MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83c31903a72e894c0c0a74bc456a9ce007991bf682f1d072905865207adc8fbf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ZLoader

Vendor detections: 8
SHA256 hash: 83c31903a72e894c0c0a74bc456a9ce007991bf682f1d072905865207adc8fbf
SHA3-384 hash: e3b008a6aa44a006c3eb38fefb69dde0fa8bb8f1bc841bd7835e39c840d884cd68d4f3a353c4e98110edfa707a359024
SHA1 hash: f8bdc43c739668087d3d754587c62e2498a45559
MD5 hash: bfcff5e7e6343d0d16a52eddf28d7e59
humanhash: black-nitrogen-ohio-bulldog
File name: bfcff5e7e6343d0d16a52eddf28d7e59
Signature: ZLoader
File size: 85'945 bytes
First seen: 2021-06-24 08:31:00 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 378c4792225854c10b4a5f5d67ecdbd2 (2 x ZLoader, 1 x Adware.PushWare, 1 x Adware.Generic)
ssdeep: 1536:lTViOcRUBWC2jZP2ITQX5+e7ZnbHJNk/jFydDEJ4AZD6nm3ZjayurLx:lTUOPWC/IUJtZnbHJy/wBc4w6m3Zjayw
Threatray: 2 similar samples on MalwareBazaar
TLSH: 3083D01662D1E8FBC9928F300A7A2F3AABFAA725101943533BB19F9DBD173478C1D141
Reporter: zbetcheckin
Tags: 32 exe ZLoader

Intelligence

File Origin
# of uploads: 1
# of downloads: 144
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: bfcff5e7e6343d0d16a52eddf28d7e59
Verdict: No threats detected
Analysis date: 2021-06-24 08:37:12 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: Unknown
Detection: malicious
Classification: rans.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Contain functionality to detect virtual machines
Contains functionality to infect the boot sector
Contains functionality to register a low level keyboard hook
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Behaviour
Behavior Graph: (graph rendering not reproduced) Behavior Graph ID: 439692, Sample: AUg4zbbjo6, Startdate: 24/06/2021, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.Strictor
Status: Malicious
First seen: 2021-06-24 08:31:19 UTC
AV detection: 22 of 46 (47.83%)
Threat level: 5/5

Result
Malware family: zloader
Score: 10/10
Tags: family:zloader bootkit botnet discovery evasion persistence spyware stealer trojan vmprotect
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Checks installed software on the system
Checks whether UAC is enabled
Drops Chrome extension
Maps connected drives based on registry
Writes to the Master Boot Record (MBR)
Loads dropped DLL
Reads user/profile data of web browsers
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Installed Components in the registry
Sets DLL path for service in the registry
VMProtect packed file
Modifies system executable filetype association
Registers COM server for autorun
Zloader, Terdot, DELoader, ZeusSphinx
Unpacked files
SHA256 hash: dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
MD5 hash: 00a0194c20ee912257df53bfe258ee4a
SHA1 hash: d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256 hash: 393b83eea1a26874e0148e2609438f05fb59cd3172509c6c1a356e25c3b4fb17
MD5 hash: 2b2ce6a4724773710667d8e892b8d71e
SHA1 hash: bc497b829d52d0bca139e7db9792b58a6c5ccac2

SHA256 hash: fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28
MD5 hash: 254f13dfd61c5b7d2119eb2550491e1d
SHA1 hash: 5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256 hash: 83c31903a72e894c0c0a74bc456a9ce007991bf682f1d072905865207adc8fbf
MD5 hash: bfcff5e7e6343d0d16a52eddf28d7e59
SHA1 hash: f8bdc43c739668087d3d754587c62e2498a45559
Please note that we are no longer able to provide a coverage score for Virus Total.

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: ZLoader
File: Executable exe 83c31903a72e894c0c0a74bc456a9ce007991bf682f1d072905865207adc8fbf (this sample)

Delivery method: Distributed via web download

Comments