General

  • Target: nocrypt.dll
  • Size: 156KB
  • Sample: 200828-qdptx5mqma
  • MD5: 388cc3b6cd3ae537f404e235556d78ad
  • SHA1: 2a41fdcb1e82af69fc6c41d572039204b16e43dd
  • SHA256: 63f29f078acebb36b44d7875c4a54ec051736481ee85898a2ad7e28e2fe1dc08
  • SHA512: 5edc123da2507e2bac2c642bce8b7654bc0c69c792cd1523dcc6766754220109040de2a2197a0314a47f0560cbd593a3f80606959654329b3af1af2de12584f2

Malware Config

Extracted

  • Family: zloader
  • Botnet: nut
  • Campaign: 14/08
  • C2:

  • Extracted artifacts: rc4.plain, rsa_pubkey.plain

Targets

    • Target: nocrypt.dll

    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Zloader, Terdot, DELoader, ZeusSphinx: Zloader is a malware strain that was initially discovered in August 2015.
    • Blacklisted process makes network request
    • Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials and similar secrets.
    • Modifies service
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                     ID      Count
  Execution          Command-Line Interface        T1059   1
  Persistence        Modify Existing Service       T1031   1
  Defense Evasion    Modify Registry               T1112   1
  Credential Access  Credentials in Files          T1081   1
  Discovery          Remote System Discovery       T1018   1
  Discovery          System Information Discovery  T1082   1
  Collection         Data from Local System        T1005   1
