MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fff929c4f44411e0f8da272f8d1db4593b23acd3c52cf8958792aef9548b4623. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ZLoader

Vendor detections: 8



SHA256 hash: fff929c4f44411e0f8da272f8d1db4593b23acd3c52cf8958792aef9548b4623
SHA3-384 hash: 094d14ca44ef105d62695df8504be1fa7d7f4bec0716debc558b836e6af7ffae342cc139757751d2674ec309b2ef91b6
SHA1 hash: abc6ac9a98360aa065f32e15d0a9293f8aa26e32
MD5 hash: 6aee58b63843a0d73a98a2922092de8a
humanhash: oxygen-grey-twenty-wisconsin
File name: fff929c4f44411e0f8da272f8d1db4593b23acd3c52cf8958792aef9548b4623
Download: download sample
Signature: ZLoader
File size: 859'480 bytes
First seen: 2020-10-04 14:05:53 UTC
Last seen: Never
File type: DLL dll
MIME type: application/x-dosexec
imphash: 167028cc30b83b679a38cfc09aa25a09 (1 x ZLoader)
ssdeep: 6144:XkX7Ahus9knpaHe51x/ZD6KJ02lclcB6BQVnhLbm6BN6BILsWwrdsWhc:0Ehus+5rZDjJ025oQVhX3UjdrdsWy
Threatray: 5 similar samples on MalwareBazaar
TLSH: 120541249FB37F96C453207BC00F1C7BD5BADE6022A5A906A3D9FB4507B137DA72A142
Reporter: @tildedennis
Tags: ZLoader zloader 2


Twitter
@tildedennis
zloader 2 version 1.5.28.0

Intelligence


File Origin
# of uploads :
1
# of downloads :
136
Origin country :
US US
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Threat name:
ZLoader
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Contains VNC / remote desktop functionality (version string found)
Creates autostart registry keys with suspicious values (likely registry only malware)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs a network lookup / discovery via net view
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ipconfig to lookup or modify the Windows network settings
Uses net.exe to modify the status of services
Writes to foreign memory regions
Yara detected ZLoader
Behaviour
Behavior Graph ID: 292879
Sample: NUjcht4pZG
Startdate: 04/10/2020
Architecture: WINDOWS
Score: 100
Top-level signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Antivirus detection for dropped file; 8 other signatures
Process tree (as rendered in the behavior graph):
  loaddll32.exe
    signatures: Contains functionality to inject code into remote processes; Writes to foreign memory regions; Allocates memory in foreign processes
    msiexec.exe
      network: fqnvsdaas.su (5.253.60.36, port 443, local ports 49748, 49749, DDOS-GUARDRU, Russian Federation); fqnesas.ru
      dropped: C:\Users\user\AppData\Roaming\Rybo\ehvo.dll (PE32)
      signatures: Creates autostart registry keys with suspicious values (likely registry only malware); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets; Tries to harvest and steal Bitcoin Wallet information
      cmd.exe
        signatures: Performs a network lookup / discovery via net view
        conhost.exe
        net.exe
      cmd.exe
        net.exe
          net1.exe
        conhost.exe
      cmd.exe
        ipconfig.exe
        conhost.exe
  regsvr32.exe
    regsvr32.exe
  regsvr32.exe
    regsvr32.exe
Threat name:
Win32.Trojan.Ymacco
Status:
Malicious
First seen:
2020-09-29 15:48:18 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Behaviour
Suspicious use of WriteProcessMemory
Unpacked files
SHA256 hash:
fff929c4f44411e0f8da272f8d1db4593b23acd3c52cf8958792aef9548b4623
MD5 hash:
6aee58b63843a0d73a98a2922092de8a
SHA1 hash:
abc6ac9a98360aa065f32e15d0a9293f8aa26e32
SHA256 hash:
76f0c929b84a712113ccbc329013739394f5e5ae428694f5a69db3bc74dc258d
MD5 hash:
487027f268b579a5d454e2c5972ecbf0
SHA1 hash:
e9caff5b3bca1bb8fbfee246e518b6ebd0d52328
Detections:
win_zloader_auto

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:WHITE rules are displayed.

Rule name: win_zloader_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments