General
-
Target
bfcff5e7e6343d0d16a52eddf28d7e59
-
Size
83KB
-
Sample
210624-hbenn1z1mx
-
MD5
bfcff5e7e6343d0d16a52eddf28d7e59
-
SHA1
f8bdc43c739668087d3d754587c62e2498a45559
-
SHA256
83c31903a72e894c0c0a74bc456a9ce007991bf682f1d072905865207adc8fbf
-
SHA512
820d3150567d75556e80b847c0bcdb3f0859f61e781b92c6b908621c84b57ca62ee73347da4f6cf7ac212904b0649b36bef8fd8f06b70e56a6ff18bf521e30ec
Malware Config
Targets
-
-
Target
bfcff5e7e6343d0d16a52eddf28d7e59
-
Size
83KB
-
MD5
bfcff5e7e6343d0d16a52eddf28d7e59
-
SHA1
f8bdc43c739668087d3d754587c62e2498a45559
-
SHA256
83c31903a72e894c0c0a74bc456a9ce007991bf682f1d072905865207adc8fbf
-
SHA512
820d3150567d75556e80b847c0bcdb3f0859f61e781b92c6b908621c84b57ca62ee73347da4f6cf7ac212904b0649b36bef8fd8f06b70e56a6ff18bf521e30ec
Score10/10-
Modifies system executable filetype association
-
Registers COM server for autorun
-
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
-
Creates new service(s)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Installed Components in the registry
-
Sets DLL path for service in the registry
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Drops Chrome extension
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-