// Detection rule for ZLoader (meta: category "Trojan", type "malware.loader", Windows).
// Shape of the rule: PE "MZ" magic check, an upper bound on file size, a quorum of
// short x86 opcode sequences, plus one mandatory pattern ($decrypt_conf).
rule zloader
{
    meta:
        category_type = "Trojan"
        family = "Zloader"
        threat_name = "Windows.Trojan.Zloader"
        author = "Felix Bilstein"
        source = "Malpedia"
        license = "CC BY-SA 4.0"
        description = "ZLoader"
        // YARA allows a meta key to be repeated; both references are intentional.
        reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zloader"
        // Second reference is the CAPEv2 config parser for Zloader (path ends in
        // parsers/mwcp/Zloader.py); the rule itself does not say how it was used.
        reference = "https://github.com/kevoreilly/CAPEv2/blob/master/modules/processing/parsers/mwcp/Zloader.py"
        // 32 hex digits (MD5-length); presumably the reference sample the rule was
        // built from — confirm against the Malpedia entry above.
        hash = "69710e08b572faca056f4410a545aae0"
        type = "malware.loader"
        created = "2021-05-04"
        os = "Windows"
        tlp = "clear"
        rev = 1
    strings:
        // Hex strings: each "??" matches exactly one arbitrary byte. The four
        // wildcards that follow e8 (call rel32) and 68 (push imm32) skip the
        // build-specific displacement / immediate operand so the pattern survives
        // relinking; the surrounding opcodes are matched literally.
        //
        // Mandatory pattern (see condition): four consecutive e8 calls, two 68
        // pushes, a call followed by "83 c4 08" (add esp, 8) stack clean-up, then
        // one more call. The name suggests the configuration-decryption routine —
        // TODO confirm against the CAPEv2 parser referenced in meta.
        $decrypt_conf = { e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 08 e8 ?? ?? ?? ?? }
        // 40 short opcode runs ($sequence_0 .. $sequence_39). Individually these are
        // generic x86 prologue/epilogue/call fragments; only the quorum in the
        // condition gives them discriminating power. Tune the threshold there, not
        // by deleting individual sequences.
        $sequence_0 = { 51 56 50 68 01 00 00 80 }
        $sequence_1 = { 83 c4 08 8d 4d f0 6a 00 51 6a 01 }
        $sequence_2 = { 83 c4 0c 53 57 56 e8 ?? ?? ?? ?? 81 c4 10 01 00 00 5e }
        $sequence_3 = { 89 e5 56 8b 75 08 ff 36 e8 ?? ?? ?? ?? 83 c4 04 }
        $sequence_4 = { ff 75 18 8d 75 e4 56 ff 75 10 ff 75 0c ff 75 08 }
        $sequence_5 = { 89 c6 56 53 57 e8 ?? ?? ?? ?? }
        $sequence_6 = { 83 c4 08 84 c0 74 66 ff 35 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 04 84 c0 }
        $sequence_7 = { 51 e8 ?? ?? ?? ?? 83 c4 08 a8 01 }
        $sequence_8 = { 56 50 a1 ?? ?? ?? ?? 89 c1 }
        $sequence_9 = { 89 e5 53 57 56 50 8b 45 10 31 db }
        $sequence_10 = { 50 56 56 56 ff 75 14 }
        $sequence_11 = { 5e c3 56 57 8b 7c 24 14 83 ff ff 75 0c }
        $sequence_12 = { 7c f5 5f c6 04 30 00 5e c3 56 }
        $sequence_13 = { 5e 8b c3 5b c3 8b 44 24 0c 83 f8 ff }
        $sequence_14 = { 68 ?? ?? ?? ?? ff 74 24 08 e8 ?? ?? ?? ?? 59 59 84 c0 }
        $sequence_15 = { 59 84 c0 74 32 68 ?? ?? ?? ?? ff 74 24 08 }
        $sequence_16 = { c7 46 04 88 13 00 00 c7 46 24 01 00 00 00 c7 46 28 00 00 40 01 e8 ?? ?? ?? ?? 89 46 0c }
        $sequence_17 = { 50 89 54 24 44 e8 ?? ?? ?? ?? 03 c0 66 89 44 24 38 8b 44 24 38 }
        $sequence_18 = { e8 ?? ?? ?? ?? 83 c4 14 c3 8b 54 24 04 85 d2 75 03 33 c0 }
        $sequence_19 = { 6a ff 50 e8 ?? ?? ?? ?? 8d 85 7c ff ff ff 50 }
        $sequence_20 = { 83 c4 08 5e 5d c3 55 89 e5 57 }
        $sequence_21 = { 83 c4 14 c3 56 ff 74 24 10 }
        $sequence_22 = { 99 52 50 8d 44 24 3c 99 52 50 }
        $sequence_23 = { 81 c4 a8 02 00 00 5e 5f 5b }
        $sequence_24 = { 66 89 44 24 38 8b 44 24 38 83 c0 02 66 89 44 24 3a }
        $sequence_25 = { 57 56 83 ec 20 e8 ?? ?? ?? ?? }
        $sequence_26 = { 55 bd 00 00 00 01 39 2b 74 04 }
        $sequence_27 = { 33 c9 03 c7 13 cb 89 45 f8 89 4d fc }
        $sequence_28 = { 8d 74 24 10 89 b4 24 30 01 00 00 8b 84 24 30 01 00 00 8b 84 24 30 01 00 00 89 04 24 c7 44 24 04 1c 01 00 00 e8 ?? ?? ?? ?? }
        $sequence_29 = { e9 ?? ?? ?? ?? 31 c0 83 c4 0c 5e }
        $sequence_30 = { 5d c3 51 64 a1 30 00 00 00 }
        $sequence_31 = { 57 50 e8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 e8 ?? ?? ?? ?? 8b f0 }
        $sequence_32 = { 33 db 68 ?? ?? ?? ?? 68 80 00 00 00 50 e8 ?? ?? ?? ?? 83 c4 10 }
        $sequence_33 = { e8 ?? ?? ?? ?? ff 75 08 8d 85 f0 fd ff ff 68 ?? ?? ?? ?? 68 04 01 00 00 }
        $sequence_34 = { 56 68 ?? ?? ?? ?? ff 74 24 10 e8 ?? ?? ?? ?? 68 23 af 29 30 56 ff 74 24 10 }
        $sequence_35 = { 57 ff 75 0c 33 db 68 ?? ?? ?? ?? }
        $sequence_36 = { 5d 5b c3 8b c2 eb f7 8d 44 24 10 50 }
        $sequence_37 = { 5b c3 8b c2 eb f8 53 8b 5c 24 0c }
        $sequence_38 = { c3 56 8b 74 24 08 68 04 01 00 00 68 ?? ?? ?? ?? }
        $sequence_39 = { 50 6a 72 e8 ?? ?? ?? ?? 59 }
    condition:
        // DOS/PE "MZ" magic: 0x5A4D read little-endian is the byte pair 4d 5a.
        uint16(0) == 0x5A4D and
        // 1105920 bytes = 1080 KiB; samples at or above this size never match.
        filesize < 1105920 and
        // Quorum: at least 7 of the 40 $sequence_N patterns must be present.
        // Raising this number tightens the rule; lowering it widens it.
        7 of ($sequence_*) and
        // The quorum alone is not enough — the presumed config-decryption stub is
        // required as well.
        $decrypt_conf
}