MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67773bd7bf1720493b3dd438a8d2959412dd9a4381a646d3e7278e73e18e102d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ZLoader


Vendor detections: 7



SHA256 hash: 67773bd7bf1720493b3dd438a8d2959412dd9a4381a646d3e7278e73e18e102d
SHA3-384 hash: 7f1ea27ad7208e19df679375a44744f37a5207788a571dcd442e2afd7bbdaaa2e01a952aec4229477ee9ab4f95496dde
SHA1 hash: c452a21329b8342f89b3fd4231202593bdc61cc9
MD5 hash: 2ab7d17b2b4a085364a15e473a1abf03
humanhash: eleven-monkey-one-kansas
File name: H3ifYE5.dll
Signature: ZLoader
File size: 344'576 bytes
First seen: 2021-03-01 18:04:13 UTC
Last seen: 2021-03-01 20:12:33 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: bf125c048e78e080a3da3f9c9a66b573 (1 x ZLoader)
ssdeep: 6144:dFI7uYz8l35fRY3Aa542fzKyfg4DR1M1CYR8llNzI:dFI7uy8vJPamiz9f5rKa
Threatray: 5 similar samples on MalwareBazaar
TLSH: 4D74BE05B26AC4B3E03594B8EC10C6FD5ADD3C51CD689863BAD62F1FB97F8509626233
Reporter: ffforward
Tags: dll nut ZLoader

Intelligence


File Origin
# of uploads: 2
# of downloads: 168
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Creating a window
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 56 / 100
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Machine Learning detection for sample
Writes to foreign memory regions
Behaviour
Behavior Graph (ID 360313; sample H3ifYE5.dll; start date 01/03/2021; architecture WINDOWS; score 56):
  Machine Learning detection for sample
  loaddll32.exe (started)
    rundll32.exe (started)
      signatures: Contains functionality to inject code into remote processes; Writes to foreign memory regions; Allocates memory in foreign processes
      msiexec.exe (started)
        network: bentalks.co.ke 197.248.5.24, 443, 49762 (SafaricomKE, Kenya)
        dropped file: C:\Users\user\AppData\Roaming\Ozpa\elyv.dll (PE32)
    regsvr32.exe (started)
      msiexec.exe (started)
    cmd.exe (started)
      iexplore.exe (started)
        network: 192.168.2.1 (unknown, unknown)
        iexplore.exe (started)
          network: edge.gycpi.b.yahoodns.net 87.248.118.22, 443, 49744, 49745 (YAHOO-DEBDE, United Kingdom)
          network: tls13.taboola.map.fastly.net 151.101.1.44, 443, 49739, 49740 (FASTLYUS, United States)
          network: 10 other IPs or domains
Result
Malware family: zloader
Score: 10/10
Tags: family:zloader botnet:nut campaign:01/03 botnet trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Blocklisted process makes network request
Zloader, Terdot, DELoader, ZeusSphinx
Malware Config
C2 Extraction:
https://bentalks.co.ke/post.php
https://karhandlafarm.com/post.php
https://www.moinamakeup.com/post.php
https://miramaminerals.com/post.php
https://fermin.pe/post.php
https://talk2point.com/post.php
https://enpikilenlya.gq/post.php
Unpacked files
SHA256 hash: 1f91ac00400f643e722f6e64e061372d2a06d0ce3db8e3d9bf8e61380a965e45
MD5 hash: 5b976ffa91ba9a8315090ae24d0483c9
SHA1 hash: ab24d82e707929648da91f3863a171293802bfcb
SHA256 hash: 67773bd7bf1720493b3dd438a8d2959412dd9a4381a646d3e7278e73e18e102d
MD5 hash: 2ab7d17b2b4a085364a15e473a1abf03
SHA1 hash: c452a21329b8342f89b3fd4231202593bdc61cc9
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: crime_win32_zloader_a0
Author: Rony (@r0ny_123)
Description: Detects Zloader Payload

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: ZLoader
File type: DLL
SHA256 hash: 67773bd7bf1720493b3dd438a8d2959412dd9a4381a646d3e7278e73e18e102d (this sample)

Comments