MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec9668cae1c65020021d2c633b68286944f1e6b1ddf5183d40ef823607e29cba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: ec9668cae1c65020021d2c633b68286944f1e6b1ddf5183d40ef823607e29cba
SHA3-384 hash: 8c740d616dbdcfd2f5ee6a30070ee1a1602179b858258492f52883961d3d549933c56851b7e54f93058e8ab5e120903f
SHA1 hash: 46ddf35b6ad2596d0fc666701fac599bc1f7b534
MD5 hash: 06cbf262293eb6689ce5d2e61c494f7a
humanhash: mobile-fanta-violet-table
File name: zloader 2_1.1.19.0.vir
Signature: ZLoader
File size: 286'720 bytes
First seen: 2020-07-19 19:26:16 UTC
Last seen: Never
File type: dll
MIME type: application/x-dosexec
imphash: bd41a0766190615f7dee2a4107350f40
ssdeep: 6144:bdmrpMj8x8kqJecJqlUsQ2LN1AN4ygJl3prO7B/N8hLQlpq2jJt:B+78ks7Jq2sQ2LN1sQl5rO1yAcw
TLSH: 0554F131FA88B978D4541A788D34D6E198247C80CF70858B7BFB3E9FBA3D5844D64B26
Reporter: @tildedennis
Tags: ZLoader zloader 2


Twitter
@tildedennis
zloader 2 version 1.1.19.0

Intelligence


File Origin
# of uploads: 1
# of downloads: 17
Origin country: FR
Mail intelligence: No data

Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour:
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data

Result
Threat name: ZLoader
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Behaviour
Behavior Graph:
Behavior Graph ID 247291 (sample: zloader 2_1.1.19.0.vir; start date: 20/07/2020; architecture: WINDOWS; score: 100). Signatures on the root node: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 4 other signatures. Process tree: loaddll32.exe and two rundll32.exe instances start from the sample, each spawning further rundll32.exe processes; one of the rundll32.exe children (flagged: Contains functionality to inject code into remote processes; Writes to foreign memory regions; Allocates memory in foreign processes) starts msiexec.exe, which contacts dhteijwrb.host and drops C:\Users\user\AppData\...\apoffozy.dll (PE32). Network nodes in the graph: dhteijwrb.host, aquolepp.pw, and 1.1.19.0 (CLOUDFLARENETUS, China) contacted by loaddll32.exe.
Threat name: Win32.Trojan.Com
Status: Malicious
First seen: 2020-03-14 02:05:57 UTC
AV detection: 21 of 31 (67.74%)
Threat level: 2/5

Result
Malware family: zloader
Score: 10/10
Tags: trojan botnet family:zloader persistence
Behaviour:
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Zloader, Terdot, DELoader, ZeusSphinx
Malware Config
Extraction: https://aquolepp.pw/milagrecf.php
Threat name: Unknown
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments