MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c8e5f1670515c6a9d3cdcafe6d9a782a87f0f085095558cc0116ea73281c059. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ZLoader


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c8e5f1670515c6a9d3cdcafe6d9a782a87f0f085095558cc0116ea73281c059
SHA3-384 hash: 62f4de59ef28c19e7e0ba83f4cea41cf311cc0955d26934fbe736cc25db7325db70f4b413e3b705f73b491947b090733
SHA1 hash: 17c0d629b7a2f940e7a69f1120582cf89f70355a
MD5 hash: aac2b6314988e0aea824fe0a53b917c1
humanhash: romeo-six-social-delta
File name:aac2b6314988e0aea824fe0a53b917c1.exe
Download: download sample
Signature ZLoader
Create hunting rule
File size:168'960 bytes
First seen:2021-08-06 06:33:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 68 x LummaStealer, 61 x Rhadamanthys)
ssdeep 3072:4ahKyd2n31d5GWp1icKAArDZz4N9GhbkrNEkbTX2rv:4ahO1p0yN90QEr
Threatray 78 similar samples on MalwareBazaar
TLSH T1E0F37C0B63F82066E4B5937459F202C35932BD715B3882EF128E997E1E336E0B631B57
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe ZLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
178
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
aac2b6314988e0aea824fe0a53b917c1.exe
Verdict:
No threats detected
Analysis date:
2021-08-06 06:36:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8c6de33a-dfaa-4428-a018-d8937e54c1e0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/176907/
Detection(s):
SecuriteInfo.com.BAT.TrojanDownloader.Agent.OIR.7563.13161.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the %AppData% directory
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f458c256-4eb5-4e94-8d9b-24ae68bd5f86
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/828117
Signature
Multi AV Scanner detection for dropped file
Powershell drops PE file
Sigma detected: Regsvr32 Anomaly
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 460548 Sample: svL1JN95oO.exe Startdate: 06/08/2021 Architecture: WINDOWS Score: 56 31 Multi AV Scanner detection for dropped file 2->31 33 Sigma detected: Regsvr32 Anomaly 2->33 8 svL1JN95oO.exe 1 3 2->8         started        10 rundll32.exe 2->10         started        process3 process4 12 cmd.exe 1 8->12         started        process5 14 powershell.exe 14 18 12->14         started        19 regsvr32.exe 12->19         started        21 conhost.exe 12->21         started        dnsIp6 27 gucdhwpcfjmmcefypliv.com 5.63.154.248, 443, 49718 AS-REGRU Russian Federation 14->27 25 C:\Users\user\AppData\Roaming\JavaE.dll, MS-DOS 14->25 dropped 29 Powershell drops PE file 14->29 23 regsvr32.exe 1 19->23         started        file7 signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6c8e5f1670515c6a9d3cdcafe6d9a782a87f0f085095558cc0116ea73281c059/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-08-05 21:16:42 UTC
AV detection:
9 of 28 (32.14%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
zloader
Create hunting rule
Similar samples:
06f39b7745fc370b817fc6f4ba226ac2f39994bf7da7296a99feb68d730ed174
ZLoader
12e5c221195f7d0a47b98b5d5fff26ea8fc4ad4f76f1c21f47e3a73102f18c59
ZLoader
2aad576a107cd5cb031c13a85f8403a3b0e377a608a1af77f6e5607295bd54eb
ZLoader
481af12b4e027b76b68c817c3cb806291f52042d3b5dce2e9f073408f596e206
ZLoader
607a091d00b4660179f3b9c85bf1cd66edf3a2bc6bfcd794e60030b67363464c
ZLoader
86c37d778f584a2a3090ab170c8cd2fb3ddf952cde689b4c5a1efd74fc113a05
ZLoader
9ef6c5467fd80274e6a37e2883a5e83a894cf2148ce37bf0adb1e884acbc4c0b
ZLoader
b250b1ccb8194ce1ccc86b4a88bd7279f6804fac990758e95d203fdd1d97dcc2
ZLoader
cbf6848b72b118e090953347982de71cfe1510dfdc4affdb1ee4d5d62af428d6
ZLoader
f1b22c0b6c144d82a0e470b2c6a649135a4f212ade39c8135e0273ec100ff34c
ZLoader
+ 68 additional samples on MalwareBazaar
Result
Malware family:
zloader
Create hunting rule
Score:
  10/10
Tags:
family:zloader botnet:vasja campaign:vasja botnet evasion persistence trojan
Link:
https://tria.ge/reports/210806-rpm67rkccj/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Modifies Windows Firewall
Zloader, Terdot, DELoader, ZeusSphinx
Malware Config
C2 Extraction:
https://iqowijsdakm.com/gate.php
https://wiewjdmkfjn.com/gate.php
https://dksaoidiakjd.com/gate.php
https://iweuiqjdakjd.com/gate.php
https://yuidskadjna.com/gate.php
https://olksmadnbdj.com/gate.php
https://odsakmdfnbs.com/gate.php
https://odsakjmdnhsaj.com/gate.php
https://odjdnhsaj.com/gate.php
https://odoishsaj.com/gate.php
Unpacked files
SH256 hash:
6c8e5f1670515c6a9d3cdcafe6d9a782a87f0f085095558cc0116ea73281c059
MD5 hash:
aac2b6314988e0aea824fe0a53b917c1
SHA1 hash:
17c0d629b7a2f940e7a69f1120582cf89f70355a
Link:
https://www.unpac.me/results/ce20735d-bfe3-42db-b9d4-65ff24dd6d98/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6c8e5f1670515c6a9d3cdcafe6d9a782a87f0f085095558cc0116ea73281c059

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ZLoader

Executable exe 6c8e5f1670515c6a9d3cdcafe6d9a782a87f0f085095558cc0116ea73281c059

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1507330/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/176907/

Comments