Overview

overview

10

Static

static

15319e2289...f0.exe

windows7_x64

10

15319e2289...f0.exe

windows10-2004_x64

10

Resubmissions

31-10-2023 08:38

231031-kjprfabf94 10

03-05-2022 14:53

220503-r9rgaacbbl 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    15319e2289bb351467d4944bff9ae6c08a16d1e6f321b42311defe4b337fb6f0

  • Size

    186KB

  • Sample

    220503-r9rgaacbbl

  • MD5

    efe5547a2572257807e7ff798ddb8b13

  • SHA1

    0e5b0e9299a9078a9c6cab5abaccc0aee328b6d4

  • SHA256

    15319e2289bb351467d4944bff9ae6c08a16d1e6f321b42311defe4b337fb6f0

  • SHA512

    397db5a334a35569296cc72962482aff2749644ca0a54e4f356ee2768eaf97f3fe516bb11905c82ee36d64ea22443588a8697d3543422f25194b0a267dfad13c

Score
10/10
zloadercanadaloadsnerinobotnetpersistencesuricatatrojan

Malware Config

Extracted

Family

zloader

Botnet

CanadaLoads

Campaign

Nerino

C2

https://makemoneywithforexxs.com/bFnF0y1r/7QKpXmV3Pz.php

https://monanuslanus.com/bFnF0y1r/7QKpXmV3Pz.php

https://lericastrongs.com/bFnF0y1r/7QKpXmV3Pz.php

https://hyllionsudks.com/bFnF0y1r/7QKpXmV3Pz.php

https://crimewasddef.com/bFnF0y1r/7QKpXmV3Pz.php

https://derekdsingel.com/bFnF0y1r/7QKpXmV3Pz.php

https://simplereffiret.com/bFnF0y1r/7QKpXmV3Pz.php

https://regeerscomba.com/bFnF0y1r/7QKpXmV3Pz.php
Attributes
  • build_id

    73

rc4.plain
rsa_pubkey.plain

Targets

    • Target

      15319e2289bb351467d4944bff9ae6c08a16d1e6f321b42311defe4b337fb6f0

    • Size

      186KB

    • MD5

      efe5547a2572257807e7ff798ddb8b13

    • SHA1

      0e5b0e9299a9078a9c6cab5abaccc0aee328b6d4

    • SHA256

      15319e2289bb351467d4944bff9ae6c08a16d1e6f321b42311defe4b337fb6f0

    • SHA512

      397db5a334a35569296cc72962482aff2749644ca0a54e4f356ee2768eaf97f3fe516bb11905c82ee36d64ea22443588a8697d3543422f25194b0a267dfad13c

    Score
    10/10
    zloadercanadaloadsnerinobotnetpersistencetrojansuricata

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

      trojanbotnetzloader

    • suricata: ET MALWARE Zbot POST Request to C2

      suricata: ET MALWARE Zbot POST Request to C2

      suricata

    • Blocklisted process makes network request

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks