Overview

overview

10

Static

static

galadriel

windows7_x64

10

Resubmissions

03-11-2020 12:42

201103-q48kzh68as 10

03-11-2020 10:49

201103-dkgw764v12 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    wasm_003892.exe

  • Size

    291KB

  • Sample

    201103-q48kzh68as

  • MD5

    6d2343d950d09893a1dafda2a7b6bac7

  • SHA1

    b134043d846cb168949efba262897f0db4d67b03

  • SHA256

    4af92f08a32990d91c2628e7a196b98c8361a591ead8785a9bd9985020d9f580

  • SHA512

    48bfb460d340570965967e1b897923da81c16460ca3764bb88aac9a97faa90bce6e8a914af233f6cb417ae50f44d9ebeadb255756b7f51328480463143ad41ce

Score
10/10
zloaderr1r1botnetpersistencespywaretrojan

Malware Config

Extracted

Family

zloader

Botnet

r1

Campaign

r1

C2

https://notsweets.net/LKhwojehDgwegSDG/gateJKjdsh.php

https://olpons.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://karamelliar.org/LKhwojehDgwegSDG/gateJKjdsh.php

https://dogrunn.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://azoraz.net/LKhwojehDgwegSDG/gateJKjdsh.php

rc4.plain
rsa_pubkey.plain

Targets

    • Target

      wasm_003892.exe

    • Size

      291KB

    • MD5

      6d2343d950d09893a1dafda2a7b6bac7

    • SHA1

      b134043d846cb168949efba262897f0db4d67b03

    • SHA256

      4af92f08a32990d91c2628e7a196b98c8361a591ead8785a9bd9985020d9f580

    • SHA512

      48bfb460d340570965967e1b897923da81c16460ca3764bb88aac9a97faa90bce6e8a914af233f6cb417ae50f44d9ebeadb255756b7f51328480463143ad41ce

    Score
    10/10
    zloaderr1r1botnetpersistencespywaretrojan

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

      trojanbotnetzloader

    • Blacklisted process makes network request

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spyware

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Modifies service

      persistence

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix

Collection

Command and Control

    Credential Access

    Defense Evasion

    Discovery

    Execution

    Exfiltration

      Impact

        Initial Access

          Lateral Movement

            Persistence

            Privilege Escalation

              Tasks