Resubmissions

  • 05-11-2020 15:14

    201105-5ddpd3tj7s 10

  • 05-11-2020 14:58

    201105-pp77evg3sa 10

General

  • Target

    2d742c7cfeab4431589c2516392b52a02a1b7b9816d399b62824accf4bcd59e1.dll

  • Size

    278KB

  • Sample

    201105-5ddpd3tj7s

  • MD5

    b169aa7731c4afba6e9126da8d34417c

  • SHA1

    60acfbd81d9012e1279a44c1ca8c81aaee36c086

  • SHA256

    2d742c7cfeab4431589c2516392b52a02a1b7b9816d399b62824accf4bcd59e1

  • SHA512

    4aca3e1f14ab63e1de9e986b87d860608db18b5bacc6980a6a65e11d59eaf6811227f3187b4d4985afacbe813765b0447ef56be5067cd9258d4ee1c727ae3a1b

Malware Config

Extracted

  • Family

    zloader

  • Botnet

    usa

  • Campaign

    oct29USA

  • C2

    http://wingtonwelbemdon.com/web/post.php
    http://donburitimesofindia.com/web/post.php
    http://celtictimesofkarishan.com/web/post.php
    http://welcometothehotelsoflifes.com/web/post.php
    http://wheredidtheelllcctoncsgo.com/web/post.php
    http://myworld2002020999.com/web/post.php

  • rc4.plain

  • rsa_pubkey.plain

Targets

    • Target

      2d742c7cfeab4431589c2516392b52a02a1b7b9816d399b62824accf4bcd59e1.dll

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Modifies service

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Command-Line Interface (T1059): 1

  • Persistence

    Modify Existing Service (T1031): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Credential Access

    Credentials in Files (T1081): 2

  • Discovery

    Remote System Discovery (T1018): 1
    System Information Discovery (T1082): 1

  • Collection

    Data from Local System (T1005): 2

Tasks