zloader | a1297a535f5ac9ca22d8c1200098eb01e16860ef3c840457f98000ac6a5087cc | Triage

Resubmissions

29/10/2020, 16:21

201029-sfamlcy2aj 10

29/10/2020, 16:15

201029-jk9vy2x46s 10

29/10/2020, 15:23

201029-3eee5a1gls 1

Sharing

General

Target

ebook_29.10.20.exe
Size

310KB
Sample

201029-sfamlcy2aj
MD5

cd1f5e41d727816c6ca5e6c073130df4
SHA1

5d9a72b2b721aa7834d3f3bb07225ce48d4bc3fb
SHA256

a1297a535f5ac9ca22d8c1200098eb01e16860ef3c840457f98000ac6a5087cc
SHA512

4f88ce58d61fa0eb4fc8ad2ce068a3044bcc7f205819cab5c39a998147f034869994c849ee022b487d3708d62167cc766d406e4310d301be1e51b1b1a7f3c588

Score

10^/10

zloader r1 r1 botnet persistence spyware trojan

Malware Config

Extracted

Family

zloader

Botnet

r1

Campaign

r1

C2

https://notsweets.net/LKhwojehDgwegSDG/gateJKjdsh.php

https://olpons.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://karamelliar.org/LKhwojehDgwegSDG/gateJKjdsh.php

https://dogrunn.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://azoraz.net/LKhwojehDgwegSDG/gateJKjdsh.php

rc4.plain

rsa_pubkey.plain

Targets

- Target
  
  ebook_29.10.20.exe
- Size
  
  310KB
- MD5
  
  cd1f5e41d727816c6ca5e6c073130df4
- SHA1
  
  5d9a72b2b721aa7834d3f3bb07225ce48d4bc3fb
- SHA256
  
  a1297a535f5ac9ca22d8c1200098eb01e16860ef3c840457f98000ac6a5087cc
- SHA512
  
  4f88ce58d61fa0eb4fc8ad2ce068a3044bcc7f205819cab5c39a998147f034869994c849ee022b487d3708d62167cc766d406e4310d301be1e51b1b1a7f3c588
Score

10^/10

zloader r1 r1 botnet persistence spyware trojan
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Zloader, Terdot, DELoader, ZeusSphinx
  Zloader is a malware strain that was initially discovered back in August 2015.
  trojan botnet zloader
- Blacklisted process makes network request
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Modifies service
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

zloaderr1r1botnetpersistencespywaretrojan