MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b70f6b2942fcd266a4fed8283cea70f57fc07e2894d348260372aa56d9e17d1b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ZLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b70f6b2942fcd266a4fed8283cea70f57fc07e2894d348260372aa56d9e17d1b
SHA3-384 hash: 04648e0918f21d8ddcba7e7ceb93595f9b2e167a30562e00fbda940036c744c54d51cc08555e42e78d5ba3fbd72bd9ed
SHA1 hash: 262b0c8053de8194137e041a2d9802f3f266ad3c
MD5 hash: f40fa873364ee354a88fec7ae1b4a804
humanhash: virginia-wolfram-saturn-stairway
File name:microsoft_shared.tmp
Download: download sample
Signature ZLoader
Create hunting rule
File size:364'600 bytes
First seen:2021-03-07 14:38:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ea03d830762702d2f636cc18eb913af (1 x ZLoader)
ssdeep 6144:38A7E/PzpKXRM5gsmIFTCndcpoPtKy6801lqKf0S:38sgpfmIVia2Kvlnfv
Threatray 13 similar samples on MalwareBazaar
TLSH A27484436263CE71D15672B3C88B3D553EDEE6B6C7FF43E684CA866D642309A52C8309
Reporter nao_sec
Tags:Malsmoke ZLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
microsoft_shared.tmp
Verdict:
Malicious activity
Analysis date:
2021-03-07 14:39:50 UTC
Tags:
loader
Link:
https://app.any.run/tasks/df163379-1b27-474f-8529-6a3ac567eff5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/122692/
Detection(s):
SecuriteInfo.com.ArtemisF40FA873364E.25717.27709.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Creating a file in the %temp% directory
Delayed reading of the file
Delayed writing of the file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/630622
Signature
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 364280 Sample: microsoft_shared.tmp Startdate: 07/03/2021 Architecture: WINDOWS Score: 52 27 Multi AV Scanner detection for submitted file 2->27 29 PE file has a writeable .text section 2->29 8 loaddll32.exe 1 2->8         started        process3 process4 10 cmd.exe 1 8->10         started        12 regsvr32.exe 8->12         started        14 rundll32.exe 1 8->14         started        process5 16 iexplore.exe 1 75 10->16         started        process6 18 iexplore.exe 153 16->18         started        dnsIp7 21 edge.gycpi.b.yahoodns.net 87.248.118.22, 443, 49751, 49752 YAHOO-DEBDE United Kingdom 18->21 23 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49745, 49746 FASTLYUS United States 18->23 25 10 other IPs or domains 18->25
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b70f6b2942fcd266a4fed8283cea70f57fc07e2894d348260372aa56d9e17d1b/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2021-03-03 03:36:48 UTC
AV detection:
19 of 27 (70.37%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
zloader
Create hunting rule
Similar samples:
2aad576a107cd5cb031c13a85f8403a3b0e377a608a1af77f6e5607295bd54eb
ZLoader
35375028a2cc4876b5a8476876ad75a037b8c4e303589ce6e9d9c61aaba9f74c
ZLoader
3f1f00054377124affd8fb24f61b9a670858cc44282ffcf0341907f9dbcf1d51
ZLoader
44ede6e1b9be1c013f13d82645f7a9cff7d92b267778f19b46aa5c1f7fa3c10b
ZLoader
481af12b4e027b76b68c817c3cb806291f52042d3b5dce2e9f073408f596e206
ZLoader
8895213de00492d3755473bdc57627cdd9d90189b043f2a3dc7ae948d589eb1d
ZLoader
89e83ef4b109f38ef1f9d8dd2ab6005426e2f24c5cf106717af3eb2bdb69c78e
ZLoader
959a3cd5e58c2bbbb4a5179e658f6193fd6cf8d5d5384b4e6dca12fa7cbc2c74
ZLoader
a7f441793b5703b349ebb2509b6af1cdfdd8023d8e56f1f9a57b9d74e69bd9a9
ZLoader
cbf6848b72b118e090953347982de71cfe1510dfdc4affdb1ee4d5d62af428d6
ZLoader
+ 3 additional samples on MalwareBazaar
Result
Malware family:
zloader
Create hunting rule
Score:
  10/10
Tags:
family:zloader botnet:googleaktualizacija campaign:googleaktualizacija2 botnet trojan
Link:
https://tria.ge/reports/210307-xm6ye13gk2/
Behaviour
Suspicious use of WriteProcessMemory
Zloader, Terdot, DELoader, ZeusSphinx
Malware Config
C2 Extraction:
https://iqowijsdakm.com/gate.php
https://wiewjdmkfjn.com/gate.php
https://dksaoidiakjd.com/gate.php
https://iweuiqjdakjd.com/gate.php
https://yuidskadjna.com/gate.php
https://olksmadnbdj.com/gate.php
https://odsakmdfnbs.com/gate.php
https://odsakjmdnhsaj.com/gate.php
https://odjdnhsaj.com/gate.php
https://odoishsaj.com/gate.php
Unpacked files
SH256 hash:
872b04f3ae5dca4938c531d11387fa98e63f08db3965846f7d35169800950b04
MD5 hash:
4299739272e783c720c162a1f3f79795
SHA1 hash:
6cbf109bc923bb761d9adef6af3304f352a61c02
Detections:
win_zloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/bc11950f-a6f9-49df-96dd-8bae942c3e71/
SH256 hash:
b70f6b2942fcd266a4fed8283cea70f57fc07e2894d348260372aa56d9e17d1b
MD5 hash:
f40fa873364ee354a88fec7ae1b4a804
SHA1 hash:
262b0c8053de8194137e041a2d9802f3f266ad3c
Link:
https://www.unpac.me/results/bc11950f-a6f9-49df-96dd-8bae942c3e71/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/b70f6b2942fcd266a4fed8283cea70f57fc07e2894d348260372aa56d9e17d1b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/122692/

Comments


Avatar
Rony commented on 2021-03-11 18:23:22 UTC

CAPE Payload extraction: https://www.capesandbox.com/analysis/123860/