Malware sandboxing report by Hatching Triage

General

Target

0di3x.bin.zip
Size

78KB
Sample

201116-96rt48lgr2
MD5

10ad9e03b54e22c1da056d8fab1b289d
SHA1

98f3bd0b931de340ffdc52241a779f3cee9465de
SHA256

84e8caaf836da889b6f7c4d7e53c682274d23fdfa84011efe29c1894b7b16bd3
SHA512

c506f3a0612dfa40ca939f67131788c24e7d5b1e6b62558bc89247e1b435a21fb29dfdac88b9176dc46b84e38c2c618ad9fe4df03b280b887d676faccdb5b4d9

Score

10^/10

smokeloader zloader r1 r1 backdoor botnet trojan

Malware Config

Extracted

Family	smokeloader
Version	2020
C2	http://etasuklavish.today/ http://mragyzmachnobesdi.today/ http://kimchinikuzims.today/ http://slacvostinrius.today/ http://straponuliusyn.today/ http://grammmdinss.today/ http://viprasputinsd.chimkent.su/ http://lupadypa.dagestan.su/ http://stoknolimchin.exnet.su/ http://musaroprovadnikov.live/ http://teemforyourexprensiti.life/ http://stolkgolmishutich.termez.su/ http://roompampamgandish.wtf/ http://etasuklavish.today/ http://mragyzmachnobesdi.today/ http://kimchinikuzims.today/ http://slacvostinrius.today/ http://straponuliusyn.today/ http://grammmdinss.today/ http://viprasputinsd.chimkent.su/ http://lupadypa.dagestan.su/ http://stoknolimchin.exnet.su/ http://musaroprovadnikov.live/ http://teemforyourexprensiti.life/ http://stolkgolmishutich.termez.su/ http://roompampamgandish.wtf/
rc4.i32
rc4.i32

Extracted

Family	zloader
Botnet	r1
Campaign	r1
C2	https://notsweets.net/LKhwojehDgwegSDG/gateJKjdsh.php https://olpons.com/LKhwojehDgwegSDG/gateJKjdsh.php https://karamelliar.org/LKhwojehDgwegSDG/gateJKjdsh.php https://dogrunn.com/LKhwojehDgwegSDG/gateJKjdsh.php https://azoraz.net/LKhwojehDgwegSDG/gateJKjdsh.php https://notsweets.net/LKhwojehDgwegSDG/gateJKjdsh.php https://olpons.com/LKhwojehDgwegSDG/gateJKjdsh.php https://karamelliar.org/LKhwojehDgwegSDG/gateJKjdsh.php https://dogrunn.com/LKhwojehDgwegSDG/gateJKjdsh.php https://azoraz.net/LKhwojehDgwegSDG/gateJKjdsh.php
rc4.plain
rsa_pubkey.plain

Targets

- Target
  
  0di3x.bin
- Size
  
  111KB
- MD5
  
  bd97f762750d0e38e38d5e8f7363f66a
- SHA1
  
  9ae3d7053246289ff908758f9d60d79586f7fc9f
- SHA256
  
  d4b767b57f453d599559532d7351feeecd4027b89b0b117552b7a3432ed4a158
- SHA512
  
  d0f00c07563aab832b181a7ab93413a93f913f813c83d63c25f4473b7fa2003b4b2a83c97bd9766f9f45a7f2de9e922139a010612f21b15407c9f2bb58a53e39
Score

10^/10

smokeloader zloader r1 r1 backdoor botnet trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Zloader, Terdot, DELoader, ZeusSphinx
  Zloader is a malware strain that was initially discovered back in August 2015.
  trojan botnet zloader
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
behavioral1

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Tasks

static1

Score

N/A

behavioral1

smokeloaderzloaderr1r1backdoorbotnettrojan

Score

10^/10

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Targets

SmokeLoader

Zloader, Terdot, DELoader, ZeusSphinx

Executes dropped EXE

Deletes itself

Loads dropped DLL

MITRE ATT&CK Matrix

Tasks

static1

behavioral1