Triage | Malware sandboxing report by Hatching Triage

Sharing

General

Target

45f3f5d22895889574eb220c91242129153c6d85374d08665348c3bbe3414543
Size

485KB
Sample

220520-3rmk6ahdd6
MD5

e4a088773d56d0f6e7d1582f100b5137
SHA1

5cf878a09b2de0b664467b928ad03453e5c1491e
SHA256

45f3f5d22895889574eb220c91242129153c6d85374d08665348c3bbe3414543
SHA512

eea5d926f100f5ae136e2ea5c71530ff087349ed89aa069b1cc4490ca8bb0432e1013e953de6c56befd660acd673d388aeef3e9db0ced7cbd4dd71ed432f0f6d

Score

10^/10

zloader r1 r1 botnet trojan

Malware Config

Extracted

Family	zloader
Botnet	r1
Campaign	r1
C2	http://bsraotpeiimmrnchcqvr.com/LKhwojehDgwegSDG/gateJKjdsh.php http://exqnbgauiphxqdeecitw.com/LKhwojehDgwegSDG/gateJKjdsh.php http://fpbkvirfkfvufpbkvgty.com/LKhwojehDgwegSDG/gateJKjdsh.php http://hikowojacckxccgglhvy.com/LKhwojehDgwegSDG/gateJKjdsh.php http://kdrowkrjhrdmbxkthljt.com/LKhwojehDgwegSDG/gateJKjdsh.php http://nvlmtlisfmcfgimicstx.com/LKhwojehDgwegSDG/gateJKjdsh.php http://syohvyctqfcgakxepsou.com/LKhwojehDgwegSDG/gateJKjdsh.php http://wdwrhikolxfwyyhwwfut.com/LKhwojehDgwegSDG/gateJKjdsh.php http://bsraotpeiimmrnchcqvr.com/LKhwojehDgwegSDG/gateJKjdsh.php http://exqnbgauiphxqdeecitw.com/LKhwojehDgwegSDG/gateJKjdsh.php http://fpbkvirfkfvufpbkvgty.com/LKhwojehDgwegSDG/gateJKjdsh.php http://hikowojacckxccgglhvy.com/LKhwojehDgwegSDG/gateJKjdsh.php http://kdrowkrjhrdmbxkthljt.com/LKhwojehDgwegSDG/gateJKjdsh.php http://nvlmtlisfmcfgimicstx.com/LKhwojehDgwegSDG/gateJKjdsh.php http://syohvyctqfcgakxepsou.com/LKhwojehDgwegSDG/gateJKjdsh.php http://wdwrhikolxfwyyhwwfut.com/LKhwojehDgwegSDG/gateJKjdsh.php
Attributes	build_id 17
rc4.plain
rsa_pubkey.plain

Targets

- Target
  
  45f3f5d22895889574eb220c91242129153c6d85374d08665348c3bbe3414543
- Size
  
  485KB
- MD5
  
  e4a088773d56d0f6e7d1582f100b5137
- SHA1
  
  5cf878a09b2de0b664467b928ad03453e5c1491e
- SHA256
  
  45f3f5d22895889574eb220c91242129153c6d85374d08665348c3bbe3414543
- SHA512
  
  eea5d926f100f5ae136e2ea5c71530ff087349ed89aa069b1cc4490ca8bb0432e1013e953de6c56befd660acd673d388aeef3e9db0ced7cbd4dd71ed432f0f6d
Score

10^/10

zloader r1 r1 botnet trojan
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Zloader, Terdot, DELoader, ZeusSphinx
  Zloader is a malware strain that was initially discovered back in August 2015.
  trojan botnet zloader
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Tasks

static1

behavioral1

zloaderr1r1botnettrojan

behavioral2

zloaderr1r1botnettrojan