MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52d071922413a3be8815a76118a45bf13d8d323b73ba42377591fd68c59dfc89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ZLoader


Vendor detections: 2


Intelligence 2 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 52d071922413a3be8815a76118a45bf13d8d323b73ba42377591fd68c59dfc89
SHA3-384 hash: 8d3680e2410cfcf043e1a67ddce592bba6d72fe82afbf288ff3d6de851f084989ec08548731d9e790b3481148a551464
SHA1 hash: 853118cbf783b537074f33d3e7b7d4a08c980432
MD5 hash: 3f50f8a6beb3d3fb0814743d7d1d6afb
humanhash: football-fourteen-angel-helium
File name:xQWh.html
Download: download sample
Signature ZLoader
Create hunting rule
File size:350'208 bytes
First seen:2021-01-20 17:09:08 UTC
Last seen:Never
File type:Excel file xlsx
MIME type:application/vnd.ms-excel
ssdeep 6144:bmLWmGvz0ftVg+2s+3EwDGrNNvfQPvNxYAKjAwbcGGbSk:bmLWv01bcGrNNveNqAKjAwjGb9
TLSH 29742310F3B50503DBB7B8BA18D84BF2C387CC496519B299225439369DF1F88FA79798
Reporter ffforward
Tags:ZLoader

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Application name is Microsoft Excel
Office document is in OLE format
Office document is in encrypted
OLE dump

MalwareBazaar was able to identify 3 sections in this file using oledump:

Section IDSection sizeSection name
14096 bytesDocumentSummaryInformation
24096 bytesSummaryInformation
3337899 bytesWorkbook

Intelligence

File Origin
# of uploads :
1
# of downloads :
168
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
xQWh.html
Verdict:
No threats detected
Analysis date:
2021-01-20 17:12:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3f42703a-2791-49f6-beef-f6ef614de4d6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Has a screenshot:
False
Contains macros:
False
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Result
Verdict:
Suspicious
File Type:
Encrypted Office File
Link:
https://app.docguard.net/52d071922413a3be8815a76118a45bf13d8d323b73ba42377591fd68c59dfc89/results/dashboard
Result
Verdict:
UNKNOWN
Result
Threat name:
Unknown
Detection:
clean
Classification:
n/a
Score:
0 / 100
Link:
https://www.joesandbox.com/analysis/586485
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/52d071922413a3be8815a76118a45bf13d8d323b73ba42377591fd68c59dfc89/
Result
Malware family:
n/a
Score:
  5/10
Tags:
ransomware
Link:
https://tria.ge/reports/210120-59qt4xl4wa/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.10
Link:
https://yomi.yoroi.company/submissions/52d071922413a3be8815a76118a45bf13d8d323b73ba42377591fd68c59dfc89

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:SharedStrings
Create hunting rule
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ZLoader

Word file docm 91aa050536d834947709776af40c2fde49471d28231de50df0d324cd55101df4

ZLoader

Excel file xlsx 52d071922413a3be8815a76118a45bf13d8d323b73ba42377591fd68c59dfc89

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/972497/
  
Dropped by
SHA256 91aa050536d834947709776af40c2fde49471d28231de50df0d324cd55101df4
  
Delivery method
Distributed via web download

Comments