MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6c6a59c54373d9a49e7a5a7aa859d6bda9f5826e4bb652f5898fa78c8748f39. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ZLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f6c6a59c54373d9a49e7a5a7aa859d6bda9f5826e4bb652f5898fa78c8748f39
SHA3-384 hash: 58820f9550062b23aff6cf3517fe2b90c70926bc3eaa8da6de54eab53c103aac0df2d8cb910a5a32c92e6c0f9f2d5c9b
SHA1 hash: e4e520c3ae68ab2ed566d1f090ef0dc5c8003b0e
MD5 hash: 8211a69a3a068265e8b9ab03e4546581
humanhash: sodium-lake-cup-fix
File name:zloader_1.8.0.0.vir
Download: download sample
Signature ZLoader
Create hunting rule
File size:3'479'552 bytes
First seen:2020-07-19 19:29:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 49152:o+Pz83hAabqVkI1khR9TiRCXtbzhRA13mY7QIm0wpSdJ3W+YuBXlLVAAZkHRIm5C:pihpqV11iRtg3QImoPTFBk/5Njoy
Threatray 180 similar samples on MalwareBazaar
TLSH 56F523D1ED364CA8C26FC9F6A0E0015FAF98F961CCDCE055CA23E8D5E160ABD75691B0
Reporter tildedennis
Tags:ZLoader


Avatar
tildedennis
zloader version 1.8.0.0

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/28215/
Detection(s):
SecuriteInfo.com.Downloader.Generic14.BEBV.20352.25722.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Threat name:
ZeusVM
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/390297
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 247331 Sample: zloader_1.8.0.0.vir Startdate: 20/07/2020 Architecture: WINDOWS Score: 100 53 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->53 55 Antivirus / Scanner detection for submitted sample 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 3 other signatures 2->59 9 zloader_1.8.0.0.exe 2->9         started        process3 dnsIp4 37 1.8.0.0 CLOUDFLARENETUS China 9->37 75 Maps a DLL or memory area into another process 9->75 77 Sample uses process hollowing technique 9->77 13 explorer.exe 9->13         started        signatures5 process6 signatures7 87 Detected ZeusVM e-Banking Trojan 13->87 89 Contains functionality to inject threads in other processes 13->89 91 Injects code into the Windows Explorer (explorer.exe) 13->91 93 4 other signatures 13->93 16 explorer.exe 6 7 13->16 injected process8 file9 33 C:\Users\user\AppData\Roaming\...\udgeu.exe, PE32 16->33 dropped 35 C:\Users\user\...\udgeu.exe:Zone.Identifier, data 16->35 dropped 45 Benign windows process drops PE files 16->45 47 Injects code into the Windows Explorer (explorer.exe) 16->47 49 Deletes itself after installation 16->49 51 4 other signatures 16->51 20 udgeu.exe 16->20         started        23 udgeu.exe 16->23         started        25 msiexec.exe 12 16->25         started        signatures10 process11 dnsIp12 61 Antivirus detection for dropped file 20->61 63 Multi AV Scanner detection for dropped file 20->63 65 Machine Learning detection for dropped file 20->65 28 explorer.exe 20->28         started        67 Maps a DLL or memory area into another process 23->67 69 Sample uses process hollowing technique 23->69 31 explorer.exe 23->31         started        39 xowxlitqhrhffcmg.com 208.100.26.245, 443, 49716, 49717 STEADFASTUS United States 25->39 41 gn01.indvshid.com 25->41 43 ugqdfaquwqtrgmjx.com 85.214.228.140, 443, 49722, 49723 STRATOSTRATOAGDE Germany 25->43 71 Detected ZeusVM e-Banking Trojan 25->71 73 Contains functionality to inject threads in other processes 25->73 signatures13 process14 signatures15 79 Writes to foreign memory regions 28->79 81 Allocates memory in foreign processes 28->81 83 Creates a thread in another existing process (thread injection) 28->83 85 Injects a PE file into a foreign processes 31->85
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f6c6a59c54373d9a49e7a5a7aa859d6bda9f5826e4bb652f5898fa78c8748f39/
Threat name:
Win32.Trojan.Invader
Create hunting rule
Status:
Malicious
First seen:
2016-08-24 07:43:00 UTC
AV detection:
31 of 48 (64.58%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=63dklhcug46zusphuwt2vbm5npnj6wbg4s5wkl2ytd5hrsdur44q._file
Verdict:
malicious
Label(s):
zloader
Create hunting rule
Similar samples:
41b0a4eba05ad382e109d412680e4a5a636cbc7dc6928c5de923d689f070ece4
ZLoader
5003a820820a43883c42918e8ca0ad6605417ed61b2645b35c068b396c44ecc9
ZLoader
6f4b543bdd425e2cb35fcc06f79dfac486985ae0d84133c34e0fd01b3a2c22bb
ZLoader
7ab6936ad40377ecea070401a55ef15033c9ee2e441a2aaa0dc963a081502761
ZLoader
99d9cdc246bf28881b009ae71b1611c83397b23b5adf5b3746f51a5a2903ec24
ZLoader
9c0d3c463792d704909de3a04cd7a6d31f8094301e8e24950af31cdc5e9f2838
ZLoader
c6035dfd95b359f00bc421c50365c58f55ffee88ff1f4223cad9d8fd4f9879a7
ZLoader
d17e19456065af5ffa92cfe5b41e6dbb9b6d070b68ca33ce6473ed4c13599e0e
ZLoader
f14d7b35ccb962517c7657f064f0259f4fef55c53c77bfebc8ee360f642b7842
ZLoader
fcb6176fe71dbce1d5474b52e65726dfd4687c6b72f31e7099ac5d79328f681e
ZLoader
+ 170 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/200719-k5n696121j/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
NTFS ADS
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
NTFS ADS
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Adds Run key to start application
Checks whether UAC is enabled
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Deletes itself
Reads user/profile data of web browsers
Blacklisted process makes network request
Blacklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f6c6a59c54373d9a49e7a5a7aa859d6bda9f5826e4bb652f5898fa78c8748f39

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://zeusmuseum.com/zloader/
Cape
Cape
https://www.capesandbox.com/analysis/28215/

Comments