Overview

overview

10

Static

static

a770fcb179...02.dll

windows7_x64

10

a770fcb179...02.dll

windows10-2004_x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a770fcb1791d4a1c1037921403f936fb699b4e86df500abc41cb7fa1d762e302

  • Size

    263KB

  • Sample

    220201-ljfzzacbhl

  • MD5

    a09afd2dd6a1c87b901903621200cbd1

  • SHA1

    81622fcfe94fb96acaa1898ca3230536d1e79f63

  • SHA256

    a770fcb1791d4a1c1037921403f936fb699b4e86df500abc41cb7fa1d762e302

  • SHA512

    ca657b4a3ec7e4ba17341a09cd31e63cdac28e7c9dc1dc71e422d98a54fc88dd876b214f63aafccfdef09cfea3047bb2715022b80b4a2be4be18be95662c1d4c

Score
10/10
zloaderdllobnovanewupdate326botnetpersistencesuricatatrojan

Malware Config

Extracted

Family

zloader

Botnet

DLLobnova

Campaign

newupdate326

C2

https://fdsjfjdsfjdsdsjajjs.com/gate.php

https://idisaudhasdhasdj.com/gate.php

https://dsjdjsjdsadhasdas.com/gate.php

https://dsdjfhdsufudhjas.com/gate.php

https://dsdjfhdsufudhjas.info/gate.php

https://fdsjfjdsfjdsdsjajjs.info/gate.php

https://idisaudhasdhasdj.info/gate.php

https://dsdjfhdsufudhjas.pro/gate.php

https://dsdjfhd9ddksaas.pro/gate.php
Attributes
  • build_id

    5

rc4.plain

Targets

    • Target

      a770fcb1791d4a1c1037921403f936fb699b4e86df500abc41cb7fa1d762e302

    • Size

      263KB

    • MD5

      a09afd2dd6a1c87b901903621200cbd1

    • SHA1

      81622fcfe94fb96acaa1898ca3230536d1e79f63

    • SHA256

      a770fcb1791d4a1c1037921403f936fb699b4e86df500abc41cb7fa1d762e302

    • SHA512

      ca657b4a3ec7e4ba17341a09cd31e63cdac28e7c9dc1dc71e422d98a54fc88dd876b214f63aafccfdef09cfea3047bb2715022b80b4a2be4be18be95662c1d4c

    Score
    10/10
    zloaderdllobnovanewupdate326botnetpersistencesuricatatrojan

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

      trojanbotnetzloader

    • suricata: ET MALWARE Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)

      suricata: ET MALWARE Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)

      suricata

    • suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

      suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

      suricata

    • suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

      suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

      suricata

    • Blocklisted process makes network request

    • Sets service image path in registry

      persistence

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks