MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38115c7bdc10cc2981e9ab126d98f5ccab66a4d4d787b90a704ba3823b07fb67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 38115c7bdc10cc2981e9ab126d98f5ccab66a4d4d787b90a704ba3823b07fb67
SHA3-384 hash: fd93823cef043de1f6773c674e4b4b02f19cc339cf30a36f25cc81ded2fac30cb1fcaf38eea96840f36a1192537b9d20
SHA1 hash: de323c3e4f362739cc6cf0a9989fbde6633d3bd5
MD5 hash: a233e89a46b954cd46e6d543b96fd884
humanhash: coffee-butter-hot-robert
File name: zloader 2_1.0.18.0.vir
Signature: ZLoader
File size: 458'752 bytes
First seen: 2020-07-19 17:22:15 UTC
Last seen: 2020-07-19 19:16:15 UTC
File type: DLL (dll)
MIME type: application/x-dosexec
imphash: 9c48e134ef0c7df8d9348f63c095309e
ssdeep: 12288:YsPxh4XMy2/z7uI8fb53/nq9YDRMTC/MCi:YKxiXu7n8fl3/oC/MCi
TLSH: 9DA49EC038D185B1EA0955F80C0E99E3C95ABE759CF2D187B7D83A9F211B16B6A33D31
Reporter: @tildedennis
Tags: ZLoader, zloader 2


Twitter
@tildedennis
zloader 2 version 1.0.18.0

Intelligence


File Origin
# of uploads: 2
# of downloads: 17
Origin country: US
Mail intelligence: No data
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness: (not reported)
Behaviour:
- Creating a window
- Unauthorized injection to a recently created process
- Connection attempt to an infection source

Result
Threat name: ZLoader
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Behaviour
Behavior Graph (rendered graph not available; recoverable details below):
Behavior Graph ID: 247103
Sample: zloader 2_1.0.18.0.vir
Startdate: 19/07/2020
Architecture: WINDOWS
Score: 100
Top-level signatures:
- Multi AV Scanner detection for domain / URL
- Malicious sample detected (through community Yara rule)
- Antivirus detection for dropped file
- 4 other signatures
Processes started: loaddll32.exe, rundll32.exe (x2); each spawning further rundll32.exe children
DNS/IP observed under loaddll32.exe: 1.0.18.0 (VECTANT ARTERIA Networks Corporation, JP Japan)
Signatures on child rundll32.exe:
- Contains functionality to inject code into remote processes
- Writes to foreign memory regions
- Allocates memory in foreign processes
Process started by rundll32.exe: msiexec.exe
DNS/IP observed under msiexec.exe: soficatan.site
Dropped file (msiexec.exe): C:\Users\user\AppData\...\caycfyfy.dll, PE32
Threat name: Win32.Trojan.Kryptik
Status: Malicious
First seen: 2020-02-25 01:40:36 UTC
AV detection: 21 of 31 (67.74%)
Threat level: 2/5

Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour:
- JavaScript code in executable

Threat name: Unknown
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments