MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35466f0c22f220890b932e59f9a21032712e8260343d13ad4c0d9560db3b638f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ZLoader

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	35466f0c22f220890b932e59f9a21032712e8260343d13ad4c0d9560db3b638f
SHA3-384 hash:	e8eebda5d0394ca12d8083944054ad9d41dbb560d58fb0e07158addd018f4a0a145e716ef78820314ffb5890d0658e3f
SHA1 hash:	1a71166669aa8810474fcb6700851175c643bd30
MD5 hash:	b8486dcef44c59a2652378724ef2a995
humanhash:	jersey-music-artist-red
File name:	wp-scan.php
Download:	download sample
Signature	ZLoader Create hunting rule
File size:	375'808 bytes
First seen:	2020-12-08 15:20:20 UTC
Last seen:	2020-12-08 20:06:24 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	47724f891c031e789968f75687614f02 (1 x ZLoader)
ssdeep	6144:H/rs7KFkpytlvsoL8nq4EupwBauULEDZ6OsV4SETZyyBWbM:frqKO8tKWpLBauU4DZ6OQdETZJBWA
Threatray	1 similar samples on MalwareBazaar
TLSH	5D84D052F9E0E039E72D52301C66EDB407A6FC006BACF99F33DD1E5F5291692B522389
Reporter	JasonMilletary
Tags:	ZLoader

Intelligence

File Origin

# of uploads :

# of downloads :

167

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/107283/

Detection(s):

SecuriteInfo.com.Generic.mg.b8486dcef44c59a2.19408.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file in the %AppData% subdirectories

Creating a window

DNS request

Sending a custom TCP request

Creating a file

Unauthorized injection to a system process

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

suspicious

Classification:

evad

Score:

28 / 100

Link:

https://www.joesandbox.com/analysis/558081

Signature

Contains functionality to inject code into remote processes

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/35466f0c22f220890b932e59f9a21032712e8260343d13ad4c0d9560db3b638f/

Verdict:

malicious

Label(s):

zloader

ZLoader

Result

Malware family:

zloader

Score:

10/10

Tags:

family:zloader botnet:nut campaign:08/12 botnet trojan

Link:

https://tria.ge/reports/201208-yz49cc2412/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Blocklisted process makes network request

Zloader, Terdot, DELoader, ZeusSphinx

Malware Config

C2 Extraction:

https://nature4health.id/wp-punch.php
https://maschuquisaca.tk/wp-punch.php
https://serproimsas.com/wp-punch.php
https://agrospas.co.rs/wp-punch.php
https://fnxcrypto.com/server.php
https://lywakelireal.ga/wp-smarts.php

Unpacked files

SH256 hash:

8cde05e3ed4466b6ddb86a6ec37eefbab4e876f2d83a379ed01a924bfc75f45a

MD5 hash:

6614d82afa8f43726591c7fa66b65b28

SHA1 hash:

6c1a2421996d0f62ac5c89763a2070a0694e136e

Detections:

win_zloader_auto

Link:

https://www.unpac.me/results/f5f15cc2-036a-416a-9de4-085ec7686289/

SH256 hash:

35466f0c22f220890b932e59f9a21032712e8260343d13ad4c0d9560db3b638f

MD5 hash:

b8486dcef44c59a2652378724ef2a995

SHA1 hash:

1a71166669aa8810474fcb6700851175c643bd30

Link:

https://www.unpac.me/results/f5f15cc2-036a-416a-9de4-085ec7686289/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Nymaim

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/35466f0c22f220890b932e59f9a21032712e8260343d13ad4c0d9560db3b638f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_zloader_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/107283/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample