MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6c6a59c54373d9a49e7a5a7aa859d6bda9f5826e4bb652f5898fa78c8748f39. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: f6c6a59c54373d9a49e7a5a7aa859d6bda9f5826e4bb652f5898fa78c8748f39
SHA3-384 hash: 58820f9550062b23aff6cf3517fe2b90c70926bc3eaa8da6de54eab53c103aac0df2d8cb910a5a32c92e6c0f9f2d5c9b
SHA1 hash: e4e520c3ae68ab2ed566d1f090ef0dc5c8003b0e
MD5 hash: 8211a69a3a068265e8b9ab03e4546581
humanhash: sodium-lake-cup-fix
File name: zloader_1.8.0.0.vir
Signature: ZLoader
File size: 3'479'552 bytes
First seen: 2020-07-19 19:29:48 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 49152:o+Pz83hAabqVkI1khR9TiRCXtbzhRA13mY7QIm0wpSdJ3W+YuBXlLVAAZkHRIm5C:pihpqV11iRtg3QImoPTFBk/5Njoy
TLSH: 56F523D1ED364CA8C26FC9F6A0E0015FAF98F961CCDCE055CA23E8D5E160ABD75691B0
Reporter: @tildedennis
Tags: ZLoader


Twitter (@tildedennis): zloader version 1.8.0.0

Intelligence


File Origin
# of uploads: 1
# of downloads: 19
Origin country: FR
Mail intelligence: No data
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Creating a window
  Unauthorized injection to a recently created process
  Connection attempt to an infection source

Result
Threat name: ZeusVM
Detection: malicious
Classification: bank.troj.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph (ID 247331, sample zloader_1.8.0.0.vir, start date 20/07/2020, architecture WINDOWS, score 100):

Top-level signatures:
  Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  Antivirus / Scanner detection for submitted sample
  Multi AV Scanner detection for submitted file
  3 other signatures

zloader_1.8.0.0.exe (started):
  DNS/IP: 1.8.0.0 CLOUDFLARENETUS China
  Maps a DLL or memory area into another process
  Sample uses process hollowing technique
  -> explorer.exe (started):
       Detected ZeusVM e-Banking Trojan
       Contains functionality to inject threads in other processes
       Injects code into the Windows Explorer (explorer.exe)
       4 other signatures
       -> explorer.exe (injected):
            Dropped: C:\Users\user\AppData\Roaming\...\udgeu.exe, PE32
            Dropped: C:\Users\user\...\udgeu.exe:Zone.Identifier, data
            Benign windows process drops PE files
            Injects code into the Windows Explorer (explorer.exe)
            Deletes itself after installation
            4 other signatures
            -> udgeu.exe (started):
                 Antivirus detection for dropped file
                 Multi AV Scanner detection for dropped file
                 Machine Learning detection for dropped file
                 -> explorer.exe (started):
                      Writes to foreign memory regions
                      Allocates memory in foreign processes
                      Creates a thread in another existing process (thread injection)
            -> udgeu.exe (started):
                 Maps a DLL or memory area into another process
                 Sample uses process hollowing technique
                 -> explorer.exe (started):
                      Injects a PE file into a foreign processes
            -> msiexec.exe (started):
                 DNS/IP: xowxlitqhrhffcmg.com 208.100.26.245, 443, 49716, 49717 STEADFASTUS United States
                 DNS/IP: gn01.indvshid.com
                 DNS/IP: ugqdfaquwqtrgmjx.com 85.214.228.140, 443, 49722, 49723 STRATOSTRATOAGDE Germany
                 Detected ZeusVM e-Banking Trojan
                 Contains functionality to inject threads in other processes
Threat name: Win32.Trojan.Invader
Status: Malicious
First seen: 2016-08-24 07:43:00 UTC
AV detection: 26 of 44 (59.09%)
Threat level: 2/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence spyware
Behaviour:
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
NTFS ADS
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
NTFS ADS
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Adds Run key to start application
Checks whether UAC is enabled
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Deletes itself
Reads user/profile data of web browsers
Blacklisted process makes network request
Blacklisted process makes network request
Threat name: Unknown
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments