Resubmissions

31-10-2023 08:38

231031-kjprfabf94 10

03-05-2022 14:53

220503-r9rgaacbbl 10

General

  • Target

    15319e2289bb351467d4944bff9ae6c08a16d1e6f321b42311defe4b337fb6f0

  • Size

    186KB

  • Sample

    220503-r9rgaacbbl

  • MD5

    efe5547a2572257807e7ff798ddb8b13

  • SHA1

    0e5b0e9299a9078a9c6cab5abaccc0aee328b6d4

  • SHA256

    15319e2289bb351467d4944bff9ae6c08a16d1e6f321b42311defe4b337fb6f0

  • SHA512

    397db5a334a35569296cc72962482aff2749644ca0a54e4f356ee2768eaf97f3fe516bb11905c82ee36d64ea22443588a8697d3543422f25194b0a267dfad13c

Malware Config

Extracted

Family

zloader

Botnet

CanadaLoads

Campaign

Nerino

C2

https://makemoneywithforexxs.com/bFnF0y1r/7QKpXmV3Pz.php

https://monanuslanus.com/bFnF0y1r/7QKpXmV3Pz.php

https://lericastrongs.com/bFnF0y1r/7QKpXmV3Pz.php

https://hyllionsudks.com/bFnF0y1r/7QKpXmV3Pz.php

https://crimewasddef.com/bFnF0y1r/7QKpXmV3Pz.php

https://derekdsingel.com/bFnF0y1r/7QKpXmV3Pz.php

https://simplereffiret.com/bFnF0y1r/7QKpXmV3Pz.php

https://regeerscomba.com/bFnF0y1r/7QKpXmV3Pz.php

Attributes
  • build_id

    73

rc4.plain
rsa_pubkey.plain

Targets

    • Target

      15319e2289bb351467d4944bff9ae6c08a16d1e6f321b42311defe4b337fb6f0

    • Size

      186KB

    • MD5

      efe5547a2572257807e7ff798ddb8b13

    • SHA1

      0e5b0e9299a9078a9c6cab5abaccc0aee328b6d4

    • SHA256

      15319e2289bb351467d4944bff9ae6c08a16d1e6f321b42311defe4b337fb6f0

    • SHA512

      397db5a334a35569296cc72962482aff2749644ca0a54e4f356ee2768eaf97f3fe516bb11905c82ee36d64ea22443588a8697d3543422f25194b0a267dfad13c

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

    • suricata: ET MALWARE Zbot POST Request to C2

      suricata: ET MALWARE Zbot POST Request to C2

    • Blocklisted process makes network request

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks