MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be3d1522f968ad7cc46a996a64b5e5be8044075f6bd1784046e46671bf416b45. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ZLoader


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be3d1522f968ad7cc46a996a64b5e5be8044075f6bd1784046e46671bf416b45
SHA3-384 hash: a51b64f14fbe5e1b21b2b0895d3c5a2bfe41c012071f465551d856e6ebf1062dc286531a6e0d054e9d7c0e63e4b0c49a
SHA1 hash: d1da2bb6a020462d5d7ac6301395e10d2acb6b17
MD5 hash: f500b424c560f00ccd993a46e4b9fcfa
humanhash: white-sweet-california-ink
File name:SecuriteInfo.com.Win32.Kryptik.HCXX.2664
Download: download sample
Signature ZLoader
Create hunting rule
File size:483'840 bytes
First seen:2020-04-25 01:55:09 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash b3010a68d5712ce0df006249937b2c0a (4 x ZLoader)
ssdeep 12288:zayK7dYtaR2FV9DAuuasxaunyIVTyMAzj:zxPta+jmnlVTIzj
Threatray 55 similar samples on MalwareBazaar
TLSH 7BA4BF113AA8C1FEE4A95536AD69D9FC8558BC71CF70A8933BD0BF0F76303D09624626
Reporter SecuriteInfoCom
Tags:ZLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/2537/
Detection(s):
SecuriteInfo.com.Win32.Kryptik.HCXX.2664.UNOFFICIAL
Create hunting rule

PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-04-24 23:09:58 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
23 of 31 (74.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xy6rkixzncwxzrdktfvgjnpfx2aeib27npixqqcg4rthdp2bnncq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
29bf6be1fa9e4b72bb9e2eeb8156ea1c03311d157d1bb28a0cea1328c6fd473d
ZLoader
2a214959e1a85a4d11444053d4262961ee29e2cc53c3f4ae8f1a59152e5d67f3
ZLoader
33ffacc3e517f4f1dad47f1ca28d26188e202d5e2e300e1e71bc0a57e682292a
ZLoader
75b24a04b7ddddd036a8e677061e2cd86bc74f147f4b59de463964476db5f003
ZLoader
81a9eb444ffc7c5a700d4da6198c2f929d0e312d38667b9d3e29740eccabca3f
ZLoader
8d5a770975e52ce1048534372207336f6cc657b43887daa49994e63e8d7f6ce1
ZLoader
92f61cc6548277705585cc0c28d553093323d802a1d0d2e9fe618ebeaa6752fa
ZLoader
d538dfafbdf6ac115c24dbdd68c65dbef6460808dd2c4f3fc01d5e15bfc2f902
ZLoader
edb9d542cbc5ab07fd52792e20294f82b51de49c3d32938cbd9b55b2374d2b55
ZLoader
fb55aa4029e826e42520861cc82a8db4a3568f1d2b5fe6f39d7bf870ec0005f9
ZLoader
+ 45 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ZLoader

DLL dll be3d1522f968ad7cc46a996a64b5e5be8044075f6bd1784046e46671bf416b45

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/350658/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/2537/
Cape
Cape
https://www.capesandbox.com/analysis/2535/
Cape
Cape
https://www.capesandbox.com/analysis/2532/
Cape
Cape
https://www.capesandbox.com/analysis/2531/
Cape
Cape
https://www.capesandbox.com/analysis/2528/
Cape
Cape
https://www.capesandbox.com/analysis/2526/
Cape
Cape
https://www.capesandbox.com/analysis/2521/
Cape
Cape
https://www.capesandbox.com/analysis/2520/
Cape
Cape
https://www.capesandbox.com/analysis/2519/
Cape
Cape
https://www.capesandbox.com/analysis/2518/
Cape
Cape
https://www.capesandbox.com/analysis/2517/
Cape
Cape
https://www.capesandbox.com/analysis/2515/
Cape
Cape
https://www.capesandbox.com/analysis/2514/
Cape
Cape
https://www.capesandbox.com/analysis/2200/
Cape
Cape
https://www.capesandbox.com/analysis/2199/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::InitializeSecurityDescriptor
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::SetSecurityDescriptorDacl
ADVAPI32.dll::SetSecurityDescriptorGroup
ADVAPI32.dll::SetSecurityDescriptorOwner
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
ADVAPI32.dll::OpenThreadToken
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_SVC_APICan Manipulate Windows ServicesADVAPI32.dll::OpenSCManagerA
ADVAPI32.dll::OpenServiceA
ADVAPI32.dll::QueryServiceStatus
ADVAPI32.dll::RegisterServiceCtrlHandlerA
ADVAPI32.dll::StartServiceCtrlDispatcherA

Comments