MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c73619ff8d5e4ed3b29b7ae71a69602df4071fd8c1029f9674e9978cdc03de9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash: 7c73619ff8d5e4ed3b29b7ae71a69602df4071fd8c1029f9674e9978cdc03de9
SHA3-384 hash: 1ca4daf98a09849c4fa9dbb882cb22f6980218bde5c6ee9ba3492810c25e6a8139e67e24578dc143f36ec3307c2c3866
SHA1 hash: b3668d82afdbf2995c4195973525b0b00b8e21b1
MD5 hash: 03915a1f03df164f48ac4dfd04d9c2c4
humanhash: stream-fix-hotel-bakerloo
File name: zloader_1.7.1.0.vir
Signature: ZLoader
File size: 3'060'224 bytes
First seen: 2020-07-19 19:25:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 65c9087f103e78cee79f2a030d21dd4d
ssdeep: 49152:xXn6BEO9IBuoZUyq2SnaCQRjQF6/+0WzsoQOk6SdDt6DF5/iE7AnEX:5TO9IBXxqbnaCQN/R8QXvdMF5/TIEX
TLSH: C9E5334F1AB7DBE0C96903723E56E8D5118F319982B256E6E41E4C7243AF231234EFD9
Reporter: @tildedennis
Tags: ZLoader


Twitter (@tildedennis): zloader version 1.7.1.0

Intelligence

File Origin
# of uploads: 1
# of downloads: 17
Origin country: FR

Mail intelligence: No data

Vendor Threat Intelligence

Detection: WarzoneRAT

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Connection attempt to an infection source

Result
Threat name: Unknown
Detection: malicious
Classification: spyw.evad
Score: 100 / 100

Behaviour
Behavior Graph:
Behavior Graph ID: 247288, Sample: zloader_1.7.1.0.vir, Startdate: 20/07/2020, Architecture: WINDOWS, Score: 100

Top level
  DNS/IP: pierin.ru, dayspirit.at, clork.ru
  Signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file
  Started: zloader_1.7.1.0.exe

zloader_1.7.1.0.exe
  DNS/IP: 1.7.1.0 (SIFY-AS-IN Sify Limited, IN, India)
  Signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; Sample uses process hollowing technique
  Started: explorer.exe

explorer.exe
  Signatures: Contains functionality to inject threads in other processes; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 3 other signatures
  Injected: explorer.exe

explorer.exe (injected)
  Dropped: C:\Users\user\AppData\Roaming\...\umekh.exe (PE32); C:\Users\user\...\umekh.exe:Zone.Identifier (data)
  Signatures: Benign windows process drops PE files; Injects code into the Windows Explorer (explorer.exe); Tries to harvest and steal browser information (history, passwords, etc); 5 other signatures
  Started: umekh.exe; umekh.exe; msiexec.exe

umekh.exe (first instance)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights)
  Started: explorer.exe

umekh.exe (second instance)
  Signatures: Maps a DLL or memory area into another process; Sample uses process hollowing technique
  Started: explorer.exe

msiexec.exe
  DNS/IP: pierin.ru, dayspirit.at, clork.ru
  Signatures: Contains functionality to inject threads in other processes

explorer.exe (started by first umekh.exe)
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)

explorer.exe (started by second umekh.exe)
  Signatures: Injects a PE file into a foreign processes

Threat name: Win32.Trojan.Zbot
Status: Malicious
First seen: 2016-07-21 23:47:31 UTC
AV detection: 22 of 29 (75.86%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: persistence spyware

Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
NTFS ADS
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
NTFS ADS
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Adds Run key to start application
Checks whether UAC is enabled
Adds Run key to start application
Reads user/profile data of web browsers
Deletes itself
Deletes itself
Reads user/profile data of web browsers

Threat name: Unknown
Score: 1.00

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments