zloader | 440496a116ae475c19a8a00af2b51c05c6a62040c4ec556fc7e7788682962be6

General

Target

case (2553).xls
Size

153KB
Sample

210126-7d9znww1ts
MD5

cab7720d67d7700d40b24fee321734ce
SHA1

cb22de552873492e9925853b3cb7ad2ad5a00e8c
SHA256

440496a116ae475c19a8a00af2b51c05c6a62040c4ec556fc7e7788682962be6
SHA512

2e9a2d66ac702b37a2326782de191c83dc9dbee0f3507dfe003b5f75de68de4771be132cbfb1b00065ba322ce4515d1e292de83a5819726acfbe7c3325f4ac87

Score

10^/10

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://coopacaustro.com/kev/scfrd.dll

Extracted

Family

zloader

Botnet

kev

Campaign

26/01

C2

https://gadgetswolf.com/post.php

https://homesoapmolds.com/post.php

https://govemedico.tk/post.php

rc4.plain

rsa_pubkey.plain

Targets

- Target
  
  case (2553).xls
- Size
  
  153KB
- MD5
  
  cab7720d67d7700d40b24fee321734ce
- SHA1
  
  cb22de552873492e9925853b3cb7ad2ad5a00e8c
- SHA256
  
  440496a116ae475c19a8a00af2b51c05c6a62040c4ec556fc7e7788682962be6
- SHA512
  
  2e9a2d66ac702b37a2326782de191c83dc9dbee0f3507dfe003b5f75de68de4771be132cbfb1b00065ba322ce4515d1e292de83a5819726acfbe7c3325f4ac87
Score

10^/10

zloader kev 26/01 botnet ransomware trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Zloader, Terdot, DELoader, ZeusSphinx
  Zloader is a malware strain that was initially discovered back in August 2015.
  trojan botnet zloader
- Blocklisted process makes network request
- Loads dropped DLL
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  ransomware
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Process spawned unexpected child process

Zloader, Terdot, DELoader, ZeusSphinx

Blocklisted process makes network request

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2