Resubmissions

02-11-2020 07:00

201102-kdx16rhl5a 10

01-11-2020 18:45

201101-xwtjyyb6hn 1

General

  • Target

    bd91abd60357f47d4a163df3fc27b795.exe

  • Size

    291KB

  • Sample

    201102-kdx16rhl5a

  • MD5

    bd91abd60357f47d4a163df3fc27b795

  • SHA1

    7e572733b2ef7266dfdb237c32d73919df6ae298

  • SHA256

    a50844184119e66e5d3a663be6d2d57d72a6748b6ce2d11974c688c8bc40d710

  • SHA512

    4ad41d25cd85d16e5bc932ee68dcb79ed4845e679e7b14f23a32f7a57fc5aa783e0cd2eb7f5b58e7c8918e81f316bcffb7c658efc1d25223576b5383df39e604

Malware Config

Extracted

Family

zloader

Botnet

r1

Campaign

r1

C2

https://notsweets.net/LKhwojehDgwegSDG/gateJKjdsh.php

https://olpons.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://karamelliar.org/LKhwojehDgwegSDG/gateJKjdsh.php

https://dogrunn.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://azoraz.net/LKhwojehDgwegSDG/gateJKjdsh.php

rc4.plain
rsa_pubkey.plain

Targets

    • Target

      bd91abd60357f47d4a163df3fc27b795.exe

    • Size

      291KB

    • MD5

      bd91abd60357f47d4a163df3fc27b795

    • SHA1

      7e572733b2ef7266dfdb237c32d73919df6ae298

    • SHA256

      a50844184119e66e5d3a663be6d2d57d72a6748b6ce2d11974c688c8bc40d710

    • SHA512

      4ad41d25cd85d16e5bc932ee68dcb79ed4845e679e7b14f23a32f7a57fc5aa783e0cd2eb7f5b58e7c8918e81f316bcffb7c658efc1d25223576b5383df39e604

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

    • Blacklisted process makes network request

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

          Discovery

            Execution

              Exfiltration

                Impact

                  Initial Access

                    Lateral Movement

                      Persistence

                        Privilege Escalation

                          Tasks