Resubmissions

07-10-2021 08:07

211007-jz8ntacae4 10

08-09-2020 11:09

200908-l3refm7wkn 10

General

  • Target: raqus.exe.bin
  • Size: 327KB
  • Sample: 211007-jz8ntacae4
  • MD5: e0c83cdab8252cdf576d0c2e0f896c68
  • SHA1: 7c2866e7f78c2eee0fa7a2944e0ce69bd6e05287
  • SHA256: 66c5ef860657de1249cc39bb30d242ece8aba79ae37eb8cb1b908b3f61040524
  • SHA512: 375fae6ac5eee84c702fb0e19cb14606a0d8ca9824b1ac428f2a01bf145908fd661680ebc3517e9260a1921c81f656188f8cc37c785e5d1eb6d37940da8734e6

Malware Config

Extracted

Family

zloader

Botnet

SG

Campaign

SG

C2


rc4.plain
rsa_pubkey.plain

Targets

    • Target: raqus.exe.bin
    • Size: 327KB
    • MD5: e0c83cdab8252cdf576d0c2e0f896c68
    • SHA1: 7c2866e7f78c2eee0fa7a2944e0ce69bd6e05287
    • SHA256: 66c5ef860657de1249cc39bb30d242ece8aba79ae37eb8cb1b908b3f61040524
    • SHA512: 375fae6ac5eee84c702fb0e19cb14606a0d8ca9824b1ac428f2a01bf145908fd661680ebc3517e9260a1921c81f656188f8cc37c785e5d1eb6d37940da8734e6

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Discovery

System Information Discovery

1
T1082

Tasks