zloader | 5f287d8b207645d9cfb47ff2aacb7ed2a6769fa14b1fe78c45a73efc73f0a84c

General

Target

5f287d8b207645d9cfb47ff2aacb7ed2a6769fa14b1fe78c45a73efc73f0a84c
Size

282KB
Sample

220201-mbt3ascgbl
MD5

d4177e2e225f0ba2c3a4575db7ea1a13
SHA1

983b44349669b40d276a4647ff9d7c0338860985
SHA256

5f287d8b207645d9cfb47ff2aacb7ed2a6769fa14b1fe78c45a73efc73f0a84c
SHA512

7fcce384e32d12f75577af3044f430259b2e104e236d0306506f90b38544d39cbc980878e76f52984790db16b55ca3f3e9976f893e08831237010fd31df17e92

Score

10^/10

Malware Config

Extracted

Family

zloader

Botnet

banking

Campaign

banking

C2

https://iloveyoubaby1.pro/gate.php

https://idsakjfsanfaskj.com/gate.php

https://fslakdasjdnsasjsj.com/gate.php

https://dksadjsahnfaskmsa.com/gate.php

https://dskdsajdsahda.info/gate.php

https://dskdsajdsadasda.info/gate.php

https://dskjdsadhsahjsas.info/gate.php

https://dsjadjsadjsadjafsa.info/gate.php

https://fsakjdsafasifkajfaf.pro/gate.php

https://djsadhsadsadjashs.pro/gate.php

Attributes

build_id
6

rc4.plain

Targets

- Target
  
  5f287d8b207645d9cfb47ff2aacb7ed2a6769fa14b1fe78c45a73efc73f0a84c
- Size
  
  282KB
- MD5
  
  d4177e2e225f0ba2c3a4575db7ea1a13
- SHA1
  
  983b44349669b40d276a4647ff9d7c0338860985
- SHA256
  
  5f287d8b207645d9cfb47ff2aacb7ed2a6769fa14b1fe78c45a73efc73f0a84c
- SHA512
  
  7fcce384e32d12f75577af3044f430259b2e104e236d0306506f90b38544d39cbc980878e76f52984790db16b55ca3f3e9976f893e08831237010fd31df17e92
Score

10^/10

zloader banking banking botnet persistence suricata trojan
- Zloader, Terdot, DELoader, ZeusSphinx
  Zloader is a malware strain that was initially discovered back in August 2015.
  trojan botnet zloader
- suricata: ET MALWARE Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
  suricata: ET MALWARE Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
  suricata
- suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
  suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
  suricata
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
  suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
  suricata
- Blocklisted process makes network request
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Zloader, Terdot, DELoader, ZeusSphinx

suricata: ET MALWARE Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)

suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

Blocklisted process makes network request

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2