MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d20f5e6ff3b8af7d2adb395d2fc57b5c35343fc7b17865ccbbc66b66711a3b4c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Family: ZLoader
Vendor detections: 11



SHA256 hash: d20f5e6ff3b8af7d2adb395d2fc57b5c35343fc7b17865ccbbc66b66711a3b4c
SHA3-384 hash: 3f4cdbfb38fd691eeeda46f79d9167908155f4fd7074e5d8ca43ffdb9bd656f75b5e90b054e402ac67fb5461afe5ddea
SHA1 hash: 754cc1546ceafe9f62db188e214d5696aed609d5
MD5 hash: c6b02277b3dd7e0fd1133cf9290cdef6
humanhash: lake-hamper-network-juliet
File name: c6b02277b3dd7e0fd1133cf9290cdef6.dll
Signature: ZLoader
File size: 523'776 bytes
First seen: 2021-03-13 08:51:17 UTC
Last seen: 2021-03-13 10:31:36 UTC
File type: DLL (dll)
MIME type: application/x-dosexec
imphash: 526c03097d702c517788ebf793daedfb (1 x ZLoader)
ssdeep: 12288:HgxWUQ81t0b8dgw7CfBCc8KMbT77GhjoQEb/ruu3hN5Lq:ALFQ8mw7CFX+KoQQz/5L
Threatray: 4 similar samples on MalwareBazaar
TLSH: 29B44901B691C024F4B611B9DDAAE1FC962C7D91DF1484CB72C43FEFAA35AD1A83161B
Reporter: abuse_ch
Tags: dll, ZLoader

Intelligence


File Origin
# of uploads: 2
# of downloads: 259
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour
Sending a UDP request
Launching a process
Creating a file in the %AppData% subdirectories
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: ZLoader
Detection: malicious
Classification: troj.evad
Score: 92 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected ZLoader
Behaviour
Behavior Graph (the rendered graph is not reproduced here; the details recoverable from it are listed below):
Behavior Graph ID: 368257
Sample: SN97VW6vQh.dll
Start date: 13/03/2021
Architecture: WINDOWS
Score: 92
Root-level signatures: Found malware configuration; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 3 other signatures; one https node (unknown host)
Process tree:
loaddll32.exe
  regsvr32.exe (Writes to foreign memory regions; Allocates memory in foreign processes)
    msiexec.exe
  rundll32.exe (Contains functionality to inject code into remote processes)
    msiexec.exe
  cmd.exe
    iexplore.exe
      iexplore.exe
Network, msiexec.exe (under regsvr32.exe): kenthehafana.tk 104.21.13.142 port 443 (CLOUDFLARENETUS, United States); dazzlingnight.com 104.21.3.230 port 443 (CLOUDFLARENETUS, United States); 2 other IPs or domains
Network, child iexplore.exe: edge.gycpi.b.yahoodns.net 87.248.118.23 port 443 (YAHOO-DEBDE, United Kingdom); tls13.taboola.map.fastly.net 151.101.1.44 port 443 (FASTLYUS, United States); 10 other IPs or domains
Dropped file, msiexec.exe (under regsvr32.exe): C:\Users\user\AppData\Roamingpc\qiatu.dll (PE32)
Threat name: Win32.Trojan.Malrep
Status: Malicious
First seen: 2021-03-13 02:47:34 UTC
AV detection: 14 of 28 (50.00%)
Threat level: 5/5
Result
Malware family: zloader
Score: 10/10
Tags: family:zloader botnet:kev campaign:12/03 botnet trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Blocklisted process makes network request
Zloader, Terdot, DELoader, ZeusSphinx
Malware Config
C2 Extraction:
https://dazzlingnight.com/post.php
https://rylaconfxilo.tk/post.php
https://seaofsilver.com/post.php
https://kenthehafana.tk/post.php
Unpacked files
SHA256 hash: 871d68c290bc9bb81ad134f5eab2a35038f24d0b8835f3b96b0a7e27851745bd
MD5 hash: 3848b8d8d957751d29ce2fa5f0b834b3
SHA1 hash: 9275719f7f98aeaae46203134701dac8c3a573f6

SHA256 hash: d20f5e6ff3b8af7d2adb395d2fc57b5c35343fc7b17865ccbbc66b66711a3b4c
MD5 hash: c6b02277b3dd7e0fd1133cf9290cdef6
SHA1 hash: 754cc1546ceafe9f62db188e214d5696aed609d5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: crime_win32_zloader_a0
Author: Rony (@r0ny_123)
Description: Detects Zloader Payload

Rule name: Zloader
Author: kevoreilly
Description: Zloader Payload

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Malware family: ZLoader
File type: DLL (dll)
SHA256: d20f5e6ff3b8af7d2adb395d2fc57b5c35343fc7b17865ccbbc66b66711a3b4c (this sample)
