{
	"id": "fa772b7c-6d1e-4631-8e27-c0b6420fcbea",
	"created_at": "2026-04-06T00:06:35.987929Z",
	"updated_at": "2026-04-10T03:21:41.334012Z",
	"deleted_at": null,
	"sha1_hash": "206870a8cfd2ebb685d9a6872007210f9f68a647",
	"title": "Zloader | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1673974,
	"plain_text": "Zloader | ThreatLabz\r\nBy ThreatLabz\r\nPublished: 2024-04-29 · Archived: 2026-04-05 12:56:42 UTC\r\nTechnical Analysis\r\nIn the following sections, we explore the technical details of Zloader's latest anti-analysis feature, introduced in versions 2.4.1.0 and 2.5.1.0. We also draw comparisons to Zeus to provide a comprehensive understanding of their respective approaches.\r\nRegistry check\r\nZloader samples from version 2.4.1.0 onward terminate abruptly if they are copied from the initially infected system and executed on another one. This is due to a Windows registry check for the presence of a specific key and value.\r\nThe screenshot below shows the Windows Registry check failing in a malware sandbox.\r\nFigure 1: Registry key check performed in a sandbox.\r\nThe registry key and value are generated from a hardcoded seed that is different for each sample.\r\nThe Python code below replicates the algorithm to generate the registry key.\r\n#!/usr/bin/env python3\r\nSEED = 0x1C5EE76F0FE82329\r\ndef calculate_registry_key(seed):\r\n key = \"\"\r\n key_length = 1 + seed % 8\r\n \r\n if key_length \u003e (64 - 8))) \u0026 0xffffffffffffffff) + 1\r\n \r\n key = key.capitalize()\r\n return key\r\nprint(calculate_registry_key(SEED))\r\nhttps://www.zscaler.com/blogs/security-research/zloader-learns-old-tricks\r\nPage 1 of 6\n\nIf the registry key/value pair is created manually (or this check is patched), Zloader successfully injects itself into a new process. However, it terminates again after executing only a few instructions, because of a secondary check on Zloader’s MZ header.\r\nMZ header check\r\nA bit further into the code there is an additional check, executed only after the injection into the new process, that involves a DWORD in the MZ header at offset 0x30. 
The DWORD used in the check of the analyzed sample can be seen in the image below.\r\nFigure 2: MZ header with random DWORD at 0x30 offset.\r\nThe DWORD at offset 0x30 is part of the ten reserved WORDs (e_res2) that occupy offsets 0x28 to 0x3C of the MZ header, just before e_lfanew. These bytes are usually null. In the example above, however, the malware contained an integer value (0xAAD01244), which is compared with the file size (0x29A00). Since this integer is far larger than the file size, the check fails. The decompiled code of the file size check is shown in the figure below.\r\nFigure 3: Decompiled code of the file size check against the MZ DWORD.\r\nWhat the malware developers are doing here is using the spare MZ header DWORD as a pointer to the file offset of the seed, which explains the purpose of the check: the DWORD is overwritten after the initial execution, so if the pointer points beyond the binary, the seed has already been written and no reinitialization is needed.\r\nThis implies that the initial binary used to infect a system must carry a null seed, with the MZ DWORD at 0x30 holding the seed’s file offset. On first execution, that offset is populated with a pseudo-random QWORD generated via the Mersenne Twister algorithm, leaving a hardcoded seed that differs per infected sample.\r\nFigure 4 shows the decompiled code where the seed is generated and written. 
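The check described above, as an added example that is not code from the Zscaler post or from Zloader: a small Python triage helper that applies the same comparison (DWORD at 0x30 against the file size) to a file image, reads the seed at the pointed-to offset, and models the first-run write that turns an uninstalled sample into an installed one. The offsets and the comparison come from the post; the function names, the constructed images and the marker value written back at 0x30 are assumptions of this example.

```python
#!/usr/bin/env python3
# Added example, not code from the Zscaler post or from Zloader. It applies
# the MZ-header check the post describes: the reserved DWORD at offset 0x30
# is the file offset of the 8-byte seed and is compared against the file
# size; a pointer past the end of the file means the seed was already
# written on the original victim. Function names, the constructed images and
# the marker value written back at 0x30 are this example's own assumptions.
import random
import struct

SEED_PTR_OFFSET = 0x30         # inside the reserved WORDs e_res2 (0x28..0x3C)
SEED_SIZE = 8                  # the seed is a QWORD
INSTALLED_MARKER = 0xFFFFFFFF  # assumption: any value >= file size will do

def classify_sample(image: bytes) -> dict:
    # Same comparison as the post's Figure 3: DWORD at 0x30 vs. file size.
    if len(image) < 0x40 or image[:2] != b'MZ':
        return {'state': 'not-mz'}
    ptr = struct.unpack_from('<I', image, SEED_PTR_OFFSET)[0]
    size = len(image)
    if ptr >= size:
        # Pointer beyond the binary: the seed was already written, so there is
        # no reinitialisation and a copy of this file will not run elsewhere.
        return {'state': 'installed', 'seed_ptr': ptr, 'file_size': size}
    if ptr + SEED_SIZE > size:
        return {'state': 'malformed', 'seed_ptr': ptr, 'file_size': size}
    seed = struct.unpack_from('<Q', image, ptr)[0]
    # The initial infection binary carries a null seed at the pointed-to offset.
    return {'state': 'uninstalled' if seed == 0 else 'seed-present',
            'seed_ptr': ptr, 'file_size': size, 'seed': seed}

def generate_seed() -> int:
    # Pseudo-random QWORD. Python's random module is MT19937, the generator the
    # post names; how Zloader seeds its own instance is not documented here.
    return random.getrandbits(64)

def simulate_install(image: bytes, seed: int) -> bytes:
    # Model of the first run as the post describes it: write the seed at the
    # pointed-to offset, then overwrite the pointer so it points past the file.
    info = classify_sample(image)
    if info['state'] != 'uninstalled':
        raise ValueError('not an uninstalled sample: ' + info['state'])
    out = bytearray(image)
    struct.pack_into('<Q', out, info['seed_ptr'], seed)
    struct.pack_into('<I', out, SEED_PTR_OFFSET, INSTALLED_MARKER)
    return bytes(out)

def read_seed(image: bytes, offset: int) -> int:
    return struct.unpack_from('<Q', image, offset)[0]

def build_uninstalled_image(size: int, seed_offset: int) -> bytes:
    # Constructed stand-in for a fresh sample: MZ magic, seed pointer at 0x30,
    # null seed at the pointed-to offset, everything else zero.
    img = bytearray(size)
    img[:2] = b'MZ'
    struct.pack_into('<I', img, SEED_PTR_OFFSET, seed_offset)
    return bytes(img)

def build_page_sample() -> bytes:
    # Constructed image with the two values from the analysed sample: file
    # size 0x29A00 and 0xAAD01244 at offset 0x30 (the rest is zero).
    img = bytearray(0x29A00)
    img[:2] = b'MZ'
    struct.pack_into('<I', img, SEED_PTR_OFFSET, 0xAAD01244)
    return bytes(img)

if __name__ == '__main__':
    fresh = build_uninstalled_image(0x400, 0x200)
    print(classify_sample(fresh))
    print(classify_sample(simulate_install(fresh, generate_seed())))
    print(classify_sample(build_page_sample()))
```

Run against a real dropped file, classify_sample tells you in one step whether the copy you have is the pristine infection binary (pointer inside the file, null seed) or a post-install copy that will refuse to run in a sandbox; in the latter case the seed itself is no longer recoverable from the MZ header alone, which is why the registry artifacts from the victim machine matter.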
\r\nFigure 4: Decompiled code where the seed is first created.\r\nWithout the seed and the MZ header value set correctly, a Zloader sample will not run or install on a different machine, unless it is patched or the environment is replicated with all the registry and disk paths/names, alongside all the original artifacts from the original victim’s machine.\r\nRegistry value content\r\nIn previous versions of Zloader there was a single registry key and value containing some machine information (install path, computer/bot ID, victim-specific RC4 key, etc.), similar to the Zeus PeSettings we examine in the next section. The key/value pair was encrypted with the Zeus VisualEncrypt algorithm and RC4, using the RSA key present in the static configuration as the key, but it was not used to prevent infecting a new machine: it was simply created again when the sample executed in a different environment.\r\nNow there is an additional value, created using the seed described above.\r\nThe figure below shows the registry keys and values added to the victim’s system during the infection process.\r\nFigure 5: Registry keys and values added when infecting the machine.\r\nThe content has a fixed length of 1,418 bytes and is encrypted with RC4, but without the additional VisualEncrypt layer. 
The RC4 key is also derived from the seed generated during the infection, the same seed that is used to create the names of the registry key and value.\r\nThe decrypted format and content are as follows:\r\n00000000 41 00 64 00 6f 00 62 00 65 00 5c 00 49 00 6e 00 |A.d.o.b.e.\\.I.n.|\r\n00000010 66 00 72 00 61 00 42 00 61 00 73 00 65 00 2e 00 |f.r.a.B.a.s.e...|\r\n00000020 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 |e.x.e...........|\r\n00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n00000040 57 00 61 00 62 00 75 00 75 00 5c 00 45 00 66 00 |W.a.b.u.u.\\.E.f.|\r\n00000050 79 00 63 00 79 00 64 00 6d 00 61 00 00 00 00 00 |y.c.y.d.m.a.....|\r\n00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n00000080 57 00 61 00 62 00 75 00 75 00 5c 00 47 00 65 00 |W.a.b.u.u.\\.G.e.|\r\n00000090 78 00 61 00 6e 00 69 00 00 00 00 00 00 00 00 00 |x.a.n.i.........|\r\n000000a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n000000b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n000000c0 57 00 61 00 62 00 75 00 75 00 5c 00 4c 00 6f 00 |W.a.b.u.u.\\.L.o.|\r\n000000d0 6b 00 61 00 79 00 6c 00 62 00 6f 00 00 00 00 00 |k.a.y.l.b.o.....|\r\n000000e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n000000f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n00000100 57 00 61 00 62 00 75 00 75 00 5c 00 47 00 79 00 |W.a.b.u.u.\\.G.y.|\r\n00000110 79 00 70 00 6b 00 00 00 00 00 00 00 00 00 00 00 |y.p.k...........|\r\n00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n00000140 57 00 61 00 62 00 75 00 75 00 5c 00 45 00 71 00 |W.a.b.u.u.\\.E.q.|\r\n00000150 71 00 61 00 00 00 00 00 
00 00 00 00 00 00 00 00 |q.a.............|\r\n00000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n00000180 57 00 61 00 62 00 75 00 75 00 5c 00 59 00 77 00 |W.a.b.u.u.\\.Y.w.|\r\n00000190 77 00 75 00 00 00 00 00 00 00 00 00 00 00 00 00 |w.u.............|\r\n000001a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n000001b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n000001c0 57 00 61 00 62 00 75 00 75 00 5c 00 49 00 76 00 |W.a.b.u.u.\\.I.v.|\r\n000001d0 76 00 65 00 64 00 00 00 00 00 00 00 00 00 00 00 |v.e.d...........|\r\n000001e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n000001f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n00000200 57 00 61 00 62 00 75 00 75 00 5c 00 48 00 61 00 |W.a.b.u.u.\\.H.a.|\r\n00000210 6b 00 6f 00 67 00 69 00 00 00 00 00 00 00 00 00 |k.o.g.i.........|\r\n00000220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n00000230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n00000240 59 00 66 00 6f 00 77 00 76 00 6f 00 5c 00 46 00 |Y.f.o.w.v.o.\\.F.|\r\n00000250 75 00 76 00 61 00 61 00 71 00 00 00 00 00 00 00 |u.v.a.a.q.......|\r\n00000260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n00000270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n00000280 59 00 66 00 6f 00 77 00 76 00 6f 00 5c 00 4d 00 |Y.f.o.w.v.o.\\.M.|\r\n00000290 79 00 6c 00 75 00 6b 00 00 00 00 00 00 00 00 00 |y.l.u.k.........|\r\n000002a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n000002b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n000002c0 59 00 66 00 6f 00 77 00 76 00 6f 00 5c 00 45 00 |Y.f.o.w.v.o.\\.E.|\r\n000002d0 73 00 6e 00 6f 00 00 00 00 00 00 00 00 00 00 00 |s.n.o...........|\r\n000002e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 |................|\r\n*\r\n0000058A\r\nThe structure is divided into 64-byte entries. The first entry is the binary’s path inside %APPDATA%, and the following entries are the Zloader modules.\r\nZeus implementation\r\nIt has been thirteen years since the Zeus 2.0.8 source code was leaked, but it is still widely leveraged by threat actors and some of its concepts remain relevant. The technique described in the section above, which Zloader uses to store the installation information and avoid running on a different system, was also present in Zeus v2, but implemented differently.\r\nIn Zeus, the binary had an overlay section called PeSettings, where the installation information was stored instead of in the registry. The encrypted Zeus overlay section is shown in the figure below.\r\nFigure 6: The encrypted Zeus overlay section.\r\nThe header of this section is decrypted with the RC4 key present in the static config. 
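As an added example covering both the Zloader registry value from the previous section and the Zeus PeSettings header described here (not code from the post, from Zloader or from Zeus): a single RC4 routine plus a parser for each record. The 1,418-byte length, the 64-byte UTF-16LE entries and the paths in the sample come from the dump above; the Zeus header is handled as the post describes it in the following paragraph (three DWORDs: magic DAVE, CRC32 of the data, size of the data, with size 0xC meaning not installed). Assumptions of this example, not facts from the post: the RC4 keys (the post does not give Zloader's seed-to-key derivation or a Zeus static-config key), the magic being stored as the four bytes DAVE, the CRC32 being standard CRC-32 over the bytes following the header, and the sample blobs, which are constructed here.

```python
#!/usr/bin/env python3
# Added example, not code from the Zscaler post, Zloader or Zeus.
# Parses the two installation records the post describes: the Zloader
# registry value and the Zeus PeSettings overlay header. Assumptions (not
# from the post): the RC4 keys, the magic stored as the bytes DAVE, standard
# CRC-32 over the bytes after the header, and the constructed sample blobs.
import struct
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    # Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xff
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xff
        j = (j + S[i]) & 0xff
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xff])
    return bytes(out)

# ---- Zloader registry value: 1,418 bytes, RC4 only, 64-byte UTF-16LE entries
ZLOADER_VALUE_SIZE = 0x58A
ENTRY_SIZE = 0x40
SEP = chr(92)   # backslash path separator, spelled out to keep the literals plain

def parse_zloader_value(key: bytes, blob: bytes) -> dict:
    if len(blob) != ZLOADER_VALUE_SIZE:
        raise ValueError('unexpected registry value length %d' % len(blob))
    plain = rc4(key, blob)
    entries = []
    for off in range(0, len(plain), ENTRY_SIZE):
        text = plain[off:off + ENTRY_SIZE].decode('utf-16-le', errors='replace')
        text = text.split(chr(0))[0]      # entries are NUL-padded
        if text:
            entries.append(text)
    # First entry: binary path under %APPDATA%; the rest: Zloader modules.
    return {'install_path': entries[0] if entries else None, 'modules': entries[1:]}

# Paths as they appear in the post's decrypted dump (constructed sample input).
PAGE_ENTRIES = (['Adobe' + SEP + 'InfraBase.exe']
                + ['Wabuu' + SEP + n for n in ('Efycydma', 'Gexani', 'Lokaylbo',
                                               'Gyypk', 'Eqqa', 'Ywwu', 'Ivved', 'Hakogi')]
                + ['Yfowvo' + SEP + n for n in ('Fuvaaq', 'Myluk', 'Esno')])

def build_zloader_value(key: bytes, entries) -> bytes:
    # Lay the paths out at 64-byte stride, zero-padded to 1,418 bytes, then RC4.
    plain = bytearray(ZLOADER_VALUE_SIZE)
    for idx, path in enumerate(entries):
        enc = path.encode('utf-16-le')
        plain[idx * ENTRY_SIZE:idx * ENTRY_SIZE + len(enc)] = enc
    return rc4(key, bytes(plain))

# ---- Zeus PeSettings overlay header: RC4(static key) over magic, CRC32, size
ZEUS_HEADER_SIZE = 0xC
ZEUS_MAGIC = b'DAVE'   # assumption: stored as these four bytes

def parse_zeus_pesettings(static_key: bytes, overlay: bytes) -> dict:
    if len(overlay) < ZEUS_HEADER_SIZE:
        raise ValueError('overlay too short for a PeSettings header')
    header = rc4(static_key, overlay[:ZEUS_HEADER_SIZE])
    magic = header[:4]
    crc, size = struct.unpack('<II', header[4:])
    if magic != ZEUS_MAGIC:
        raise ValueError('bad PeSettings magic %r' % magic)
    if size == ZEUS_HEADER_SIZE:
        # Header only: not installed yet. Zeus would now generate the bot ID,
        # install paths and per-machine RC4 S-box and rewrite the overlay.
        return {'installed': False, 'crc': crc, 'size': size}
    data = overlay[ZEUS_HEADER_SIZE:size]
    return {'installed': True, 'crc': crc, 'size': size,
            'crc_ok': (zlib.crc32(data) & 0xffffffff) == crc, 'data': data}

def build_zeus_overlay(static_key: bytes, data: bytes) -> bytes:
    # Constructed overlay: empty data yields the uninstalled size 0xC.
    header = ZEUS_MAGIC + struct.pack('<II', zlib.crc32(data) & 0xffffffff,
                                      ZEUS_HEADER_SIZE + len(data))
    return rc4(static_key, header) + data

if __name__ == '__main__':
    zkey = b'constructed-zloader-key'   # assumption: real key derives from the seed
    print(parse_zloader_value(zkey, build_zloader_value(zkey, PAGE_ENTRIES)))
    skey = b'constructed-static-config-key'
    print(parse_zeus_pesettings(skey, build_zeus_overlay(skey, b'')))
    print(parse_zeus_pesettings(skey, build_zeus_overlay(skey, b'installed-settings')))
```

The two parsers make the design difference concrete: Zloader's record lives in the registry under seed-derived names and only becomes readable once the seed (and with it the RC4 key) is recovered from the victim machine, whereas the Zeus record travels inside the binary's overlay and its installed/uninstalled state is visible from the header alone.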
Figure 7 shows the decrypted Zeus section header.\r\nFigure 7: Zeus overlay section header.\r\nThe decrypted header is composed of three DWORDs:\r\nMagic word (DAVE)\r\nCRC32 of the data\r\nSize of the data\r\nIf the size of the data is equal to 0xC, the trojan is not installed and proceeds with the infection, generating all the required information, such as the computer/bot ID, install paths, and a machine-specific RC4 key, which is generated per install and stored as an initialized RC4 S-box.\r\nZeus then encrypts the PeSettings again and replaces the overlay data with the result, updating the header CRC and data size DWORDs.\r\nBelow you can see the PeSettings structure in its decrypted form:\r\n00000000 e6 01 00 00 41 00 44 00 4d 00 49 00 4e 00 2d 00 |....A.D.M.I.N.-.|\r\n00000010 50 00 43 00 5f 00 45 00 35 00 33 00 32 00 36 00 |P.C._.E.5.3.2.6.|\r\n00000020 34 00 38 00 41 00 34 00 34 00 43 00 43 00 37 00 |4.8.A.4.4.C.C.7.|\r\n00000030 46 00 31 00 43 00 00 00 00 00 00 00 00 00 00 00 |F.1.C...........|\r\n00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n*\r\n00000070 00 00 00 00 00 00 00 00 00 00 00 00 e4 50 d2 69 |.............P.i|\r\n00000080 18 6c e3 11 b3 bc 80 6e 6f 6e 69 63 01 89 b5 78 |.l.....nonic...x|\r\n00000090 79 63 ae 4b f3 14 94 9a ab db c2 be 09 32 df 16 |yc.K.........2..|\r\n000000a0 bc a3 0a 33 57 6f 49 e5 21 62 c6 5f 12 e2 97 25 |...3WoI.!b._...%|\r\n000000b0 87 55 b7 a0 da a8 67 36 29 dc 08 f1 8a 6d c9 e8 |.U....g6)....m..|\r\n000000c0 91 13 90 54 6b 8f 2b 5e 68 46 9b 9e 69 80 e4 76 |...Tk.+^hF..i..v|\r\n000000d0 88 85 cc bd bb 40 ce 10 6a 71 75 5d 93 dd 4d 07 |.....@..jqu]..M.|\r\n000000e0 92 7e ba 61 ad 1d 34 f6 ac 98 a5 af 59 86 3d 27 |.~.a..4.....Y.='|\r\n000000f0 5c 38 b6 c7 aa c0 9c 52 d0 64 77 5a 3e 8e fe 0d |\\8.....R.dwZ\u003e...|\r\n00000100 7f bf 1b 20 f8 00 a4 6c 45 3b 41 8d 81 05 e6 
d4 |... ...lE;A.....|\r\n00000110 f9 e3 9f 02 37 b1 d9 60 ef 83 1f e9 cd a2 17 8c |....7..`........|\r\n00000120 2c c4 c1 15 65 4c d5 8b ca 3c 26 1e ec 6e 30 d8 |,...eL...\r\nWhen a sample that is already installed is run, it regenerates the computer/bot ID, and if it does not match the one stored in the PeSettings, Zeus exits. The same occurs if the install paths do not match.\r\nSource: https://www.zscaler.com/blogs/security-research/zloader-learns-old-tricks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/zloader-learns-old-tricks"
	],
	"report_names": [
		"zloader-learns-old-tricks"
	],
	"threat_actors": [],
	"ts_created_at": 1775433995,
	"ts_updated_at": 1775791301,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/206870a8cfd2ebb685d9a6872007210f9f68a647.pdf",
		"text": "https://archive.orkl.eu/206870a8cfd2ebb685d9a6872007210f9f68a647.txt",
		"img": "https://archive.orkl.eu/206870a8cfd2ebb685d9a6872007210f9f68a647.jpg"
	}
}