General

  • Size: 447KB
  • Sample: 220418-l9vaaaedg3
  • MD5: 83059ecb2b70c5c283938fdb798de541
  • SHA1: b8b151d34563d8510cbc4607b235edf57c36efaf
  • SHA256: 57dafb880df226e923da9f493c07980dc47b611f5bb6ebb337062de99b9e3a52
  • SHA512: ed8024d89af1bd4d6da38af44d8466365c666cf1a5c0a5baa02db1c5493888e60618fe0bb3e72c0368b7272e97e1d7447c12aeb9e253437a50bc6977267a834b

Malware Config

Extracted

  • Family: zloader
  • Botnet: r1
  • Campaign: r1
  • C2:
      https://notsweets.net/LKhwojehDgwegSDG/gateJKjdsh.php
      https://olpons.com/LKhwojehDgwegSDG/gateJKjdsh.php
      https://karamelliar.org/LKhwojehDgwegSDG/gateJKjdsh.php
      https://dogrunn.com/LKhwojehDgwegSDG/gateJKjdsh.php
      https://azoraz.net/LKhwojehDgwegSDG/gateJKjdsh.php
  • Attributes:
      build_id: 125
      rc4.plain
      rsa_pubkey.plain

Targets

    • Target: 57dafb880df226e923da9f493c07980dc47b611f5bb6ebb337062de99b9e3a52 (the sample described under General above)

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

    • Blocklisted process makes network request

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation