MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd40fbd6619e2dff958bd5398b0c615921ffd28fe9410e933fe117bca2ed4f9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ZLoader

Vendor detections: 8

SHA256 hash: bd40fbd6619e2dff958bd5398b0c615921ffd28fe9410e933fe117bca2ed4f9c
SHA3-384 hash: 835b00df59be4646448e19a7ee4003337410586d2c35605767d87074c8ce358a8dd380abdb3f307d8bf5d5004d2af328
SHA1 hash: 1bc94b97c99c08ffc1f2849a2dfce60569ddbc71
MD5 hash: 116347dee5de17177b0e19cb2656d94d
humanhash: yellow-fourteen-queen-utah
File name: 116347dee5de17177b0e19cb2656d94d
Signature: ZLoader
File size: 376'833 bytes
First seen: 2021-02-25 14:46:17 UTC
Last seen: 2021-02-25 16:47:13 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: 3bbba5126b337863d1df27ba463579e3 (2 x ZLoader)
ssdeep: 6144:Oq0DP+KszP/GNG+GfBJx/3SDDrpXzA2IjGXnr7QIWxurFHQhroo+0t:OqMPQzGNeXSDh8S3r7QIrr61Vt
Threatray: 4 similar samples on MalwareBazaar
TLSH: 8384D012351BD8B3CBEC01786DD1EA99472CBFD46B9DA2A731C835AF38C7B454269231
Reporter: 0x746f6d6669
Tags: ZLoader

Intelligence

File Origin
# of uploads: 2
# of downloads: 172
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
- Sending a custom TCP request
- Sending a UDP request

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 52 / 100
Signature:
- Contains functionality to inject code into remote processes
- Machine Learning detection for dropped file
- Machine Learning detection for sample

Result
Threat name: Win32.Trojan.ZLoader
Status: Malicious
First seen: 2021-02-25 14:47:10 UTC
AV detection: 18 of 29 (62.07%)
Threat level: 5/5

Result
Malware family: zloader
Score: 10/10
Tags: family:zloader botnet:nut campaign:22/02 botnet trojan
Behaviour:
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Blocklisted process makes network request
- Zloader, Terdot, DELoader, ZeusSphinx
Malware Config
C2 Extraction:
https://sanfilippowholesale.ca/post.php
https://veprotech.com/post.php
https://globalgroots.com/post.php
https://silicontradewind.com/post.php
https://dhyanalingagranites.in/post.php
https://onushondhanbarta.com/post.php
https://avcity.in/post.php
https://docapiridelli.ml/post.php
Unpacked files
SHA256 hash: 0f681922b008c08435c4486bc9f14593e0c57885d8740017a438a52505d19469
MD5 hash: 2416be7dcb1f52a921f743db4521621d
SHA1 hash: 62fc55b143f0e4f7f2f9c4c15adacf372b55d196
SHA256 hash: bd40fbd6619e2dff958bd5398b0c615921ffd28fe9410e933fe117bca2ed4f9c
MD5 hash: 116347dee5de17177b0e19cb2656d94d
SHA1 hash: 1bc94b97c99c08ffc1f2849a2dfce60569ddbc71

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: crime_win32_zloader_a0
Author: Rony (@r0ny_123)
Description: Detects Zloader Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments