MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4601ce15ad7bca4617ad033f129a5d507f8e55b979c97a78cf31a6f501cb046. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ZLoader

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	e4601ce15ad7bca4617ad033f129a5d507f8e55b979c97a78cf31a6f501cb046
SHA3-384 hash:	7f520f3d4313c1ff123156fa9dfdf2546f76df2ad46f65bab863b19bab04aee5a6171d744a34c6483341314b4fac0e91
SHA1 hash:	272dd9e87d63083f6b380286e3e74bb0acbfe582
MD5 hash:	9eb0a367c3c42454dc64174adaa3370a
humanhash:	vermont-friend-lion-pizza
File name:	SecuriteInfo.com.Generic.mg.9eb0a367c3c42454.18863
Download:	download sample
Signature	ZLoader Create hunting rule
File size:	372'736 bytes
First seen:	2020-04-09 17:53:44 UTC
Last seen:	2020-07-19 19:39:52 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	2577f2cf193fc75add086dfe65bc3c0d (3 x ZLoader)
ssdeep	6144:gzAILNLdvVA988yVzjtSYnYwNcE2mzWHRYLk1KZELZkwhg2x9xbYn4g2zlw:gLZ6lyVJnZNjzW9wZELOqc4g
Threatray	45 similar samples on MalwareBazaar
TLSH	848402283FA78073D802D97992E603E56E7D58C32AB94457AFD4EEDC7274CD912293B0
Reporter	SecuriteInfoCom
Tags:	ZLoader

Intelligence

File Origin

# of uploads :

# of downloads :

104

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Generic.mg.9eb0a367c3c42454.18863.UNOFFICIAL

PUA.Win.Downloader.Aiis-6803892-0

Gathering data

Threat name:

Win32.Trojan.Zload

Status:

Malicious

First seen:

2020-04-09 16:04:36 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

23 of 31 (74.19%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4rqbzyk2266kiyl22az7cknf2ud7rzk3s6ojpj4m6mng6ua4wbda._file

Verdict:

malicious

Label(s):

zloader

gozi

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ZLoader

DLL dll e4601ce15ad7bca4617ad033f129a5d507f8e55b979c97a78cf31a6f501cb046

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/337196/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::AllocateAndInitializeSid ADVAPI32.dll::FreeSid ADVAPI32.dll::InitializeSecurityDescriptor
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::SetSecurityDescriptorDacl ADVAPI32.dll::SetSecurityDescriptorGroup ADVAPI32.dll::SetSecurityDescriptorOwner
WIN32_PROCESS_API	Can Create Process and Threads	ADVAPI32.dll::OpenProcessToken ADVAPI32.dll::OpenThreadToken KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetStartupInfoA KERNEL32.dll::GetCommandLineA
WIN_BASE_USER_API	Retrieves Account Information	ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExA ADVAPI32.dll::RegDeleteKeyA ADVAPI32.dll::RegOpenKeyA ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegQueryValueExA ADVAPI32.dll::RegSetValueExA
WIN_SVC_API	Can Manipulate Windows Services	ADVAPI32.dll::OpenSCManagerA ADVAPI32.dll::OpenServiceA ADVAPI32.dll::QueryServiceStatus ADVAPI32.dll::RegisterServiceCtrlHandlerA ADVAPI32.dll::StartServiceCtrlDispatcherA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample