MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d56060acb8115119810ae3aca151e94cbe5e2459dd405c8f010ced5a25c8548a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ZLoader


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d56060acb8115119810ae3aca151e94cbe5e2459dd405c8f010ced5a25c8548a
SHA3-384 hash: a79faa9b27d6b8a56cffece5e3b9dd648e86c53f0fea35754158704525f2fa69e988860d5f7fe19f23fbdc84e25a7ca5
SHA1 hash: ac4ab65b40593943530368a2b953e5a493e5c31b
MD5 hash: d32908e4d32c94a8781f21ce2626dc13
humanhash: neptune-monkey-stairway-michigan
File name:niotb.dll
Download: download sample
Signature ZLoader
Create hunting rule
File size:649'216 bytes
First seen:2021-01-20 17:11:04 UTC
Last seen:2021-01-21 17:34:04 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 40970ee1e995b7171284d137b643ae22 (1 x ZLoader)
ssdeep 12288:5r6f8CHEiHWYw3cVDL6doUkxrzIOJYjL8VyUE:5GfXKYw3chWaBJCLzN
Threatray 3 similar samples on MalwareBazaar
TLSH E1D4CF11EA90E03CF6BE0275497BD96946397D10477CE8CB32DAAD8F19646E1F836382
Reporter ffforward
Tags:dll ZLoader

Intelligence

File Origin
# of uploads :
3
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/113175/
Detection(s):
SecuriteInfo.com.Generic.mg.d32908e4d32c94a8.24317.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/586472
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Multi AV Scanner detection for submitted file
Sigma detected: Control Panel Items
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d56060acb8115119810ae3aca151e94cbe5e2459dd405c8f010ced5a25c8548a/
Threat name:
Win32.Trojan.ZLoader
Create hunting rule
Status:
Malicious
First seen:
2021-01-20 17:12:05 UTC
AV detection:
9 of 28 (32.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2vqgblfycfirtaik4owkcupjjs7f4jcz3vafzdybbtwvujoiksfa._file
Verdict:
malicious
Label(s):
zloader
Create hunting rule
Similar samples:
35466f0c22f220890b932e59f9a21032712e8260343d13ad4c0d9560db3b638f
ZLoader
4b0c5b4530a9218d6030a7040a10ea5be84ffa3696601732ee7212691521474f
ZLoader
78c4bc3ae3153ba126c58e5cf86f254468c8ff422971ea3923502bfa3de8ad0b
ZLoader
Result
Malware family:
zloader
Create hunting rule
Score:
  10/10
Tags:
family:zloader botnet:kiv campaign:20/01 botnet trojan
Link:
https://tria.ge/reports/210120-ajghac8dxs/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Blocklisted process makes network request
Zloader, Terdot, DELoader, ZeusSphinx
Malware Config
C2 Extraction:
https://actes-etatcivil.com/post.php
https://ankarakreatif.com/post.php
https://www.ramazanyildiz.net/post.php
https://hispaniaeng.com/post.php
https://www.ifdd.francophonie.org/post.php
https://tiodeitidampheater.tk/post.php
Unpacked files
SH256 hash:
b3794fb79e7a306cb203876f9de01e99b6f76f061a87a10d9505224488be8a50
MD5 hash:
255340e4991ddcb0eaa5f5325290bb77
SHA1 hash:
0c4aed5965d4804302f1ec73d392ebd4baf2671c
Detections:
win_zloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/59cdd31c-aefc-4248-a7e2-2f8c1244d281/
SH256 hash:
d56060acb8115119810ae3aca151e94cbe5e2459dd405c8f010ced5a25c8548a
MD5 hash:
d32908e4d32c94a8781f21ce2626dc13
SHA1 hash:
ac4ab65b40593943530368a2b953e5a493e5c31b
Link:
https://www.unpac.me/results/59cdd31c-aefc-4248-a7e2-2f8c1244d281/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d56060acb8115119810ae3aca151e94cbe5e2459dd405c8f010ced5a25c8548a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_zloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ZLoader

Word file docm 91aa050536d834947709776af40c2fde49471d28231de50df0d324cd55101df4

ZLoader

Excel file xlsx 52d071922413a3be8815a76118a45bf13d8d323b73ba42377591fd68c59dfc89

ZLoader

DLL dll d56060acb8115119810ae3aca151e94cbe5e2459dd405c8f010ced5a25c8548a

(this sample)

  
Link
https://tria.ge/210120-d9qhz713sa
  
URLhaus
https://urlhaus.abuse.ch/url/972498/
  
Dropped by
SHA256 52d071922413a3be8815a76118a45bf13d8d323b73ba42377591fd68c59dfc89
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/113175/
  
URLhaus
https://urlhaus.abuse.ch/url/972497/

Comments