MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbf6848b72b118e090953347982de71cfe1510dfdc4affdb1ee4d5d62af428d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ZLoader

Vendor detections: 8

SHA256 hash: cbf6848b72b118e090953347982de71cfe1510dfdc4affdb1ee4d5d62af428d6
SHA3-384 hash: d180ce0735e5944dd1ce536ad159baf43c2cff49d848d108e83fcf13d34b977a7cfce8f540405366cda7b7b615e3fd22
SHA1 hash: 36d0b1172673405a7d144a1a34841e794cea9e5a
MD5 hash: d657bd947fecdb34e989349b6f72daac
humanhash: arkansas-enemy-music-tango
File name: microsoft_shared.tmp
Signature: ZLoader
File size: 588'632 bytes
First seen: 2020-12-05 12:16:07 UTC
Last seen: 2021-06-15 06:20:25 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: e17c7e3fa7189a6c1d0d2d15de68dde9 (1 x ZLoader)
ssdeep: 3072:ocAZRRjYUoyi1f3OkOpO2jRve3uwoY+ZsGMpRpxjsoJlERTv6UNonpwfHYToG7L:oNTGOvRvEuPtZsGMpRpxoo0cnpwgT7L
Threatray: 59 similar samples on MalwareBazaar
TLSH: B9C41EC9E76767B0E8D08E793146CC82AED57694F8AC21D8E70609BDCFF934201C576A
Reporter: nao_sec
Tags: Malsmoke ZLoader

Intelligence
File Origin
# of uploads: 3
# of downloads: 357
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Delayed writing of the file
Delayed reading of the file
Sending a UDP request
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 52 / 100
Signature
Creates autostart registry keys with suspicious values (likely registry only malware)
Machine Learning detection for dropped file
Machine Learning detection for sample
Behaviour
Behavior Graph ID: 327220
Sample: microsoft_shared.tmp
Start date: 05/12/2020
Architecture: WINDOWS
Score: 52
Top-level signatures: Machine Learning detection for sample; Machine Learning detection for dropped file
Process tree (recovered from the behavior graph):
  loaddll32.exe (started)
    msiexec.exe (started)
      contacts yuidskadjna.com, wiewjdmkfjn.com and 3 other IPs or domains
      drops C:\Users\user\AppData\Roaming\...\sareiz.dll (PE32)
      signature: Creates autostart registry keys with suspicious values (likely registry only malware)
  regsvr32.exe (started)
    regsvr32.exe (started)
  regsvr32.exe (started)
    regsvr32.exe (started)
Threat name: Win32.Trojan.Wacatac
Status: Malicious
First seen: 2020-12-05 12:17:05 UTC
AV detection: 19 of 28 (67.86%)
Threat level: 5/5

Result
Malware family: zloader
Score: 10/10
Tags: family:zloader botnet:personal campaign:personal botnet trojan
Behaviour
Suspicious use of WriteProcessMemory
Zloader, Terdot, DELoader, ZeusSphinx
Malware Config
C2 Extraction:
https://iqowijsdakm.com/gate.php
https://wiewjdmkfjn.com/gate.php
https://dksaoidiakjd.com/gate.php
https://iweuiqjdakjd.com/gate.php
https://yuidskadjna.com/gate.php
https://olksmadnbdj.com/gate.php
https://odsakmdfnbs.com/gate.php
https://odsakjmdnhsaj.com/gate.php
https://odjdnhsaj.com/gate.php
https://odoishsaj.com/gate.php
Unpacked files
SHA256 hash: f8c884a77e730bc8f28e2bf02191366c7149b04afd254c252dfd61855ef290f2
MD5 hash: e506d676019a74b45336068301e61ec2
SHA1 hash: ba7d0c1716ad86feecf6f8fa1b2d0c45e1d1cf03
Detections: win_zloader_auto

SHA256 hash: cbf6848b72b118e090953347982de71cfe1510dfdc4affdb1ee4d5d62af428d6
MD5 hash: d657bd947fecdb34e989349b6f72daac
SHA1 hash: 36d0b1172673405a7d144a1a34841e794cea9e5a
Please note that we are no longer able to provide a coverage score for Virus Total.

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Comments