MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2ef6a86983e15d0f70e5941b79d03419d4c7bcd4b1c58223f6b8334ed800deb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ZhongStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 8 File information Comments

SHA256 hash: b2ef6a86983e15d0f70e5941b79d03419d4c7bcd4b1c58223f6b8334ed800deb
SHA3-384 hash: 73118c7d9b02f576e289ce981cbd0905fa25da9a8016658f31c966bb1343a7e142e8b1ed890e759ee14c5e89a1803ed4
SHA1 hash: 30fa0d96860adc4443d9e3d4a9e800046ad35d63
MD5 hash: baaf52a5ba4b0639cce2ee4918b6da16
humanhash: spring-michigan-florida-item
File name:BusinessDataProcessor.exe
Download: download sample
Signature ZhongStealer
File size:42'032 bytes
First seen:2025-11-29 15:35:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'081 x AgentTesla, 20'056 x Formbook, 12'353 x SnakeKeylogger)
ssdeep 768:BkcjrTL3kj6DMaoQVd0CvkGg1Asl/scCldedtpL38tNbJ82ADaEVXiNi:BkcvTLjoU/rs4devpL38tlJ8teEgNi
TLSH T15F136D096A7C8F27CE5E6A7E94A232071BB6C317E157F70F5C9885A915C73C0D7102EA
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter SquiblydooBlog
Tags:exe ZhongStealer

Intelligence


File Origin
# of uploads :
1
# of downloads :
116
Origin country :
US US
Vendor Threat Intelligence
Malware configuration found for:
EAZfuscator
Details
EAZfuscator
decrypted strings
Malware family:
n/a
ID:
1
File name:
BusinessDataProcessor.exe
Verdict:
Malicious activity
Analysis date:
2025-11-29 15:37:41 UTC
Tags:
anti-evasion stealer zhong auto-reg delphi

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
90.9%
Tags:
emotet micro blic remo
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Connection attempt
Searching for synchronization primitives
Creating a window
Launching a service
Launching a process
Using the Windows Management Instrumentation requests
DNS request
Sending a custom TCP request
Creating a file
Creating a process from a recently created file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
base64 eazfuscator obfuscated obfuscated packed reconnaissance signed
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-29T08:06:00Z UTC
Last seen:
2025-12-01T08:09:00Z UTC
Hits:
~100
Detections:
Trojan-PSW.MSIL.Typhon.o
Verdict:
inconclusive
YARA:
12 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.40 Win 32 Exe x86
Threat name:
Win32.Dropper.Generic
Status:
Suspicious
First seen:
2025-11-29 12:51:24 UTC
AV detection:
2 of 38 (5.26%)
Threat level:
  3/5
Result
Malware family:
zhongstealer
Score:
  10/10
Tags:
family:zhongstealer discovery persistence stealer
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Detects ZhongStealer
ZhongStealer
Zhongstealer family
Unpacked files
SH256 hash:
b2ef6a86983e15d0f70e5941b79d03419d4c7bcd4b1c58223f6b8334ed800deb
MD5 hash:
baaf52a5ba4b0639cce2ee4918b6da16
SHA1 hash:
30fa0d96860adc4443d9e3d4a9e800046ad35d63
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments