MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb12afe158fd7f4236a98c7c6b686dfe9838c3d986c28b593a54303c68534661. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ZLoader

Vendor detections: 8

SHA256 hash: eb12afe158fd7f4236a98c7c6b686dfe9838c3d986c28b593a54303c68534661
SHA3-384 hash: e2bb73dd36f331fc23faa76faded5f59eb092b3553b1b0bec89b01f68d18f90e5d45c69b65c51ff217cd997f3b251009
SHA1 hash: c9fb3583b403cc8ed0186971ee300629fd91525f
MD5 hash: 7a75045c4c927433aa7258833355c403
humanhash: dakota-zulu-connecticut-low
File name: microsoft_shared.tmp
Signature: ZLoader
File size: 702'976 bytes
First seen: 2021-03-13 09:21:05 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3270301df12191e4dfc4c9d0eb2d1947 (1 x ZLoader)
ssdeep: 12288:0NDB93QD1JISFzb+0KBSWxmUNlho76bfRi/oe:0NV9AJ6SjQFrZmo
Threatray: 4 similar samples on MalwareBazaar
TLSH: F9E46D52EA58C045D5894C72C4A7CEF1221BBC11C99C1E97F5FC3F1EFA713A1A932A89
Reporter: nao_sec
Tags: Malsmoke ZLoader

Intelligence

File Origin
# of uploads: 1
# of downloads: 332
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: https://pornohdmovie.com/be/
Verdict: Malicious activity
Analysis date: 2021-03-13 08:56:09 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Delayed reading of the file
Delayed writing of the file
Sending a UDP request
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: suspicious
Classification: n/a
Score: 28 / 100
Signature: Machine Learning detection for sample
Behaviour
Behavior Graph (ID 368283; sample microsoft_shared.tmp; start date 13/03/2021; architecture WINDOWS; score 28):
Signature triggered: Machine Learning detection for sample.
loaddll32.exe starts cmd.exe, regsvr32.exe and rundll32.exe.
cmd.exe starts iexplore.exe, which contacts 192.168.2.1 and starts a second iexplore.exe.
The second iexplore.exe contacts tls13.taboola.map.fastly.net (151.101.1.44, port 443, FASTLYUS, United States), geolocation.onetrust.com (104.20.184.68, port 443, CLOUDFLARENETUS, United States) and 8 other IPs or domains.
Result
Malware family: zloader
Score: 10/10
Tags: family:zloader botnet:personal campaign:personal botnet trojan
Behaviour
Suspicious use of WriteProcessMemory
Zloader, Terdot, DELoader, ZeusSphinx
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: dfdfabab616941dfe08120209beb8919b596916ee3b924ddf2c9aa5da28e2619
MD5 hash: 528510d78d1f04b75de4e39abcb1a45f
SHA1 hash: a31142eb453fa6c43b7a6155b04099fd2ce99c86
Detections: win_zloader_auto
SHA256 hash: eb12afe158fd7f4236a98c7c6b686dfe9838c3d986c28b593a54303c68534661
MD5 hash: 7a75045c4c927433aa7258833355c403
SHA1 hash: c9fb3583b403cc8ed0186971ee300629fd91525f
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: ZLoader
File: Executable exe eb12afe158fd7f4236a98c7c6b686dfe9838c3d986c28b593a54303c68534661 (this sample)

Comments