MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f7322f79d8ce25a52aadf16b3f068169990cda606fb287d74fd5957c250c3b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ZLoader


Vendor detections: 7



SHA256 hash: 5f7322f79d8ce25a52aadf16b3f068169990cda606fb287d74fd5957c250c3b5
SHA3-384 hash: 8bb97f071ee3f1a26bcac0bad077b273e5e93094b5e388d541a99684cdb7405bcc6a5f6424859fbcaddb225f1222fed1
SHA1 hash: edcadd564cd6ef074655165ae572af2a1ba6ef6e
MD5 hash: 2e765a8048bcd67f293f11db938e77c3
humanhash: friend-aspen-skylark-india
File name: 2e765a8048bcd67f293f11db938e77c3
Signature: ZLoader
File size: 85'929 bytes
First seen: 2021-06-24 09:48:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 378c4792225854c10b4a5f5d67ecdbd2 (2 x ZLoader, 1 x Adware.PushWare, 1 x Adware.Generic)
ssdeep: 1536:lTViOcRUBWC2jZP2ITQX5+e7ZnbHJNvgKWEJ4AZD6nm3ZjayurLT:lTUOPWC/IUJtZnbHJGc4w6m3ZjayILT
Threatray: 4 similar samples on MalwareBazaar
TLSH: 8283D01662E0E4FBC5A29F300A7A2F7A7BFAA715116503136BB09F8DBD177878C1D181
Reporter: zbetcheckin
Tags: 32 exe ZLoader

Intelligence


File Origin
# of uploads: 1
# of downloads: 174
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 2e765a8048bcd67f293f11db938e77c3
Verdict: No threats detected
Analysis date: 2021-06-24 09:49:33 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary may be suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: rans.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to detect virtual machines
Contains functionality to infect the boot sector
Detected unpacking (creates a PE file in dynamic memory)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Behaviour
Behavior Graph: Behavior Graph ID 439772, sample 2qPnTEJ3ZZ, start date 24/06/2021, architecture WINDOWS, score 100 (graph rendering not reproduced here)
Threat name: Win32.Trojan.Strictor
Status: Malicious
First seen: 2021-06-24 09:49:14 UTC
AV detection: 24 of 28 (85.71%)
Threat level: 5/5

Result
Malware family: zloader
Score: 10/10
Tags: family:dcrat family:zloader bootkit botnet discovery evasion infostealer persistence rat spyware stealer trojan vmprotect
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Checks installed software on the system
Checks whether UAC is enabled
Drops Chrome extension
Maps connected drives based on registry
Writes to the Master Boot Record (MBR)
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Installed Components in the registry
Modifies Windows Firewall
Sets DLL path for service in the registry
VMProtect packed file
DcRat
Modifies system executable filetype association
Registers COM server for autorun
Zloader, Terdot, DELoader, ZeusSphinx
Unpacked files

SHA256 hash: 2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
MD5 hash: 2b342079303895c50af8040a91f30f71
SHA1 hash: b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256 hash: 393b83eea1a26874e0148e2609438f05fb59cd3172509c6c1a356e25c3b4fb17
MD5 hash: 2b2ce6a4724773710667d8e892b8d71e
SHA1 hash: bc497b829d52d0bca139e7db9792b58a6c5ccac2

SHA256 hash: dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
MD5 hash: 00a0194c20ee912257df53bfe258ee4a
SHA1 hash: d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256 hash: fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28
MD5 hash: 254f13dfd61c5b7d2119eb2550491e1d
SHA1 hash: 5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256 hash: 5f7322f79d8ce25a52aadf16b3f068169990cda606fb287d74fd5957c250c3b5
MD5 hash: 2e765a8048bcd67f293f11db938e77c3
SHA1 hash: edcadd564cd6ef074655165ae572af2a1ba6ef6e
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: ZLoader
File: Executable exe 5f7322f79d8ce25a52aadf16b3f068169990cda606fb287d74fd5957c250c3b5 (this sample)
