MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c0f9c9babc640a2578b1d3e8cacb60df32a0437ef3f9383d00ed88a7cef3a62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ZLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c0f9c9babc640a2578b1d3e8cacb60df32a0437ef3f9383d00ed88a7cef3a62
SHA3-384 hash: afe6d3afd4b778d1f37e9d5ff94c531d81ac55ccd232666745ab49c9f0e19268d24d77c47002519894f0c6344400d4c4
SHA1 hash: 6a0b90e9b0861cb42fecd217651d25c2e9eabf7d
MD5 hash: 7cff1113d30b8e4cd51ba13f40b9d2d5
humanhash: tennessee-indigo-colorado-five
File name:SecuriteInfo.com.FileRepMalware.31175
Download: download sample
Signature ZLoader
Create hunting rule
File size:279'040 bytes
First seen:2021-01-22 20:01:57 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 4049e1d3ab0b71bd0c6b9caa9bb2d19a (1 x ZLoader)
ssdeep 6144:1/oqv+z4/KDhYxNzQkR6sfPliEC3iNEt0Filb0ilBQY+Wj:1/dv+z45QkRZfPlTC3iNbFcoiTbj
Threatray 4 similar samples on MalwareBazaar
TLSH 84549D11B9C0F038E75E03305C6AFDA906A9BC159BE9FD4F33C91E4F94A2292F1127A5
Reporter SecuriteInfoCom
Tags:ZLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
150
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Zloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/113554/
Detection(s):
SecuriteInfo.com.FileRepMalware.31175.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Creating a file in the %AppData% subdirectories
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Unauthorized injection to a system process
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/588664
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5c0f9c9babc640a2578b1d3e8cacb60df32a0437ef3f9383d00ed88a7cef3a62/
Threat name:
Win32.Downloader.Zload
Create hunting rule
Status:
Malicious
First seen:
2021-01-22 20:02:06 UTC
AV detection:
7 of 29 (24.14%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lqhzzg5lyzakev4ldu7izlfwbxzsubbx547zha6qb3miu7hphjra._file
Verdict:
malicious
Label(s):
zloader
Create hunting rule
Similar samples:
35466f0c22f220890b932e59f9a21032712e8260343d13ad4c0d9560db3b638f
ZLoader
4b0c5b4530a9218d6030a7040a10ea5be84ffa3696601732ee7212691521474f
ZLoader
78c4bc3ae3153ba126c58e5cf86f254468c8ff422971ea3923502bfa3de8ad0b
ZLoader
d56060acb8115119810ae3aca151e94cbe5e2459dd405c8f010ced5a25c8548a
ZLoader
Result
Malware family:
zloader
Create hunting rule
Score:
  10/10
Tags:
family:zloader botnet:vek campaign:22/01 botnet trojan
Link:
https://tria.ge/reports/210122-etjn9kh2ps/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Blocklisted process makes network request
Zloader, Terdot, DELoader, ZeusSphinx
Malware Config
C2 Extraction:
https://groceryasian.com/post.php
https://forteanhub.com/post.php
https://conssapratigdevi.tk/post.php
Unpacked files
SH256 hash:
1900c73b34500e751376511ccf20004dcddcd06d3c56c55eba5e278e706c74bd
MD5 hash:
0bf065a28e13c15ab75db7ee99c5f151
SHA1 hash:
98fae3227de830e85eb90be5fa445a8cda503ca7
Detections:
win_zloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/7e40e4e4-ccf0-4e7a-af54-75dd68ae758a/
SH256 hash:
5c0f9c9babc640a2578b1d3e8cacb60df32a0437ef3f9383d00ed88a7cef3a62
MD5 hash:
7cff1113d30b8e4cd51ba13f40b9d2d5
SHA1 hash:
6a0b90e9b0861cb42fecd217651d25c2e9eabf7d
Link:
https://www.unpac.me/results/7e40e4e4-ccf0-4e7a-af54-75dd68ae758a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5c0f9c9babc640a2578b1d3e8cacb60df32a0437ef3f9383d00ed88a7cef3a62

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HiddenVNC
Create hunting rule
Author:@bartblaze
Description:Identifies HiddenVNC, which can start remote sessions.
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:win_zloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ZLoader

DLL dll 5c0f9c9babc640a2578b1d3e8cacb60df32a0437ef3f9383d00ed88a7cef3a62

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/974230/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/113554/

Comments