
Analysis Report zloader_1.17.0.0.vir

Overview

General Information

Sample Name: zloader_1.17.0.0.vir (renamed file extension from vir to exe)
Analysis ID: 247076
MD5: 2cddc5e9482b049387c96b609ada8fea
SHA1: c8fb26a5a4776ceb5572c5139d9057a8040f68b8
SHA256: 0b37d287d10b55a50f1a717a015503b64d3be3586f15a12a0085d61794864235

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sample uses process hollowing technique
Abnormal high CPU Usage
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
PE file contains an invalid checksum
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • zloader_1.17.0.0.exe (PID: 4312 cmdline: 'C:\Users\user\Desktop\zloader_1.17.0.0.exe' MD5: 2CDDC5E9482B049387C96B609ADA8FEA)
    • zloader_1.17.0.0.exe (PID: 3788 cmdline: 'C:\Users\user\Desktop\zloader_1.17.0.0.exe' MD5: 2CDDC5E9482B049387C96B609ADA8FEA)
      • explorer.exe (PID: 2016 cmdline: explorer.exe MD5: 499B0D1F6277F17B3BAC525B8717C064)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: zloader_1.17.0.0.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: zloader_1.17.0.0.exe | Virustotal: Detection: 81%
Source: zloader_1.17.0.0.exe | Metadefender: Detection: 56%
Source: zloader_1.17.0.0.exe | ReversingLabs: Detection: 83%
Machine Learning detection for sample
Source: zloader_1.17.0.0.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_02C187A3 CryptAcquireContextW,CryptReleaseContext,CryptGetHashParam,CryptHashData,CryptDestroyHash,CryptCreateHash
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_02C214A7 InternetReadFile,WaitForSingleObject
Source: explorer.exe, 00000007.00000002.887604821.00000000046E9000.00000004.00000001.sdmp | String found in binary or memory: http://dolbit.bit/info.php
Source: explorer.exe, 00000007.00000002.887604821.00000000046E9000.00000004.00000001.sdmp, explorer.exe, 00000007.00000002.887319750.0000000002DDA000.00000004.00000020.sdmp | String found in binary or memory: http://gerber.gdn/info.php
Source: explorer.exe, 00000007.00000002.887604821.00000000046E9000.00000004.00000001.sdmp | String found in binary or memory: http://gerber.gdn/info.php39xew9y6f2iikg4a7hezad8fpxuv8tv1ri4yiqec2a3pnvxvrvugqy2a197mrzki2sdqdgctnh
Source: explorer.exe, 00000007.00000002.887319750.0000000002DDA000.00000004.00000020.sdmp | String found in binary or memory: http://gerber.gdn/info.php:
Source: explorer.exe, 00000007.00000002.887243939.0000000002DC3000.00000004.00000020.sdmp | String found in binary or memory: http://gerber.gdn/info.phpJ
Source: explorer.exe, 00000007.00000002.887319750.0000000002DDA000.00000004.00000020.sdmp | String found in binary or memory: http://gerber.gdn/info.phpO
Source: explorer.exe, 00000007.00000002.887319750.0000000002DDA000.00000004.00000020.sdmp | String found in binary or memory: http://gerber.gdn/info.phpZ
Source: C:\Users\user\Desktop\zloader_1.17.0.0.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\zloader_1.17.0.0.exe | Code function: 5_2_00409166 NtUnmapViewOfSection,NtUnmapViewOfSection
Source: C:\Users\user\Desktop\zloader_1.17.0.0.exe | Code function: 5_2_00408D75 NtCreateSection,NtCreateSection
Source: C:\Users\user\Desktop\zloader_1.17.0.0.exe | Code function: 5_2_00408F06 NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\Desktop\zloader_1.17.0.0.exe | Code function: 5_2_00408FC4 NtQueryInformationProcess,NtQueryInformationProcess,NtQueryInformationProcess
Source: C:\Users\user\Desktop\zloader_1.17.0.0.exe | Code function: 5_2_004036E4
Source: C:\Users\user\Desktop\zloader_1.17.0.0.exe | Code function: 5_2_00402FE8
Source: C:\Users\user\Desktop\zloader_1.17.0.0.exe | Code function: 5_2_004065AA
Source: C:\Users\user\Desktop\zloader_1.17.0.0.exe | Code function: 5_2_0040280B
Source: C:\Users\user\Desktop\zloader_1.17.0.0.exe | Code function: 5_2_00405E0E
Source: C:\Users\user\Desktop\zloader_1.17.0.0.exe | Code function: 5_2_00404210
Source: C:\Users\user\Desktop\zloader_1.17.0.0.exe | Code function: 5_2_00404943
Source: C:\Users\user\Desktop\zloader_1.17.0.0.exe | Code function: 5_2_004083F0
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0029C9AA
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0029CF82
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_00297F98
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_002949E9
