MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3428603e92a29c1d256f2d0d3c74d8dd9f8ea3eb7f56cc5204ce035395c1e3e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 3428603e92a29c1d256f2d0d3c74d8dd9f8ea3eb7f56cc5204ce035395c1e3e3
SHA3-384 hash: ae2f4574b816f61c6547e6cb8d5bfdc6c92f78a244462ee41338a67d774c6c3757214e79d2064fec0ae2f516194be665
SHA1 hash: b825619c830b8da429cc83f526d4b88867c6308f
MD5 hash: 97d3b83e66faa406dcc2ce87131edafc
humanhash: whiskey-coffee-video-solar
File name: zloader 2_1.0.11.1.vir
Signature: ZLoader
File size: 451'584 bytes
First seen: 2020-07-19 19:37:25 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 23218ebce6c3ad08ccfe066c07198368
ssdeep: 6144:P8xirOVecpRhPDnkSA36D/5u5QqB4/6UXiB4jkQ0tjNKM:/JmDnFA3e5u676AF4Fb
TLSH: 90A46A00A12AC578FAE541FA8FBA4DFCE71EE5E8830950C761D5D099626CBF53B37212
Reporter: @tildedennis
Tags: ZLoader zloader 2


Twitter (@tildedennis): zloader 2 version 1.0.11.1

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 18
Origin country: FR

Mail intelligence: No data

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Creating a window
  Unauthorized injection to a recently created process
  Connection attempt to an infection source

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 100 / 100
Behaviour
Behavior Graph:
Behavior Graph (graph image not reproduced): ID 247417, Sample: zloader 2_1.0.11.1.vir, Start date: 20/07/2020, Architecture: WINDOWS, Score: 100
  Graph signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Detected unpacking (changes PE section rights); 3 other signatures; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 2 other signatures; Injects a PE file into a foreign processes; Writes to foreign memory regions; Allocates memory in foreign processes
  Graph processes: zloader 2_1.0.11.1.exe, haeh.exe, msiexec.exe
  Graph network: isfjiaaodwsoi.com, ifjedssofllvcr.com, 1.0.11.1 (CLOUDFLARENETUS, China)
  Graph dropped file: C:\Users\user\AppData\Roaming\...\haeh.exe (PE32)
Result
Threat name: Win32.Trojan.Injector
Status: Malicious
First seen: 2020-01-16 07:34:00 UTC
AV detection: 25 of 31 (80.65%)
Threat level: 5/5

Result
Malware family: zloader
Score: 10/10
Tags: trojan botnet family:zloader persistence
Behaviour:
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Suspicious use of SetThreadContext
  Adds Run key to start application
Also known as: Zloader, Terdot, DELoader, ZeusSphinx
Malware Config
Extraction:
  https://ifjedssofllvcr.com/jbYm9bt/NlGkb4ivk.php
  https://isfjiaaodwsoi.com/jbYm9bt/NlGkb4ivk.php
  https://mslfiedjssfdes.com/jbYm9bt/NlGkb4ivk.php
  https://sifeiwdjiesde.com/jbYm9bt/NlGkb4ivk.php
  https://sldeodjiweiswi.com/jbYm9bt/NlGkb4ivk.php

Result
Threat name: Unknown
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments