General

  • Target

    568b1d18c325b2be411b21a34c0b5a12bfa93201694ca0a2109876007078b99d

  • Size

    525KB

  • Sample

    220524-ryj8tseef7

  • MD5

    0c4e34983b797d71c1398962286a62d0

  • SHA1

    9314f44fc32b0afb38c466781727c8fca2b2f0a9

  • SHA256

    568b1d18c325b2be411b21a34c0b5a12bfa93201694ca0a2109876007078b99d

  • SHA512

    03144ce6410b416f961c7f6e5c9fa4112be54acfcd2ed554837c55aaa07227b09e88bcc09fce44a81f0f85cda06c8a0474ecfd08164c818e189aeb883a277d72

Malware Config

Extracted

  • Family

    zloader

  • Botnet

    goldhub

  • Campaign

    27_mario

  • C2

    https://209711.com/process.php
    https://106311.com/out.php
    https://124331.com/success.php
    https://1646zz.com/api.php

  • Attributes

    build_id: 75

    rc4.plain

Targets

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered in August 2015.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder (T1060), 1 match

  • Defense Evasion: Modify Registry (T1112), 1 match

Tasks