MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b250b1ccb8194ce1ccc86b4a88bd7279f6804fac990758e95d203fdd1d97dcc2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ZLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b250b1ccb8194ce1ccc86b4a88bd7279f6804fac990758e95d203fdd1d97dcc2
SHA3-384 hash: bccbc6f31f8f6f0ad704d56e5a730b17341ffeea2ef124129b371e5a7052f4f719db12561a6b1ad14bbade83ed1cfe5d
SHA1 hash: ee3ebcb8b28702c50b0083db163ba5876f40f54c
MD5 hash: 7a4334c164c28530b28858559643c6b9
humanhash: moon-bulldog-robert-asparagus
File name:1243656.dll
Download: download sample
Signature ZLoader
Create hunting rule
File size:288'368 bytes
First seen:2021-03-10 10:30:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 564be3cb470d33e67631863af7756724 (1 x ZLoader)
ssdeep 6144:EvrI3VKTfer1yrtFFK7GrwZqzYh7nmxc4HtzbJv3rI:rFqF0EJv3rI
Threatray 15 similar samples on MalwareBazaar
TLSH 67548DCA7AE2A526D030A4700B52E3E217DDD9791FE7BE12E3A5475774E30822F91B07
Reporter nao_sec
Tags:signed SpelevoEK ZLoader

Code Signing Certificate

Organisation:Kaspersky Lab
Issuer:VeriSign Class 3 Code Signing 2009-2 CA
Algorithm:sha1WithRSAEncryption
Valid from:2010-03-08T00:00:00Z
Valid to:2011-03-08T23:59:59Z
Serial number: 07be8f83f4455021f4e24fb021fca24a
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: bac4c0d47deb8fc2cfea50cd56e2091b5d4c597a032ed5791b42061b8181df18
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1243656.exe
Verdict:
No threats detected
Analysis date:
2021-03-10 10:23:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2fc5ad55-406b-4261-9876-f98a131619c0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/123586/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.31467.24789.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Delayed reading of the file
Delayed writing of the file
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/634216
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 366080 Sample: 1243656.dll Startdate: 10/03/2021 Architecture: WINDOWS Score: 56 27 Multi AV Scanner detection for submitted file 2->27 29 Machine Learning detection for sample 2->29 31 PE file has a writeable .text section 2->31 8 loaddll32.exe 1 2->8         started        process3 process4 10 cmd.exe 1 8->10         started        12 rundll32.exe 8 1 8->12         started        14 regsvr32.exe 8->14         started        process5 16 iexplore.exe 2 83 10->16         started        process6 18 iexplore.exe 5 159 16->18         started        dnsIp7 21 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49733, 49734 FASTLYUS United States 18->21 23 geolocation.onetrust.com 104.20.185.68, 443, 49723, 49724 CLOUDFLARENETUS United States 18->23 25 7 other IPs or domains 18->25
Gathering data
Threat name:
Win32.Downloader.ZLoader
Create hunting rule
Status:
Malicious
First seen:
2021-03-10 04:23:09 UTC
File Type:
PE (Dll)
Extracted files:
5
AV detection:
20 of 28 (71.43%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wjildtfydfgodtginnfirplsph3iat5mtedvr2k5ea752hmx3tba._file
Verdict:
malicious
Label(s):
zloader
Create hunting rule
Similar samples:
0d1774171175d150cc859a71fc56cd6a8132c9c679d3bd5c7f065126ed2a071e
ZLoader
3f1f00054377124affd8fb24f61b9a670858cc44282ffcf0341907f9dbcf1d51
ZLoader
44ede6e1b9be1c013f13d82645f7a9cff7d92b267778f19b46aa5c1f7fa3c10b
ZLoader
481af12b4e027b76b68c817c3cb806291f52042d3b5dce2e9f073408f596e206
ZLoader
8895213de00492d3755473bdc57627cdd9d90189b043f2a3dc7ae948d589eb1d
ZLoader
959a3cd5e58c2bbbb4a5179e658f6193fd6cf8d5d5384b4e6dca12fa7cbc2c74
ZLoader
9ef6c5467fd80274e6a37e2883a5e83a894cf2148ce37bf0adb1e884acbc4c0b
ZLoader
a7f441793b5703b349ebb2509b6af1cdfdd8023d8e56f1f9a57b9d74e69bd9a9
ZLoader
b70f6b2942fcd266a4fed8283cea70f57fc07e2894d348260372aa56d9e17d1b
ZLoader
cbf6848b72b118e090953347982de71cfe1510dfdc4affdb1ee4d5d62af428d6
ZLoader
+ 5 additional samples on MalwareBazaar
Result
Malware family:
zloader
Create hunting rule
Score:
  10/10
Tags:
family:zloader botnet:googleaktualizacija campaign:googleaktualizacija2 botnet trojan
Link:
https://tria.ge/reports/210310-4tx9m5yfze/
Behaviour
Suspicious use of WriteProcessMemory
Zloader, Terdot, DELoader, ZeusSphinx
Malware Config
C2 Extraction:
https://iqowijsdakm.com/gate.php
https://wiewjdmkfjn.com/gate.php
https://dksaoidiakjd.com/gate.php
https://iweuiqjdakjd.com/gate.php
https://yuidskadjna.com/gate.php
https://olksmadnbdj.com/gate.php
https://odsakmdfnbs.com/gate.php
https://odsakjmdnhsaj.com/gate.php
https://odjdnhsaj.com/gate.php
https://odoishsaj.com/gate.php
Unpacked files
SH256 hash:
a2c9b387d6dd2c5998dac262b7a739f203a6eb37a890ab52c5f2046b23b02992
MD5 hash:
fe513cdd0f3792d70219c47e312b33b3
SHA1 hash:
6b7503e21b2ff405daffcee2a336e59da56ec1f8
Detections:
win_zloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/7f907b46-1195-4dbf-9729-90739a90abce/
SH256 hash:
b250b1ccb8194ce1ccc86b4a88bd7279f6804fac990758e95d203fdd1d97dcc2
MD5 hash:
7a4334c164c28530b28858559643c6b9
SHA1 hash:
ee3ebcb8b28702c50b0083db163ba5876f40f54c
Link:
https://www.unpac.me/results/7f907b46-1195-4dbf-9729-90739a90abce/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b250b1ccb8194ce1ccc86b4a88bd7279f6804fac990758e95d203fdd1d97dcc2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MAL_GoziCrypter_Dec20_1
Create hunting rule
Author:James Quinn
Description:Detects crypter associated with several Gozi samples
Reference:YaraExchange

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/nao_sec/status/1369595812016128004
anyrun
any.run
https://app.any.run/tasks/0d237acf-0d2e-4086-96d8-091433de163a
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/123586/

Comments


Avatar
Rony commented on 2021-03-11 17:45:14 UTC

CAPE Payload extraction: https://www.capesandbox.com/analysis/123851