MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ead77594bc7d6fb376764fad896f830955a1ac70155c0f9feb42299f5c788a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry
Signature: ZLoader
Vendor detections: 8



SHA256 hash: 2ead77594bc7d6fb376764fad896f830955a1ac70155c0f9feb42299f5c788a9
SHA3-384 hash: f577f39452cb13c12b871bdff84c4ef2638f51e6d52736db786c9baac4e88eef43b6d7a359fc4bf6b6045b13498ace58
SHA1 hash: bc6bc3a617091a5f13dcfe134b3a55d19e8f77e6
MD5 hash: 20a3b044b6d1b39051e35269e6590c0b
humanhash: aspen-fix-magazine-twelve
File name: Mqbmupv_Signed_.exe
Signature: ZLoader
File size: 501'768 bytes
First seen: 2020-09-21 14:23:58 UTC
Last seen: 2020-09-21 14:51:07 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 228d6011beba975d831c7dd153cc76d9 (1 x ZLoader)
ssdeep: 12288:snlZ1Mo6tBT4M0nlcJlMV4VEa52GeBKEOV59O:slZytBT4fKVa52w
TLSH: 93B48E27B2E08437D1633A789D0B976D9D36BE403D3868462BF82D4C9F39781752B297
Reporter: James_inthe_box
Tags: exe

Code Signing Certificate

Organisation: Symantec Time Stamping Services CA - G2
Issuer: Thawte Timestamping CA
Algorithm: sha1WithRSAEncryption
Valid from: Dec 21 00:00:00 2012 GMT
Valid to: Dec 30 23:59:59 2020 GMT
Serial number: 7E93EBFB7CC64E59EA4B9A77D406FC3B
Intelligence: 85 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 0625FEE1A80D7B897A9712249C2F55FF391D6661DBD8B87F9BE6F252D88CED95
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 90
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Launching a process
Creating a file
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching cmd.exe command interpreter
Creating a file in the %temp% directory
Deleting a recently created file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Detected FormBook malware
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph (ID 288093; rendered graph, reconstructed here as a process tree)
Sample: Mqbmupv_Signed_.exe
Start date: 21/09/2020
Architecture: WINDOWS
Score: 100
Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 4 other signatures

Process tree (node numbers in brackets are those of the graph):
Mqbmupv_Signed_.exe [9]
  network: cdn.discordapp.com (162.159.129.233, ports 443, 49724; CLOUDFLARENETUS, United States)
  dropped: C:\Users\user\AppData\Local\Mqbmnet.exe (PE32)
  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
  -> ieinstal.exe [14] (started)
       signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
       -> explorer.exe [19] (injected)
            network: thelocaladda.com (34.102.136.180, ports 49754, 49755, 49756; GOOGLEUS, United States); www.kingofinvest.com (52.58.78.16, ports 49757, 49758, 49759; AMAZON-02US, United States); www.thelocaladda.com
            signatures: System process connects to network (likely due to code injection or exploit)
            -> ipconfig.exe [27] (started)
                 dropped: C:\Users\user\AppData\...\9M5logrv.ini (data); C:\Users\user\AppData\...\9M5logri.ini (data)
                 signatures: Detected FormBook malware; Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc); 2 other signatures
            -> Mqbmnet.exe [31] (started)
                 network: 162.159.134.233 (ports 443, 49739; CLOUDFLARENETUS, United States); cdn.discordapp.com
                 signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
                 -> ieinstal.exe [42] (started)
                      signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique
            -> control.exe [34] (started)
                 signatures: Tries to detect virtualization through RDTSC time measurements
            -> 2 other processes [40] (started)
                 network: 162.159.135.233 (ports 443, 49741; CLOUDFLARENETUS, United States); cdn.discordapp.com
                 -> ieinstal.exe [45] (started)
  -> notepad.exe [17] (started)
       -> cmd.exe [23] (started) -> conhost.exe [36] (started)
       -> cmd.exe [25] (started) -> conhost.exe [38] (started)
Result
Threat name: Win32.Trojan.Delf
Status: Malicious
First seen: 2020-09-21 00:39:03 UTC
File Type: PE (Exe)
Extracted files: 47
AV detection: 25 of 29 (86.21%)
Threat level: 5/5
Verdict: malicious
Label(s): formbook
Result
Malware family: modiloader
Score: 10/10
Tags: family:modiloader
Behaviour
ModiLoader First Stage
Modiloader family
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other
