General

  • Target

    397eb08dc1794600fdd0c4744c2aeb12.exe

  • Size

    165KB

  • Sample

    210815-3fbz6e3pzj

  • MD5

    397eb08dc1794600fdd0c4744c2aeb12

  • SHA1

    5e7b7419c58ed1322917144efaa1b6ba87086b67

  • SHA256

    197473ef9099e43c74fc5dd19776cb4e001ccd39102c38c3bfa3f81db9fd92bb

  • SHA512

    669b705f38b7614e14957368048c590a82673c52c8281d3bd0c3d4d77f398d4f65fbbccc3a1e284579149432e26942e3b52df8876d83267f0ac4fc8974b94e69

Malware Config

Extracted

Family

zloader

Botnet

vasja

Campaign

vasja

C2

https://iqowijsdakm.com/gate.php

https://wiewjdmkfjn.com/gate.php

https://dksaoidiakjd.com/gate.php

https://iweuiqjdakjd.com/gate.php

https://yuidskadjna.com/gate.php

https://olksmadnbdj.com/gate.php

https://odsakmdfnbs.com/gate.php

https://odsakjmdnhsaj.com/gate.php

https://odjdnhsaj.com/gate.php

https://odoishsaj.com/gate.php

rc4.plain
rsa_pubkey.plain

Targets

    • Target

      397eb08dc1794600fdd0c4744c2aeb12.exe

    • Size

      165KB

    • MD5

      397eb08dc1794600fdd0c4744c2aeb12

    • SHA1

      5e7b7419c58ed1322917144efaa1b6ba87086b67

    • SHA256

      197473ef9099e43c74fc5dd19776cb4e001ccd39102c38c3bfa3f81db9fd92bb

    • SHA512

      669b705f38b7614e14957368048c590a82673c52c8281d3bd0c3d4d77f398d4f65fbbccc3a1e284579149432e26942e3b52df8876d83267f0ac4fc8974b94e69

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks