General

  • Size

    310KB

  • Sample

    201029-sfamlcy2aj

  • MD5

    cd1f5e41d727816c6ca5e6c073130df4

  • SHA1

    5d9a72b2b721aa7834d3f3bb07225ce48d4bc3fb

  • SHA256

    a1297a535f5ac9ca22d8c1200098eb01e16860ef3c840457f98000ac6a5087cc

  • SHA512

    4f88ce58d61fa0eb4fc8ad2ce068a3044bcc7f205819cab5c39a998147f034869994c849ee022b487d3708d62167cc766d406e4310d301be1e51b1b1a7f3c588

Malware Config

Extracted

Family

zloader

Botnet

r1

Campaign

r1

C2

https://notsweets.net/LKhwojehDgwegSDG/gateJKjdsh.php

https://olpons.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://karamelliar.org/LKhwojehDgwegSDG/gateJKjdsh.php

https://dogrunn.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://azoraz.net/LKhwojehDgwegSDG/gateJKjdsh.php

rc4.plain
rsa_pubkey.plain

Targets

    • Target

      ebook_29.10.20.exe

    • Size

      310KB

    • MD5

      cd1f5e41d727816c6ca5e6c073130df4

    • SHA1

      5d9a72b2b721aa7834d3f3bb07225ce48d4bc3fb

    • SHA256

      a1297a535f5ac9ca22d8c1200098eb01e16860ef3c840457f98000ac6a5087cc

    • SHA512

      4f88ce58d61fa0eb4fc8ad2ce068a3044bcc7f205819cab5c39a998147f034869994c849ee022b487d3708d62167cc766d406e4310d301be1e51b1b1a7f3c588

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

    • Blacklisted process makes network request

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Modifies service

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Command and Control

    Credential Access

    Defense Evasion

    Exfiltration

      Impact

        Initial Access

          Lateral Movement

            Privilege Escalation