MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5a07a557082018c4b3526b12e681182d7e489ce22e90c2b4f68feae5f93d4d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ZLoader


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c5a07a557082018c4b3526b12e681182d7e489ce22e90c2b4f68feae5f93d4d0
SHA3-384 hash: 6861f1daab7e9efd38a202c5ff5c0f9ae8b242ebf6ffbcfa543d32e71807724c36a75a4f21d3ed88d043a68f74fb254f
SHA1 hash: ef34b6817e4142000cf512ed063fbc2beadf5be8
MD5 hash: 48f3bf2aad96b4893e873cf82d170f54
humanhash: double-eighteen-neptune-salami
File name:k.php
Download: download sample
Signature ZLoader
Create hunting rule
File size:567'808 bytes
First seen:2021-01-25 17:10:39 UTC
Last seen:2021-01-25 19:26:59 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 1f432667b3a5ad14b02771d5dafb2e70 (1 x ZLoader)
ssdeep 12288:2tzr0DpUmvlvY+Ac+zK4PRfuJIomSorou+9OoMkCK0kBjV:2NryzFn+z1I7omMkzDBR
Threatray 5 similar samples on MalwareBazaar
TLSH EDC46C01B6A09034F5BA22F459BEA5A8587DBCE11B65E4CB63C41AEF4534AF0FC31727
Reporter JasonMilletary
Tags:dll ZLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
231
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Zloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/113760/
Detection(s):
SecuriteInfo.com.Generic.mg.48f3bf2aad96b489.17462.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Launching a process
Sending a UDP request
Moving a recently created file
Creating a file in the %AppData% subdirectories
Creating a window
DNS request
Sending a custom TCP request
Changing a file
Creating a file in the system32 subdirectories
Possible injection to a system process
Unauthorized injection to a system process
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/589721
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c5a07a557082018c4b3526b12e681182d7e489ce22e90c2b4f68feae5f93d4d0/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ywqhuvlqqiayyszve2ys42arqll6jcooeluqyk2pnd7k4x4t2tia._file
Verdict:
malicious
Label(s):
zloader
Create hunting rule
gozi
Create hunting rule
Similar samples:
35466f0c22f220890b932e59f9a21032712e8260343d13ad4c0d9560db3b638f
ZLoader
4b0c5b4530a9218d6030a7040a10ea5be84ffa3696601732ee7212691521474f
ZLoader
5c0f9c9babc640a2578b1d3e8cacb60df32a0437ef3f9383d00ed88a7cef3a62
ZLoader
78c4bc3ae3153ba126c58e5cf86f254468c8ff422971ea3923502bfa3de8ad0b
ZLoader
d56060acb8115119810ae3aca151e94cbe5e2459dd405c8f010ced5a25c8548a
ZLoader
Result
Malware family:
zloader
Create hunting rule
Score:
  10/10
Tags:
family:zloader botnet:kev campaign:25/01 botnet trojan
Link:
https://tria.ge/reports/210125-kgb3swyhq2/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Blocklisted process makes network request
Zloader, Terdot, DELoader, ZeusSphinx
Malware Config
C2 Extraction:
https://sadnan.com/post.php
https://www.isds.com.my/post.php
https://nawirifarm.co.ke/post.php
https://dev01.perdiscoo.com/post.php
https://ingenieriaoasisdebc.com/post.php
https://brinitezcresan.gq/post.php
Unpacked files
SH256 hash:
ea450c3c3f692369652eba206e3cb2b6486ea61e86e0286e53ee778d4e3130cb
MD5 hash:
cf2a51ac455900ee18e6c658ae016ef3
SHA1 hash:
f098c89d82e65cb672417c4be593f7255b4689a8
Detections:
win_zloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/e5906269-53da-4a7c-a084-f23d405bba26/
SH256 hash:
c5a07a557082018c4b3526b12e681182d7e489ce22e90c2b4f68feae5f93d4d0
MD5 hash:
48f3bf2aad96b4893e873cf82d170f54
SHA1 hash:
ef34b6817e4142000cf512ed063fbc2beadf5be8
Link:
https://www.unpac.me/results/e5906269-53da-4a7c-a084-f23d405bba26/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c5a07a557082018c4b3526b12e681182d7e489ce22e90c2b4f68feae5f93d4d0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_zloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/113760/

Comments