zloader | bd5bee906d87632d7f2ee9417e295e27b8a188d8c709d9eeeccca57c906c6cc9

General

Target

bd5bee906d87632d7f2ee9417e295e27b8a188d8c709d9eeeccca57c906c6cc9
Size

255KB
Sample

220512-ntz7psdah3
MD5

d131c83e02079eb401b06efa61f24f64
SHA1

c287863877b16a7fc3298dedb45f2cb0b0e206b7
SHA256

bd5bee906d87632d7f2ee9417e295e27b8a188d8c709d9eeeccca57c906c6cc9
SHA512

50846a00c57d7c162c6c1ec989f556b20562318556af7d29cdb57064be2a084a0350de06c041749be734d077b956c94ae1ccffa084d5f32279f6575102fcbca6

Score

10^/10

Malware Config

Extracted

Family

zloader

Botnet

CanadaLoads

Campaign

Nerino

C2

https://rrspmlsd1.com/bFnF0y1r/7QKpXmV3Pz.php

https://reservationsffrec.com/bFnF0y1r/7QKpXmV3Pz.php

https://tempmailsin112.com/bFnF0y1r/7QKpXmV3Pz.php

https://roadonroadonroad.com/bFnF0y1r/7QKpXmV3Pz.php

https://roadtocaliss.com/bFnF0y1r/7QKpXmV3Pz.php

https://referrer222.com/bFnF0y1r/7QKpXmV3Pz.php

https://makeitrainfordee.com/bFnF0y1r/7QKpXmV3Pz.php

https://makeitrainforffeer.com/bFnF0y1r/7QKpXmV3Pz.php

Attributes

build_id
66

rc4.plain

rsa_pubkey.plain

Targets

- Target
  
  bd5bee906d87632d7f2ee9417e295e27b8a188d8c709d9eeeccca57c906c6cc9
- Size
  
  255KB
- MD5
  
  d131c83e02079eb401b06efa61f24f64
- SHA1
  
  c287863877b16a7fc3298dedb45f2cb0b0e206b7
- SHA256
  
  bd5bee906d87632d7f2ee9417e295e27b8a188d8c709d9eeeccca57c906c6cc9
- SHA512
  
  50846a00c57d7c162c6c1ec989f556b20562318556af7d29cdb57064be2a084a0350de06c041749be734d077b956c94ae1ccffa084d5f32279f6575102fcbca6
Score

10^/10

zloader canadaloads nerino botnet persistence trojan suricata
- Zloader, Terdot, DELoader, ZeusSphinx
  Zloader is a malware strain that was initially discovered back in August 2015.
  trojan botnet zloader
- suricata: ET MALWARE Zbot POST Request to C2
  suricata: ET MALWARE Zbot POST Request to C2
  suricata
- Blocklisted process makes network request
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Zloader, Terdot, DELoader, ZeusSphinx

suricata: ET MALWARE Zbot POST Request to C2

Blocklisted process makes network request

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2