Overview

overview

10

Static

static

be73a8b054...fb.vbs

windows7_x64

10

be73a8b054...fb.vbs

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    be73a8b0548f93351984b116d42f6559311fdb6e757dcd174958d8b0028ac1fb

  • Size

    1.0MB

  • Sample

    220201-erbxnahae5

  • MD5

    7e8c741445cde9246b96c96a9cb89cd1

  • SHA1

    93409daece5165c0916e4e45d4c62292f57b34db

  • SHA256

    be73a8b0548f93351984b116d42f6559311fdb6e757dcd174958d8b0028ac1fb

  • SHA512

    6d27fefa6c01fc07cd5d7ea2d69f9a061ac6438327dec2b1474316c0601ed3f7baeeb37b1fcfac0128274bec9d50f27e5006364006f419927de499cd159a411a

Score
10/10
zloadermain29.03.2020botnetpersistencetrojan

Malware Config

Extracted

Family

zloader

Botnet

main

Campaign

29.03.2020

C2

https://postgringos.com/sound.php

https://tetraslims.com/sound.php

https://greenrumba.com/sound.php

https://starterdatas.com/sound.php

https://nexycombats.com/sound.php

https://peermems.com/sound.php

https://fotonums.com/sound.php

https://hibsurf.com/sound.php

https://buhismus.com/sound.php

https://spensores.com/sound.php
Attributes
  • build_id

    30

rc4.plain

Targets

    • Target

      be73a8b0548f93351984b116d42f6559311fdb6e757dcd174958d8b0028ac1fb

    • Size

      1.0MB

    • MD5

      7e8c741445cde9246b96c96a9cb89cd1

    • SHA1

      93409daece5165c0916e4e45d4c62292f57b34db

    • SHA256

      be73a8b0548f93351984b116d42f6559311fdb6e757dcd174958d8b0028ac1fb

    • SHA512

      6d27fefa6c01fc07cd5d7ea2d69f9a061ac6438327dec2b1474316c0601ed3f7baeeb37b1fcfac0128274bec9d50f27e5006364006f419927de499cd159a411a

    Score
    10/10
    zloadermain29.03.2020botnetpersistencetrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

      trojanbotnetzloader

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks