MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4e5ea6e804aee0817c61b11e1ed009f649ff37d30bafa7056bf82d45e83f44d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ZLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d4e5ea6e804aee0817c61b11e1ed009f649ff37d30bafa7056bf82d45e83f44d
SHA3-384 hash: a1da476508f2d0496794b0aa7b319526b6eb090bc1d03316ea66456a30f02c70e08209ce81886fd5c35ef2ad92a4f114
SHA1 hash: 1fe09821917e0d6d07b233e7264bdc235dc2f52b
MD5 hash: 57054d13b876e70a99b6b9510568ed3e
humanhash: network-fix-lake-tennessee
File name:9095.exe
Download: download sample
Signature ZLoader
Create hunting rule
File size:155'648 bytes
First seen:2022-01-06 10:53:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f26f5bea701561745dea20a33c88cd5f (2 x ZLoader, 1 x Gozi)
ssdeep 3072:H29+hIl2epp1z5GWp1icKAArDZz4N9GhbkrNEk1Hz:WwAlp0yN90QEQ
Threatray 248 similar samples on MalwareBazaar
TLSH T172E3AE52A3E400B6E4BA57B499F706835A31BCA19F7883EF2395D55E0E336C0E932357
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter JoulK
Tags:exe ZLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
283
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9095.exe
Verdict:
No threats detected
Analysis date:
2022-01-06 10:56:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e368ef52-4db6-4187-bc1e-9c8892bb3e97

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/217546/
Detection(s):
SecuriteInfo.com.Trojan.Encoder.29362.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %AppData% directory
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/61d6ca4f135d97804c0f353a/reports/6344088e-7c62-4724-bfb8-7cb01172e3d1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/72cb9fb7-b436-413e-b43d-f0f0e86edf98
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/916253
Signature
Antivirus detection for URL or domain
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 548732 Sample: 9095.exe Startdate: 06/01/2022 Architecture: WINDOWS Score: 80 24 Multi AV Scanner detection for domain / URL 2->24 26 Antivirus detection for URL or domain 2->26 28 Multi AV Scanner detection for dropped file 2->28 30 2 other signatures 2->30 7 9095.exe 1 3 2->7         started        9 rundll32.exe 2->9         started        process3 process4 11 cmd.exe 1 7->11         started        process5 13 powershell.exe 14 18 11->13         started        18 conhost.exe 11->18         started        dnsIp6 22 teamworks455.com 134.0.117.16, 443, 49724 AS-REGRU Russian Federation 13->22 20 C:\Users\user\AppData\Roaming\9095.dll, MS-DOS 13->20 dropped 32 Powershell drops PE file 13->32 file7 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d4e5ea6e804aee0817c61b11e1ed009f649ff37d30bafa7056bf82d45e83f44d/
Threat name:
Win64.Trojan.ZLoader
Create hunting rule
Status:
Malicious
First seen:
2022-01-05 17:44:35 UTC
File Type:
PE+ (Exe)
Extracted files:
36
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
067e76900265c87d66a44f765bb720bd310e52181badf19efd63f30210f62001
ZLoader
26f356831f0c6b818a25114e232966ed68586c583128850b8680abdb860862fd
ZLoader
3d030fbfbe328bc4f276d565854f89189094ddb46dc1c6d36e8e9a438227279f
ZLoader
46802842ff967e3810af08e372b0f969de57f2ed826498398c5367525fec0bc9
ZLoader
590e531489556cfb9de022bc52bce2489c3609e693209c59fdce5698c6fc0be3
ZLoader
5f5d1f324ed8dc18d76f200a176d40ab2ae48e336f33c2f7b5d047d682f3260a
ZLoader
a3fa04d27872b1fea175ee7ca2665ee3b8384db4b6a93f8015cc47e6dddf757d
ZLoader
b69638517ea368465f93cdea93c7daa7941a1ee21409ce471159b88a64f05bf6
ZLoader
eb6b810f2cb85c0a1a028c53e4c346b3ec7601d1853758c3b8ce56eac6f96be8
ZLoader
+ 238 additional samples on MalwareBazaar
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb botnet:9095 banker persistence suricata trojan
Link:
https://tria.ge/reports/220106-mzj71abeem/
Behaviour
Runs net.exe
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Discovers systems in the same network
Enumerates processes with tasklist
Gathers system information
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Gozi, Gozi IFSB
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
Malware Config
C2 Extraction:
http://google.mail.com
http://392184281.com
http://592182812.com
https://392184281.com
https://592182812.com
http://google.login.com
https://194.67.90.217
https://134.0.118.44
https://134.0.119.89
http://194.67.90.217
http://134.0.118.44
http://134.0.119.89
iudsahbnmddsa.com
siadujhdnmasg.com
idsaujhdndkwq.com
Unpacked files
SH256 hash:
d4e5ea6e804aee0817c61b11e1ed009f649ff37d30bafa7056bf82d45e83f44d
MD5 hash:
57054d13b876e70a99b6b9510568ed3e
SHA1 hash:
1fe09821917e0d6d07b233e7264bdc235dc2f52b
Link:
https://www.unpac.me/results/37ec2c36-e5e4-4869-a160-88017b6d9c45/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d4e5ea6e804aee0817c61b11e1ed009f649ff37d30bafa7056bf82d45e83f44d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/217546/

Comments