MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b0d2be4d9cce9d75ca447d998c529cb3bf68cf81403d9417fd8c9922cfe6fb5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ZLoader


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b0d2be4d9cce9d75ca447d998c529cb3bf68cf81403d9417fd8c9922cfe6fb5
SHA3-384 hash: 50087d1476cf3e3bfb38965f3eda7fec4a3177a618b1f343a2809472a54752203e23cad544bb4892969466dfee4124b6
SHA1 hash: d542f7f54ab80254cb84100b5e96649740e0f9ac
MD5 hash: 4f52a0bf2e278c348fcc090bfcf2b0c2
humanhash: potato-tango-early-white
File name:4f52a0bf2e278c348fcc090bfcf2b0c2.exe
Download: download sample
Signature ZLoader
Create hunting rule
File size:404'992 bytes
First seen:2020-09-10 05:42:31 UTC
Last seen:2020-09-10 06:43:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:RbiineiyBCsAbYnSmJwQIOIsklsZeyW6CMFrgxztLQsLdN:R+inFsCMnSmJBQsktsCMF8xqC
Threatray 6 similar samples on MalwareBazaar
TLSH FF84E0A5765C0903EDE9ADF54C9122110EA4A41B7E1FE381BAC6189637F1BC04BFDE1B
Reporter abuse_ch
Tags:exe ZLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Zloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/58288/
Detection(s):
SecuriteInfo.com.Variant.MSILPerseus.232794.19531.29694.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/462854
Signature
Allocates memory in foreign processes
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 283825 Sample: mqRxsAsXVC.exe Startdate: 10/09/2020 Architecture: WINDOWS Score: 56 19 Multi AV Scanner detection for submitted file 2->19 7 mqRxsAsXVC.exe 3 2->7         started        process3 file4 17 C:\Users\user\AppData\...\mqRxsAsXVC.exe.log, ASCII 7->17 dropped 10 mqRxsAsXVC.exe 7->10         started        13 mqRxsAsXVC.exe 7->13         started        process5 signatures6 21 Writes to foreign memory regions 10->21 23 Allocates memory in foreign processes 10->23 15 msiexec.exe 10->15         started        process7
Detection:
zloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5b0d2be4d9cce9d75ca447d998c529cb3bf68cf81403d9417fd8c9922cfe6fb5/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-09-10 00:02:42 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lmgsxzgzztu5oxfei7mzrrjjzm57ndhycqb5sql73dezelh6n62q._file
Verdict:
malicious
Label(s):
zloader
Create hunting rule
Similar samples:
4a98d46de3bd022d30b403013cd03c5142cf01341bf18e76e487311a8bbee252
ZLoader
6679da77917ddc1ab75c7f05dee0701d172ff0bfc6a7cd92d4c73a66c877a7d8
ZLoader
6943af74133b5003dd39c65473d54749c131536d8fd773801de2e80ede8e0c0a
ZLoader
b866a18458d22f3c362eb9db308ccbbe80ad1a1ef04d9f1c8ba6d3c66ccd4971
ZLoader
c91229d90c423cd5b5bf870cec714e5c956058c62f4b2036607d44f1767c50d2
ZLoader
d2f0049cd462aa2fadc04698f15209d5f31c185d3b99f71e8f564f20ae9b9d51
ZLoader
Result
Malware family:
zloader
Create hunting rule
Score:
  10/10
Tags:
trojan botnet family:zloader
Link:
https://tria.ge/reports/200910-jkh84867wn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Blacklisted process makes network request
Suspicious use of NtCreateUserProcessOtherParentProcess
Zloader, Terdot, DELoader, ZeusSphinx
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5b0d2be4d9cce9d75ca447d998c529cb3bf68cf81403d9417fd8c9922cfe6fb5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_zloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ZLoader

Executable exe 5b0d2be4d9cce9d75ca447d998c529cb3bf68cf81403d9417fd8c9922cfe6fb5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/453403/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/58288/

Comments