MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c5c8af2a703aa1842f4ce9f9e83aeeac0e2cc2d3ed1bf9f9ad72b7f77e89a42. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ZLoader


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c5c8af2a703aa1842f4ce9f9e83aeeac0e2cc2d3ed1bf9f9ad72b7f77e89a42
SHA3-384 hash: c2b0e43f3debdc48dba54c8c3c9a32fb85276c141fad5373b7311332f3ee6a8b81b462ad79fa3f30e74ffb0b64892b69
SHA1 hash: 1546aed93ddf813d13635664470454bf40d89056
MD5 hash: be211fc134a945398f96e3cfe8ac0acd
humanhash: jupiter-sad-aspen-hot
File name:r.php
Download: download sample
Signature ZLoader
Create hunting rule
File size:450'560 bytes
First seen:2020-12-02 17:38:51 UTC
Last seen:2020-12-02 20:04:16 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 3cd7e6f920782c8e412d592247f4ec0a (1 x ZLoader)
ssdeep 12288:HJVwm6u6Hs0lnzTwVVhJf9zXKqiR+M1nrJ:Am6DbTwVN9zXfFmrJ
Threatray 13 similar samples on MalwareBazaar
TLSH 44A4CF80B693C072E47E08714C6DCB96827D3D511A6DB95B32CCAE2F6F34495AD38DE2
Reporter JasonMilletary
Tags:ZLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
187
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106442/
Detection(s):
SecuriteInfo.com.Gen.NN.ZedlaF.34670.Bu8@aesecxei.27130.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Deleting a recently created file
Replacing files
Delayed writing of the file
Delayed reading of the file
Launching a process
Creating a file in the %AppData% subdirectories
Creating a window
DNS request
Sending a custom TCP request
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/553879
Signature
Contains functionality to inject code into remote processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5c5c8af2a703aa1842f4ce9f9e83aeeac0e2cc2d3ed1bf9f9ad72b7f77e89a42/
Threat name:
Win32.Trojan.Zeus
Create hunting rule
Status:
Malicious
First seen:
2020-12-02 17:39:05 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lroiv4vhaovbqqxuz2pz5a5o5laoftbnh3i37h4224vx657itjba._file
Verdict:
malicious
Label(s):
zloader
Create hunting rule
Similar samples:
0f93dbbf41211dea54f14444e0a9cadf32f66b92b104e1ed9feb577cf5f566df
ZLoader
127f3ba9309ea74bcb607dd22722b341efe43552c6c0eec22f05ef7c396b1c17
ZLoader
34aa0bd4dc61cca23b7950282df26ce2e16a339b2895add65d46e6d317a11fe1
ZLoader
3bf8fbdad095013493d1b90f5c82880dc57145dfbb54fdf225ded88ba6b1618b
ZLoader
3cb17bcbb2716fa6af2fdac51325307ee214938f4c4b1f9ff3bc5b202bb487ff
ZLoader
4b0c5b4530a9218d6030a7040a10ea5be84ffa3696601732ee7212691521474f
ZLoader
740577fb4e542f8f73b104ecf8e6890fc5ee3842f5393a9ce728117b11e7d7b3
ZLoader
b20178e587cebb3efb668161c459daa45c2e6c6d4177e6f4b4a6a298afaa38d9
ZLoader
ec0d163186da154a259c723f830735619d5bf6f80b8aa94390a6c1c4e2d60730
ZLoader
f28dd082013ee7df2f5956c4e8791e863e575aa64071af9a910826bc12d27acb
ZLoader
+ 3 additional samples on MalwareBazaar
Result
Malware family:
zloader
Create hunting rule
Score:
  10/10
Tags:
family:zloader botnet:nut campaign:02/12 botnet trojan
Link:
https://tria.ge/reports/201202-ff2b8wv312/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Blacklisted process makes network request
Zloader, Terdot, DELoader, ZeusSphinx
Malware Config
C2 Extraction:
https://www.alhasanatbooks.com/reader.php
https://aflim.org.ng/wp-punch.php
https://sardarmohammad.com/reports.php
https://erikarabelo.com.br/server.php
https://thechapelofthehealingcross.org/java.php
https://grebcanualcwilfprofal.ml/wp-smarts.php
Unpacked files
SH256 hash:
5c5c8af2a703aa1842f4ce9f9e83aeeac0e2cc2d3ed1bf9f9ad72b7f77e89a42
MD5 hash:
be211fc134a945398f96e3cfe8ac0acd
SHA1 hash:
1546aed93ddf813d13635664470454bf40d89056
Link:
https://www.unpac.me/results/15ca322b-f9f2-4a00-bb25-3182b3b81429/
SH256 hash:
96d880201211399aaf62c0f7a08930512688b69645bbfa6c7a9889753a00f70c
MD5 hash:
d43df14a3ca7213778b5ce840dc22d50
SHA1 hash:
0dd005493404f6054659d00361d7642ff3690a59
Detections:
win_zloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/15ca322b-f9f2-4a00-bb25-3182b3b81429/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5c5c8af2a703aa1842f4ce9f9e83aeeac0e2cc2d3ed1bf9f9ad72b7f77e89a42

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_zloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/106442/

Comments