MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1b22c0b6c144d82a0e470b2c6a649135a4f212ade39c8135e0273ec100ff34c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ZLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1b22c0b6c144d82a0e470b2c6a649135a4f212ade39c8135e0273ec100ff34c
SHA3-384 hash: 20a3ab6bb364598634b255e26f9a390242e1c975527ec002479c2c871349a9f4c52c17cc9b29d0e87d5fe13e24e3e9cd
SHA1 hash: 8a2da6f5d328fb74a81cb27ae11ae8a38b90c94a
MD5 hash: df6e9f773d2aa38d0c17081208ac1aa6
humanhash: stairway-romeo-carpet-india
File name:1386953.dll
Download: download sample
Signature ZLoader
Create hunting rule
File size:452'664 bytes
First seen:2021-03-20 02:36:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 03f69f5025d3e57877e7a31083a76630 (1 x ZLoader)
ssdeep 12288:qku5MDgs59bjz7nu8yQlt6HjdsYy909M:qku5MDgs59r7nu8yiYymM
Threatray 69 similar samples on MalwareBazaar
TLSH F7A4AE729E7BE035DA62883044FB67D35ABB797124FCF1933E0719319638693DBA1608
Reporter nao_sec
Tags:SpelevoEK ZLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
242
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1386953.exe
Verdict:
Malicious activity
Analysis date:
2021-03-20 02:20:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5c40262f-0340-4016-bba1-53cbf64ff501

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Zloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/125737/
Detection(s):
SecuriteInfo.com.Mal.Generic-S.13201.6108.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Delayed reading of the file
Delayed writing of the file
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/28fdbf11-f3ee-4ea3-b9eb-0f8158155644
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/646711
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 372323 Sample: 1386953.dll Startdate: 20/03/2021 Architecture: WINDOWS Score: 56 27 Multi AV Scanner detection for submitted file 2->27 29 Machine Learning detection for sample 2->29 31 PE file has a writeable .text section 2->31 8 loaddll32.exe 1 2->8         started        process3 process4 10 cmd.exe 1 8->10         started        12 rundll32.exe 1 8->12         started        14 regsvr32.exe 8->14         started        process5 16 iexplore.exe 2 83 10->16         started        process6 18 iexplore.exe 5 155 16->18         started        dnsIp7 21 edge.gycpi.b.yahoodns.net 87.248.118.23, 443, 49737, 49738 YAHOO-DEBDE United Kingdom 18->21 23 prod.appnexus.map.fastly.net 151.101.1.108, 443, 49743, 49744 FASTLYUS United States 18->23 25 12 other IPs or domains 18->25
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f1b22c0b6c144d82a0e470b2c6a649135a4f212ade39c8135e0273ec100ff34c/
Threat name:
Win32.Downloader.ZLoader
Create hunting rule
Status:
Malicious
First seen:
2021-03-20 00:48:12 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  3/5
Verdict:
malicious
Label(s):
zloader
Create hunting rule
Similar samples:
0d1774171175d150cc859a71fc56cd6a8132c9c679d3bd5c7f065126ed2a071e
ZLoader
3f1f00054377124affd8fb24f61b9a670858cc44282ffcf0341907f9dbcf1d51
ZLoader
481af12b4e027b76b68c817c3cb806291f52042d3b5dce2e9f073408f596e206
ZLoader
8895213de00492d3755473bdc57627cdd9d90189b043f2a3dc7ae948d589eb1d
ZLoader
959a3cd5e58c2bbbb4a5179e658f6193fd6cf8d5d5384b4e6dca12fa7cbc2c74
ZLoader
9ef6c5467fd80274e6a37e2883a5e83a894cf2148ce37bf0adb1e884acbc4c0b
ZLoader
a7f441793b5703b349ebb2509b6af1cdfdd8023d8e56f1f9a57b9d74e69bd9a9
ZLoader
b250b1ccb8194ce1ccc86b4a88bd7279f6804fac990758e95d203fdd1d97dcc2
ZLoader
cbf6848b72b118e090953347982de71cfe1510dfdc4affdb1ee4d5d62af428d6
ZLoader
dbc2e7788019f8b0959377fa9e0f3d41d0db82445799721d1d77c583ac793e9a
ZLoader
+ 59 additional samples on MalwareBazaar
Result
Malware family:
zloader
Create hunting rule
Score:
  10/10
Tags:
family:zloader botnet:googleaktualizacija campaign:googleaktualizacija2 botnet trojan
Link:
https://tria.ge/reports/210320-xmf35ap57n/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Zloader, Terdot, DELoader, ZeusSphinx
Malware Config
C2 Extraction:
https://iqowijsdakm.com/gate.php
https://wiewjdmkfjn.com/gate.php
https://dksaoidiakjd.com/gate.php
https://iweuiqjdakjd.com/gate.php
https://yuidskadjna.com/gate.php
https://olksmadnbdj.com/gate.php
https://odsakmdfnbs.com/gate.php
https://odsakjmdnhsaj.com/gate.php
https://odjdnhsaj.com/gate.php
https://odoishsaj.com/gate.php
Unpacked files
SH256 hash:
f1b22c0b6c144d82a0e470b2c6a649135a4f212ade39c8135e0273ec100ff34c
MD5 hash:
df6e9f773d2aa38d0c17081208ac1aa6
SHA1 hash:
8a2da6f5d328fb74a81cb27ae11ae8a38b90c94a
Link:
https://www.unpac.me/results/0004e86d-fc7c-4081-9022-e9c9dbbaae39/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f1b22c0b6c144d82a0e470b2c6a649135a4f212ade39c8135e0273ec100ff34c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/nao_sec/status/1373100983887142914
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/125737/

Comments