General

  • Target

    2c44e02c45efda7c498ef08219a5c5e917bd1b79e4bec7114a5ccb9b8ddfea52

  • Size

    861KB

  • Sample

    220201-mqkgeadafk

  • MD5

    05e87c6c9525fb866326a8c3115ac1e8

  • SHA1

    ba212c1819fef115142ba0ec545d376f8c998cea

  • SHA256

    2c44e02c45efda7c498ef08219a5c5e917bd1b79e4bec7114a5ccb9b8ddfea52

  • SHA512

    a97be4e794db32caa4898f018b51609d497a9aa0495f9d8c9b954b7637be1f4d0b6dc8bd8328889f3f200588c46505986eda06650eb3b4ef959e57bc7ca02fe2

Malware Config

Extracted

  • Family

    zloader

  • Botnet

    main

  • Campaign

    2020-06-07

C2


Attributes

  • build_id

    4

  • rc4.plain

  • rsa_pubkey.plain

Targets

    • Target

      attachment-2

    • Size

      596B

    • MD5

      75afa754580eb8ff885b9d57c7e04fb6

    • SHA1

      2b3649f301c0b045fa289d90996ac061ecbfd5dd

    • SHA256

      4760aeaf2e330be98a7396c222bf5b8a5833b1227e0246f80015e1b865f515a1

    • SHA512

      2c8f0e26da5ca9806fb792ca032625484a9d2ca1a5206b06ba834aa0531e677cf0d8cf34eaab05c193bf7922bd51363b9801fc6426bc8c7a9c4a74d8f2a586eb

    Score: 8/10

    • Target

      nzcukv_04537951.vbs

    • Size

      1.6MB

    • MD5

      984dd8740ae65dcc429e50928d0eef54

    • SHA1

      06a0a1a8c514ec9788a23cf5cbab77feef7d9386

    • SHA256

      d9315d5ec377dd1302291eba02fb6e7c036631b5b408eb48a432a229c2dcfda9

    • SHA512

      81ad586312d3931a211131e1d6f473004e15bd047a14e1f8237a128f85d9509a2090258741936e6c59d55c667cad2f4b625a929d5e9abd18677cf2887d35c851

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

    • Blocklisted process makes network request

    • Deletes itself

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion

  • Modify Registry (T1112): 2

Discovery

  • Query Registry (T1012): 2

  • System Information Discovery (T1082): 3

Command and Control

  • Web Service (T1102): 1
