General

  • Target: temp.dll

  • Size: 475KB

  • Sample: 210107-f6we4dkpgx

  • MD5: 8f1c25c81a61dc6d7e0ed8066436add5

  • SHA1: 8010bf81c3acb3d45f2f51dd153aad16fd5f2e34

  • SHA256: 9b281a8220a6098fefe1abd6de4fc126fddfa4f08ed1b90d15c9e0514d77e166

  • SHA512: 8b983cd1661ce6701ef9ac015d7d34d7011b87b01227ba0e763fdc00879a30edffe98fa7937831baacabfd5c1ec534a4556151bb13a2f0cacba3426754bd9449

Malware Config

Extracted

  • Family: zloader

  • Botnet: Jho

  • Campaign: 25/03

  • C2:

    https://wgyvjbse.pw/milagrecf.php

    https://botiq.xyz/milagrecf.php

  • rc4.plain

Targets

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Registry Run Keys / Startup Folder (T1060), count 1

  • Defense Evasion: Modify Registry (T1112), count 1