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_00292FD8
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_02C183F5
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_02C1E757
Source: zloader_1.17.0.0.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: zloader_1.17.0.0.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: zloader_1.17.0.0.exe, 00000005.00000002.882718651.0000000002D89000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs zloader_1.17.0.0.exe
Source: classification engine | Classification label: mal68.evad.winEXE@5/0@0/1
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_02C1C5C3 CreateToolhelp32Snapshot,FindCloseChangeNotification,Process32FirstW,Process32NextW
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\zloader_1.17.0.0.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: zloader_1.17.0.0.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\zloader_1.17.0.0.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: zloader_1.17.0.0.exe | Virustotal: Detection: 81%
Source: zloader_1.17.0.0.exe | Metadefender: Detection: 56%
Source: zloader_1.17.0.0.exe | ReversingLabs: Detection: 83%
Source: explorer.exe | String found in binary or memory: accent-startColorMenu
Source: explorer.exe | String found in binary or memory: accent-startColor
Source: explorer.exe | String found in binary or memory: themes-installTheme
Source: explorer.exe | String found in binary or memory: Windows-StartLayout
Source: explorer.exe | String found in binary or memory: /LOADSAVEDWINDOWS
Source: explorer.exe | String found in binary or memory: ms-settings:personalization-start
Source: explorer.exe | String found in binary or memory: api-ms-win-stateseparation-helpers-l1-1-0.dll
Source: explorer.exe | String found in binary or memory: Microsoft-Windows-Shell-Launcher
Source: unknown | Process created: C:\Users\user\Desktop\zloader_1.17.0.0.exe 'C:\Users\user\Desktop\zloader_1.17.0.0.exe'
Source: unknown | Process created: C:\Users\user\Desktop\zloader_1.17.0.0.exe 'C:\Users\user\Desktop\zloader_1.17.0.0.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\zloader_1.17.0.0.exe | Process created: C:\Users\user\Desktop\zloader_1.17.0.0.exe 'C:\Users\user\Desktop\zloader_1.17.0.0.exe'
Source: C:\Users\user\Desktop\zloader_1.17.0.0.exe | Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: zloader_1.17.0.0.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: explorer.pdbUGP | source: zloader_1.17.0.0.exe, 00000005.00000002.881116385.0000000002A4A000.00000004.00000001.sdmp, explorer.exe, 00000007.00000002.883547320.0000000000290000.00000040.00000001.sdmp
Source: Binary string: explorer.pdb | source: zloader_1.17.0.0.exe, 00000005.00000002.881116385.0000000002A4A000.00000004.00000001.sdmp, explorer.exe
Source: zloader_1.17.0.0.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: zloader_1.17.0.0.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: zloader_1.17.0.0.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: zloader_1.17.0.0.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: zloader_1.17.0.0.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\zloader_1.17.0.0.exe | Code function: 1_2_00C95410 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,CreateFileA,GetGuiResources,GetSystemTimeAdjustment,GetSystemTimes,GetGuiResources,GetWindowTextLengthA,GetWindowWord,GetWindowTextA,GetProcAddress,LocalAlloc,VirtualProtect,_calloc,GetModuleHandleA
Source: zloader_1.17.0.0.exe | Static PE information: real checksum: 0x46db5 should be: 0x4d082
Source: C:\Users\user\Desktop\zloader_1.17.0.0.exe | Code function: 1_2_00C92545 push ecx; ret 1_2_00C92558
Source: C:\Users\user\Desktop\zloader_1.17.0.0.exe | Code function: 5_2_00C92545 push ecx; ret 5_2_00C92558
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0029CF82 pushad ; retn 0046h 7_2_0029D015
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_00293DC8 pushad ; ret 7_2_00293DD1
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_00294146 push eax; ret 7_2_00294149
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_02C180A6 push FFFFFFC5h; iretd 7_2_02C180A8
