0.118.44
http://134.0.119.89
iudsahbnmddsa.com
siadujhdnmasg.com
idsaujhdndkwq.com
Unpacked files
SH256 hash:
26f356831f0c6b818a25114e232966ed68586c583128850b8680abdb860862fd
MD5 hash:
ad01ca44bf634c79fa7358e3a5094fe8
SHA1 hash:
0ac21a2fa87bb2f379a5729885416435ba42fb4e
Link:
https://www.unpac.me/results/3f8cc63a-34a7-4c58-8b4a-5089f57f6792/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/26f356831f0c6b818a25114e232966ed68586c583128850b8680abdb860862fd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/217544/

Comments