General

  • Size

    291KB

  • Sample

    201103-q48kzh68as

  • MD5

    6d2343d950d09893a1dafda2a7b6bac7

  • SHA1

    b134043d846cb168949efba262897f0db4d67b03

  • SHA256

    4af92f08a32990d91c2628e7a196b98c8361a591ead8785a9bd9985020d9f580

  • SHA512

    48bfb460d340570965967e1b897923da81c16460ca3764bb88aac9a97faa90bce6e8a914af233f6cb417ae50f44d9ebeadb255756b7f51328480463143ad41ce

Malware Config

Extracted

Family

zloader

Botnet

r1

Campaign

r1

C2

https://notsweets.net/LKhwojehDgwegSDG/gateJKjdsh.php

https://olpons.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://karamelliar.org/LKhwojehDgwegSDG/gateJKjdsh.php

https://dogrunn.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://azoraz.net/LKhwojehDgwegSDG/gateJKjdsh.php

rc4.plain
rsa_pubkey.plain

Targets

    • Target

      wasm_003892.exe

    • Size

      291KB

    • MD5

      6d2343d950d09893a1dafda2a7b6bac7

    • SHA1

      b134043d846cb168949efba262897f0db4d67b03

    • SHA256

      4af92f08a32990d91c2628e7a196b98c8361a591ead8785a9bd9985020d9f580

    • SHA512

      48bfb460d340570965967e1b897923da81c16460ca3764bb88aac9a97faa90bce6e8a914af233f6cb417ae50f44d9ebeadb255756b7f51328480463143ad41ce

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

    • Blacklisted process makes network request

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Modifies service

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Command and Control

    Credential Access

    Defense Evasion

    Exfiltration

      Impact

        Initial Access

          Lateral Movement

            Privilege Escalation