Source: C:\Windows\SysWOW64\explorer.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\zloader_1.17.0.0.exe | Code function: 1_2_00C927A1 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\zloader_1.17.0.0.exe | Code function: 1_2_00C95410 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,CreateFileA,GetGuiResources,GetSystemTimeAdjustment,GetSystemTimes,GetGuiResources,GetWindowTextLengthA,GetWindowWord,GetWindowTextA,GetProcAddress,LocalAlloc,VirtualProtect,_calloc,GetModuleHandleA
Source: C:\Users\user\Desktop\zloader_1.17.0.0.exe | Code function: 5_2_00404943 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_02C19D6D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\zloader_1.17.0.0.exe | Code function: 5_2_004083F0 GetProcessHeap,GetProcessHeap
Source: C:\Users\user\Desktop\zloader_1.17.0.0.exe | Code function: 1_2_00C927A1 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\zloader_1.17.0.0.exe | Code function: 1_2_00C91000 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\zloader_1.17.0.0.exe | Code function: 5_2_00C927A1 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\zloader_1.17.0.0.exe | Code function: 5_2_00C91000 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\zloader_1.17.0.0.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\zloader_1.17.0.0.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\zloader_1.17.0.0.exe | Section unmapped: C:\Windows\SysWOW64\explorer.exe base address: 290000
Source: C:\Users\user\Desktop\zloader_1.17.0.0.exe | Process created: C:\Users\user\Desktop\zloader_1.17.0.0.exe 'C:\Users\user\Desktop\zloader_1.17.0.0.exe'
Source: C:\Users\user\Desktop\zloader_1.17.0.0.exe | Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: zloader_1.17.0.0.exe, 00000005.00000002.881116385.0000000002A4A000.00000004.00000001.sdmp, explorer.exe | Binary or memory string: Shell_TrayWnd
Source: explorer.exe | Binary or memory string: Progman
Source: zloader_1.17.0.0.exe, 00000005.00000002.881116385.0000000002A4A000.00000004.00000001.sdmp, explorer.exe, 00000007.00000002.883547320.0000000000290000.00000040.00000001.sdmp | Binary or memory string: Microsoft-Reserved-24C26ACC-DE62-4303-88AD-6CD4F1447F18SecurityConfigureWindowsPasswordsProxy DesktopProgmanSoftware\Microsoft\Windows NT\CurrentVersion\WinlogonShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells
Source: explorer.exe, 00000007.00000002.887406710.0000000003260000.00000002.00000001.sdmp | Binary or memory string: RProgram Managerm
Source: explorer.exe, 00000007.00000002.887406710.0000000003260000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\zloader_1.17.0.0.exe | Code function: 1_2_00C95410 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,CreateFileA,GetGuiResources,GetSystemTimeAdjustment,GetSystemTimes,GetGuiResources,GetWindowTextLengthA,GetWindowWord,GetWindowTextA,GetProcAddress,LocalAlloc,VirtualProtect,_calloc,GetModuleHandleA
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_02C16B2C GetVersionExW
Source: C:\Windows\SysWOW64\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Techniques are listed per tactic column of the matrix; a number in parentheses is the report's signature-count badge for that technique, kept as extracted.

  • Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
  • Execution: Command-Line Interface (2); Execution through API (1); Execution through Module Load (1); Scheduled Task
  • Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware
  • Privilege Escalation: Process Injection (212); Accessibility Features; Path Interception; DLL Search Order Hijacking
  • Defense Evasion: Process Injection (212); Obfuscated Files or Information (1); Rootkit; Obfuscated Files or Information
  • Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files
  • Discovery: System Time Discovery (1); Process Discovery (3); Security Software Discovery (2); System Information Discovery (4)
  • Lateral Movement: Remote File Copy (1); Remote Services; Windows Remote Management; Logon Scripts
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
  • Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
  • Command and Control: Standard Cryptographic Protocol (2); Remote File Copy (1); Custom Cryptographic Protocol; Multiband Communication
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
  • Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
