General

  • Target

    1724328616838.html

  • Size

    6KB

  • Sample

    220929-q6bqzsbah2

  • MD5

    7cec8f7f684cb7a8dadecbfbd0e34177

  • SHA1

    d2e184572cb6504a2cd71a4c74a8063b45c56b77

  • SHA256

    5d554ed83ed475b1537cb7785a1c9139ad2e61ac2c6c8484472d01c2a039595d

  • SHA512

    1efd2c0cef5bce06f600d70e1068a274306e6b2af4dbc16ab791cff3ca9e7b4c2003e269487000b473efbb65a587a213cb7f80acbfa47efc7f73c20a72bb9729

  • SSDEEP

    96:LYyj2Ts4lnMO1KZgupQmjif+fA17UAVIH2tDrJzal4/vhLTdutp4iS56XNrx:Gs4BM/Bp6T1TVmerWiZT8ptSS

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://thevalueofamoment.com/wp-content/plugins/maintenance/images/

Targets

    • Target

      1724328616838.html

    • Size

      6KB

    • MD5

      7cec8f7f684cb7a8dadecbfbd0e34177

    • SHA1

      d2e184572cb6504a2cd71a4c74a8063b45c56b77

    • SHA256

      5d554ed83ed475b1537cb7785a1c9139ad2e61ac2c6c8484472d01c2a039595d

    • SHA512

      1efd2c0cef5bce06f600d70e1068a274306e6b2af4dbc16ab791cff3ca9e7b4c2003e269487000b473efbb65a587a213cb7f80acbfa47efc7f73c20a72bb9729

    • SSDEEP

      96:LYyj2Ts4lnMO1KZgupQmjif+fA17UAVIH2tDrJzal4/vhLTdutp4iS56XNrx:Gs4BM/Bp6T1TVmerWiZT8ptSS

    • NetSupport

      NetSupport is a remote access tool sold as a legitimate system administration software.

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

2
T1112

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Tasks