Overview

overview

10

Static

static

ycof.exe.dll

windows10_x64

10

Resubmissions

10-08-2023 17:03

230810-vktf5ahb8w 8

10-08-2023 16:18

230810-tsd6qseh75 5

12-10-2021 18:50

211012-xg8gzschfq 10

12-10-2021 18:01

211012-wl6zaacffq 10

06-10-2021 20:46

211006-zkl49sbhbq 10

05-10-2021 18:43

211005-xde19sacb2 10

04-10-2021 21:53

211004-1rxd9ahae5 1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ycof.exe

  • Size

    1.1MB

  • Sample

    211005-xde19sacb2

  • MD5

    54a3bcca6b1eb92adb299a46df941826

  • SHA1

    6988e010056d88985b8e8f8de06706327779d3ca

  • SHA256

    c4ab81d7b7d44dd6dfc4f2b69dbe3f22fbf23c1ae49ab8edac2d26f85ae4514d

  • SHA512

    4e4f10abf8a97f649060cb3eaa125a487141a42b87d2dc1449d87531d927031279bd7b48a3859ffa8f5d4400deea77022ecb00c61de8511756dc9c0d27e3f150

Score
10/10
zloader123123botnetpersistencetrojan

Malware Config

Extracted

Family

zloader

Botnet

123

Campaign

123

C2

http://gipc.in/post.php

http://fbhindia.com/post.php

http://ecolenefiber.com/post.php

http://design.ecolenefiber.com/post.php

http://beta.marlics.ir/post.php

http://hari.pk/post.php

http://iaiskjmalang.ac.id/post.php

http://314xd.com/post.php

http://ejournal.iaiskjmalang.ac.id/post.php

http://duanvn.com/post.php
rc4.plain
rsa_pubkey.plain

Targets

    • Target

      ycof.exe

    • Size

      1.1MB

    • MD5

      54a3bcca6b1eb92adb299a46df941826

    • SHA1

      6988e010056d88985b8e8f8de06706327779d3ca

    • SHA256

      c4ab81d7b7d44dd6dfc4f2b69dbe3f22fbf23c1ae49ab8edac2d26f85ae4514d

    • SHA512

      4e4f10abf8a97f649060cb3eaa125a487141a42b87d2dc1449d87531d927031279bd7b48a3859ffa8f5d4400deea77022ecb00c61de8511756dc9c0d27e3f150

    Score
    10/10
    zloader123123botnetpersistencetrojan

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

      trojanbotnetzloader

    • Blocklisted process makes network request

    • Modifies Installed Components in the registry

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1
T1059

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

2
T1120

System Information Discovery

4
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks