MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ef6c5467fd80274e6a37e2883a5e83a894cf2148ce37bf0adb1e884acbc4c0b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ZLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9ef6c5467fd80274e6a37e2883a5e83a894cf2148ce37bf0adb1e884acbc4c0b
SHA3-384 hash: 4f5502b95931c9caea0d33dabb3ec5527fc89246a6c02ba004f809d770327d43271f547bfd86dce83cb196fe6ad8b52a
SHA1 hash: 8d9b3a09a70914a0a20f42a79474abba34737206
MD5 hash: a552a092b08cd01310b87ee994a21bc2
humanhash: edward-uniform-sink-coffee
File name:2021-03-08-Spelevo-EK-payload-ZLoader-EXE.bin
Download: download sample
Signature ZLoader
Create hunting rule
File size:299'576 bytes
First seen:2021-03-08 22:37:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 29e20d84baf5d7815f29034743495a8f (1 x ZLoader)
ssdeep 6144:BEW3z2kSM7oEKDmM0CJ/sq0u7FkEncPtPL:fj5ScoFmxSh0u7qEc1D
Threatray 14 similar samples on MalwareBazaar
TLSH B654AD67E39130E9E58842354AC4277AC67FD5343F5B3DC31A683AE78C828CE56BD189
Reporter JasonMilletary
Tags:signed ZLoader

Code Signing Certificate

Organisation:TrustPort
Issuer:VeriSign Class 3 Code Signing 2009-2 CA
Algorithm:sha1WithRSAEncryption
Valid from:2010-04-09T00:00:00Z
Valid to:2011-04-09T23:59:59Z
Serial number: 040f11f124a73bdecc41259845a8a773
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 5a5cc633a63281c09bf2650aa765c306ae4a93f6abe4eb4eba4f779e9d5450f7
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
178
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2021-03-08-Spelevo-EK-payload-ZLoader-EXE.bin
Verdict:
No threats detected
Analysis date:
2021-03-08 22:41:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dc24b7a3-36d2-43ff-8119-791403636907

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/123050/
Detection(s):
SecuriteInfo.com.FileRepMalware.4213.5384.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Delayed reading of the file
Delayed writing of the file
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/632124
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 365029 Sample: 2021-03-08-Spelevo-EK-paylo... Startdate: 08/03/2021 Architecture: WINDOWS Score: 52 27 Multi AV Scanner detection for submitted file 2->27 29 Machine Learning detection for sample 2->29 8 loaddll32.exe 1 2->8         started        process3 process4 10 cmd.exe 1 8->10         started        12 regsvr32.exe 1 8->12         started        14 rundll32.exe 8->14         started        process5 16 iexplore.exe 2 83 10->16         started        process6 18 iexplore.exe 5 149 16->18         started        dnsIp7 21 geolocation.onetrust.com 104.20.184.68, 443, 49720, 49721 CLOUDFLARENETUS United States 18->21 23 192.168.2.1 unknown unknown 18->23 25 7 other IPs or domains 18->25
Gathering data
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-03-08 22:38:08 UTC
File Type:
PE (Dll)
Extracted files:
3
AV detection:
12 of 47 (25.53%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
zloader
Create hunting rule
Similar samples:
0d1774171175d150cc859a71fc56cd6a8132c9c679d3bd5c7f065126ed2a071e
ZLoader
3f1f00054377124affd8fb24f61b9a670858cc44282ffcf0341907f9dbcf1d51
ZLoader
44ede6e1b9be1c013f13d82645f7a9cff7d92b267778f19b46aa5c1f7fa3c10b
ZLoader
481af12b4e027b76b68c817c3cb806291f52042d3b5dce2e9f073408f596e206
ZLoader
8895213de00492d3755473bdc57627cdd9d90189b043f2a3dc7ae948d589eb1d
ZLoader
907a644328011c9d50c192e06ef14bf5e6be5f4c3f4dddacfba7ebb8d22d0738
ZLoader
959a3cd5e58c2bbbb4a5179e658f6193fd6cf8d5d5384b4e6dca12fa7cbc2c74
ZLoader
a7f441793b5703b349ebb2509b6af1cdfdd8023d8e56f1f9a57b9d74e69bd9a9
ZLoader
b70f6b2942fcd266a4fed8283cea70f57fc07e2894d348260372aa56d9e17d1b
ZLoader
cbf6848b72b118e090953347982de71cfe1510dfdc4affdb1ee4d5d62af428d6
ZLoader
+ 4 additional samples on MalwareBazaar
Result
Malware family:
zloader
Create hunting rule
Score:
  10/10
Tags:
family:zloader botnet:googleaktualizacija campaign:googleaktualizacija2 botnet trojan
Link:
https://tria.ge/reports/210308-rctfmtz5b6/
Behaviour
Suspicious use of WriteProcessMemory
Zloader, Terdot, DELoader, ZeusSphinx
Malware Config
C2 Extraction:
https://iqowijsdakm.com/gate.php
https://wiewjdmkfjn.com/gate.php
https://dksaoidiakjd.com/gate.php
https://iweuiqjdakjd.com/gate.php
https://yuidskadjna.com/gate.php
https://olksmadnbdj.com/gate.php
https://odsakmdfnbs.com/gate.php
https://odsakjmdnhsaj.com/gate.php
https://odjdnhsaj.com/gate.php
https://odoishsaj.com/gate.php
Unpacked files
SH256 hash:
f50ed9a48d0dc429d4cf472529936df8820a59a364c04444704fcb88a17fa8ba
MD5 hash:
c67f95334a7e1c718d2d91a4b9e10053
SHA1 hash:
d36f4bd5e95e739e1c22b578f472570db16f1141
Detections:
win_zloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/12630923-47d4-44d6-8541-75e5da01e56a/
SH256 hash:
9ef6c5467fd80274e6a37e2883a5e83a894cf2148ce37bf0adb1e884acbc4c0b
MD5 hash:
a552a092b08cd01310b87ee994a21bc2
SHA1 hash:
8d9b3a09a70914a0a20f42a79474abba34737206
Link:
https://www.unpac.me/results/12630923-47d4-44d6-8541-75e5da01e56a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9ef6c5467fd80274e6a37e2883a5e83a894cf2148ce37bf0adb1e884acbc4c0b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/malware_traffic/status/1369052011728171009
Cape
Cape
https://www.capesandbox.com/analysis/123050/

Comments


Avatar
Rony commented on 2021-03-11 18:22:26 UTC

CAPE Payload extraction: https://www.capesandbox.com/analysis/123859/