zloader | 2c44e02c45efda7c498ef08219a5c5e917bd1b79e4bec7114a5ccb9b8ddfea52 | Triage

Sharing

General

Target

2c44e02c45efda7c498ef08219a5c5e917bd1b79e4bec7114a5ccb9b8ddfea52
Size

861KB
Sample

220201-mqkgeadafk
MD5

05e87c6c9525fb866326a8c3115ac1e8
SHA1

ba212c1819fef115142ba0ec545d376f8c998cea
SHA256

2c44e02c45efda7c498ef08219a5c5e917bd1b79e4bec7114a5ccb9b8ddfea52
SHA512

a97be4e794db32caa4898f018b51609d497a9aa0495f9d8c9b954b7637be1f4d0b6dc8bd8328889f3f200588c46505986eda06650eb3b4ef959e57bc7ca02fe2

Score

10^/10

zloader main 2020-06-07 botnet persistence trojan

Malware Config

Extracted

Family

zloader

Botnet

main

Campaign

2020-06-07

C2

https://matarlod.org/web/data

https://datearoc.org/web/data

https://rechnecy.org/web/data

https://ramissal.org/web/data

https://raidesci.org/web/data

https://glartrot.org/web/data

https://revenapo.org/web/data

https://brenonip.org/web/data

Attributes

build_id
4

rc4.plain

rsa_pubkey.plain

Targets

- Target
  
  attachment-2
- Size
  
  596B
- MD5
  
  75afa754580eb8ff885b9d57c7e04fb6
- SHA1
  
  2b3649f301c0b045fa289d90996ac061ecbfd5dd
- SHA256
  
  4760aeaf2e330be98a7396c222bf5b8a5833b1227e0246f80015e1b865f515a1
- SHA512
  
  2c8f0e26da5ca9806fb792ca032625484a9d2ca1a5206b06ba834aa0531e677cf0d8cf34eaab05c193bf7922bd51363b9801fc6426bc8c7a9c4a74d8f2a586eb
Score

8^/10

persistence
- Sets service image path in registry
  persistence
behavioral1 behavioral2
- Target
  
  nzcukv_04537951.vbs
- Size
  
  1.6MB
- MD5
  
  984dd8740ae65dcc429e50928d0eef54
- SHA1
  
  06a0a1a8c514ec9788a23cf5cbab77feef7d9386
- SHA256
  
  d9315d5ec377dd1302291eba02fb6e7c036631b5b408eb48a432a229c2dcfda9
- SHA512
  
  81ad586312d3931a211131e1d6f473004e15bd047a14e1f8237a128f85d9509a2090258741936e6c59d55c667cad2f4b625a929d5e9abd18677cf2887d35c851
Score

10^/10

zloader main 2020-06-07 botnet trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Zloader, Terdot, DELoader, ZeusSphinx
  Zloader is a malware strain that was initially discovered back in August 2015.
  trojan botnet zloader
- Blocklisted process makes network request
- Deletes itself
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral3 behavioral4

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

zloadermain2020-06-07botnettrojan

behavioral4