Resubmissions

  Submitted         Sample ID           Score
  03-08-2023 07:52  230803-jqkwdsca99   10/10
  27-07-2023 11:24  230727-nhyvhaec35   10/10
  26-12-2022 13:39  221226-qx588sgb9y   10/10
  26-12-2022 13:39  221226-qx1zhsgb9x   10/10
  26-12-2022 13:38  221226-qxxbbsda57   10/10
  26-12-2022 13:38  221226-qxjp8sda56   10/10

General

  • Target   zloader.zip
  • Size     912KB
  • Sample   221226-qx588sgb9y
  • MD5      5b9c3ed3664f0df742d8755c961cd38b
  • SHA1     644f0c7f36a70d126751ac048e77b0b90abf5643
  • SHA256   76f4db4f373809a4dba455b3370a049295e711f635fa4c070790e1cb907e31a6
  • SHA512   624ae16980a93a2c53725b639205212314596e0198b9957627b0d5e1fbc9dd7807bd55802f4493597da346b9bd181688fd9cd1ad76a738e5657486c9347258c7
  • SSDEEP   24576:3S/33QEH0A1jWxdkNruOgo67hcQcron7Hbn3QPIo0EvwHM/Tih:kA9ejW9Og9VcO3cIov3Gh

Malware Config

Five zloader configurations were extracted from the archive. Family, botnet, campaign, C2 list and build_id are reproduced as extracted. Each configuration also carries an rc4.plain attribute (RC4 key) and, where listed, an rsa_pubkey.plain attribute (RSA public key); their values are not included in this listing, only the attribute names.

Extracted (1 of 5)

  Family      zloader
  Botnet      DLLobnova
  Campaign    1017
  C2          https://fdsjfjdsfjdsjfdjsfh.com/gate.php
              https://fdsjfjdsfjdsdsjajjs.com/gate.php
              https://idisaudhasdhasdj.com/gate.php
              https://dsjdjsjdsadhasdas.com/gate.php
              https://dsdjfhdsufudhjas.com/gate.php
              https://dsdjfhdsufudhjas.info/gate.php
              https://fdsjfjdsfjdsdsjajjs.info/gate.php
              https://idisaudhasdhasdj.info/gate.php
  Attributes  • build_id: 28
              • rc4.plain

Extracted (2 of 5)

  Family      zloader
  Botnet      divader
  Campaign    xls_s_2010
  C2          https://kochamkkkras.ru/gate.php
              https://uookqihwdid.ru/gate.php
              https://iqowijsdakm.ru/gate.php
              https://wiewjdmkfjn.ru/gate.php
              https://dksaoidiakjd.su/gate.php
              https://iweuiqjdakjd.su/gate.php
              https://yuidskadjna.su/gate.php
              https://olksmadnbdj.su/gate.php
              https://odsakmdfnbs.su/gate.php
              https://odsakjmdnhsaj.su/gate.php
  Attributes  • build_id: 133
              • rc4.plain
              • rsa_pubkey.plain

Extracted (3 of 5)

  Family      zloader
  Botnet      vlenie10
  Campaign    obnova10
  C2          https://kdsidsiadsakfsas.com/gate.php
              https://jdafiasfjsafahhfs.com/gate.php
              https://dasifosafjasfhasf.com/gate.php
              https://kasfajfsafhasfhaf.com/gate.php
              https://fdsjfjdsfjdsjfdjsfh.com/gate.php
              https://fdsjfjdsfjdsdsjajjs.com/gate.php
              https://idisaudhasdhasdj.com/gate.php
              https://dsjdjsjdsadhasdas.com/gate.php
              https://dsdjfhdsufudhjas.com/gate.php
  Attributes  • build_id: 1869505135
              • rc4.plain

Extracted (4 of 5)

  Family      zloader
  Botnet      nut
  Campaign    18/02
  C2          https://ramkanshop.ir/post.php
              https://lph786.com/post.php
              https://efaschoolfarooka.com/post.php
              https://forexstick.com/post.php
              https://firteccom.com/post.php
              https://www.psychologynewmind.com/post.php
              https://dirashightapbide.tk/post.php
  Attributes  • build_id: 358
              • rc4.plain
              • rsa_pubkey.plain

Extracted (5 of 5)

  Family      zloader
  Botnet      nut
  Campaign    16/02
  C2          https://wewalk.cl/post.php
              https://dpack-co.com/post.php
              https://dr-mirahmadi.ir/post.php
              https://indiaastrologyfoundation.in/post.php
              https://metisacademy.ir/post.php
              https://lan-samarinda.com/post.php
              https://pyouleigorgawimbwans.tk/post.php
  Attributes  • build_id: 351
              • rc4.plain
              • rsa_pubkey.plain
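
The five configurations above share one shape (family, botnet, campaign, C2 URL list, build_id) and partly overlap in infrastructure: the DLLobnova/1017 and vlenie10/obnova10 configurations list the same five .com gate.php hosts, while the two nut campaigns use post.php on a different set of hosts. The Python below is an added example, not part of the sandbox report and not Zloader code. It transcribes the extracted configurations into a table, finds the hosts shared between botnets or campaigns, and emits Suricata DNS and TLS-SNI rules for every host. The hostnames are copied from this page; the rule message format, the sid range starting at SID_BASE, the Suricata 5+ keyword syntax (dns.query, tls.sni, endswith) and all function names are this example's own choices.

```python
"""Network indicators and Suricata rules from the Zloader configs above.

Added example, not part of the sandbox report and not Zloader code. CONFIGS
is a transcription of the five "Extracted" blocks on this page; the rule
message format, the sid range starting at SID_BASE and all helper names are
this example's own (assumed) choices.
"""
from collections import defaultdict
from urllib.parse import urlsplit

SID_BASE = 9000000  # assumed local sid range; pick one that does not collide

CONFIGS = [
    {"botnet": "DLLobnova", "campaign": "1017", "build_id": 28, "c2": [
        "https://fdsjfjdsfjdsjfdjsfh.com/gate.php", "https://fdsjfjdsfjdsdsjajjs.com/gate.php",
        "https://idisaudhasdhasdj.com/gate.php", "https://dsjdjsjdsadhasdas.com/gate.php",
        "https://dsdjfhdsufudhjas.com/gate.php", "https://dsdjfhdsufudhjas.info/gate.php",
        "https://fdsjfjdsfjdsdsjajjs.info/gate.php", "https://idisaudhasdhasdj.info/gate.php"]},
    {"botnet": "divader", "campaign": "xls_s_2010", "build_id": 133, "c2": [
        "https://kochamkkkras.ru/gate.php", "https://uookqihwdid.ru/gate.php",
        "https://iqowijsdakm.ru/gate.php", "https://wiewjdmkfjn.ru/gate.php",
        "https://dksaoidiakjd.su/gate.php", "https://iweuiqjdakjd.su/gate.php",
        "https://yuidskadjna.su/gate.php", "https://olksmadnbdj.su/gate.php",
        "https://odsakmdfnbs.su/gate.php", "https://odsakjmdnhsaj.su/gate.php"]},
    {"botnet": "vlenie10", "campaign": "obnova10", "build_id": 1869505135, "c2": [
        "https://kdsidsiadsakfsas.com/gate.php", "https://jdafiasfjsafahhfs.com/gate.php",
        "https://dasifosafjasfhasf.com/gate.php", "https://kasfajfsafhasfhaf.com/gate.php",
        "https://fdsjfjdsfjdsjfdjsfh.com/gate.php", "https://fdsjfjdsfjdsdsjajjs.com/gate.php",
        "https://idisaudhasdhasdj.com/gate.php", "https://dsjdjsjdsadhasdas.com/gate.php",
        "https://dsdjfhdsufudhjas.com/gate.php"]},
    {"botnet": "nut", "campaign": "18/02", "build_id": 358, "c2": [
        "https://ramkanshop.ir/post.php", "https://lph786.com/post.php",
        "https://efaschoolfarooka.com/post.php", "https://forexstick.com/post.php",
        "https://firteccom.com/post.php", "https://www.psychologynewmind.com/post.php",
        "https://dirashightapbide.tk/post.php"]},
    {"botnet": "nut", "campaign": "16/02", "build_id": 351, "c2": [
        "https://wewalk.cl/post.php", "https://dpack-co.com/post.php",
        "https://dr-mirahmadi.ir/post.php", "https://indiaastrologyfoundation.in/post.php",
        "https://metisacademy.ir/post.php", "https://lan-samarinda.com/post.php",
        "https://pyouleigorgawimbwans.tk/post.php"]},
]


def c2_hosts(config):
    """Hostnames from one config's C2 URLs (urlsplit lower-cases them)."""
    return {urlsplit(url).hostname for url in config["c2"]}


def c2_paths(configs):
    """Distinct URL paths across all configs (here /gate.php and /post.php)."""
    return {urlsplit(url).path for cfg in configs for url in cfg["c2"]}


def owners_by_host(configs):
    """host -> sorted (botnet, campaign) pairs whose config lists that host."""
    owners = defaultdict(set)
    for cfg in configs:
        for host in c2_hosts(cfg):
            owners[host].add((cfg["botnet"], cfg["campaign"]))
    return {host: sorted(pairs) for host, pairs in owners.items()}


def shared_hosts(configs):
    """Hosts that appear in more than one config: shared C2 infrastructure
    ties otherwise separately named botnets/campaigns together."""
    return {h: o for h, o in owners_by_host(configs).items() if len(o) > 1}


def suricata_rules(configs, sid_base=SID_BASE):
    """One dns.query rule and one tls.sni rule per host.

    Every C2 URL here is HTTPS, so the /gate.php or /post.php path is never
    visible on the wire; the DNS lookup and the TLS SNI are the points a
    sensor can see. 'endswith' keeps "<host>.attacker.net" from matching
    while still catching subdomains of the listed host.
    """
    rules, sid = [], sid_base
    for host, owners in sorted(owners_by_host(configs).items()):
        tag = ",".join(f"{b}/{c}" for b, c in owners)
        for proto, buf in (("dns", "dns.query"), ("tls", "tls.sni")):
            rules.append(
                f'alert {proto} $HOME_NET any -> any any ('
                f'msg:"ZLOADER C2 {proto.upper()} {host} [{tag}]"; '
                f'{buf}; content:"{host}"; nocase; endswith; '
                f'classtype:trojan-activity; sid:{sid}; rev:1;)')
            sid += 1
    return rules


if __name__ == "__main__":
    for host, owners in sorted(shared_hosts(CONFIGS).items()):
        print(f"{host}: shared by {owners}")
    print("\n".join(suricata_rules(CONFIGS)))
```

Because every C2 URL on this page is HTTPS, the /gate.php and /post.php paths exist only inside the TLS session, so the rules key on the DNS query and the TLS SNI rather than http.uri. Several of the nut-botnet hosts (www.psychologynewmind.com, for instance) look like ordinary websites rather than purpose-registered domains; the report does not say whether they are compromised, so hits on those are better triaged than auto-blocked.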

Targets

Five files from the archive were analysed; each target is named by its SHA256. All five match the family signature "Zloader, Terdot, DELoader, ZeusSphinx" (the report's description: Zloader is a malware strain that was initially discovered back in August 2015). The behavioural signatures listed under each target are the ones the sandbox reported for that file; the first target triggered only the family match.

  • Target   44ede6e1b9be1c013f13d82645f7a9cff7d92b267778f19b46aa5c1f7fa3c10b
    Size     570KB
    MD5      3f2036d6638df7dbeeaacd45d52c007b
    SHA1     fc747b3049c96afde43d91e6089da7d3865931b9
    SHA256   44ede6e1b9be1c013f13d82645f7a9cff7d92b267778f19b46aa5c1f7fa3c10b
    SHA512   7c48919e37abc7fb927f93b159f1b262e4168785f5f12a3b64f8d09a0c912f0a9af534a3343b5fdcf5b40bc437aa9b7308703d37be6022450733b46f6ccbfc8e
    SSDEEP   6144:oUCE98sDXeHfijLo9qLV+yJqG3OOU0qs4wLjqonWpWjaBQY:LCS6HQSmlqGW0EwLtWwe7
    Signatures
      Zloader, Terdot, DELoader, ZeusSphinx

  • Target   830700df4fc2b75b067479d6f2f67d51dff7e883d2a33793c905380a9351cb46
    Size     493KB
    MD5      efddc2807ecbdffd694cd97936404053
    SHA1     c68b7b94e591fbc4cda9bdb8c2caaa33880464c7
    SHA256   830700df4fc2b75b067479d6f2f67d51dff7e883d2a33793c905380a9351cb46
    SHA512   e6b0fd0f52c5b7e82bb66d08c4a3f8a4bddf1ce75c140e73afb4c1f57131df81e5d39f7833de15b40e980f0605bfd1840f81b610134634db000f6e18388bf09a
    SSDEEP   12288:WsCr6MfAEtHaqxnXmtkl0CMh+1wY7JuegO4I9y:Wsi6MBtHBzlRMg1wY34I9y
    Signatures
      Zloader, Terdot, DELoader, ZeusSphinx
      Blocklisted process makes network request
      Suspicious use of SetThreadContext

  • Target   b89d80ca3f0a5da24b8b768d2d5eb35ca1322f6bc2b01e265465ac95d7d61279
    Size     345KB
    MD5      adba2ac8f027946da258155b140c068a
    SHA1     91b1dceb17403910d7aa9bee1029f11153accff4
    SHA256   b89d80ca3f0a5da24b8b768d2d5eb35ca1322f6bc2b01e265465ac95d7d61279
    SHA512   356865ecaf00b10af50ec1f7ffdcc89249e1eaf2a1648c970393d7c66359e578ce9d6987f66dc49cb769e36e8ea62c4ff17d6b173bc793b61fa81e11e619229f
    SSDEEP   6144:q9xZILKtmfbcPK2U6gRURSxE8efnQe+R+FNHmZ04aR31cdpN0V:q9xZIL1bcPRUrURAOn8gTGCPMwV
    Signatures
      Zloader, Terdot, DELoader, ZeusSphinx
      Blocklisted process makes network request
      Suspicious use of SetThreadContext

  • Target   cad0968f5ab3bedeffef68bbe18f92946fb97967cef59970157029480ed15bb9
    Size     139KB
    MD5      d91b498e5fc6c91e1e86b339407b58f7
    SHA1     369e3c4646a69b99a797e0e288fd3145e2a6f35a
    SHA256   cad0968f5ab3bedeffef68bbe18f92946fb97967cef59970157029480ed15bb9
    SHA512   b981f7c4857327708233bf7e44bfb485c1cc7148ca850a63b12f854215edb583f5a499109d67b94f213226d23d0f4e0e5d04b888193fa5e799e30f051e9c9dbd
    SSDEEP   3072:XBkH2At/3YyzX2OpphkGYI+C9AwcOZBJ7zk:n6/IAFkCDc+BJ7w
    Signatures
      Zloader, Terdot, DELoader, ZeusSphinx
      Blocklisted process makes network request
      Adds Run key to start application
      Suspicious use of SetThreadContext

  • Target   e3932ab83bc05de2e91d321c4d479ff1aa3d10fdbd91e1687c80cc0ec88270e8
    Size     111KB
    MD5      e3564138588cba04c873bd054458f8b9
    SHA1     157ec7421e1333b714d01a750b6d5d6517a92c45
    SHA256   e3932ab83bc05de2e91d321c4d479ff1aa3d10fdbd91e1687c80cc0ec88270e8
    SHA512   2a2e8ce45a928bcffdb40ebf6559c1f071bb3feccfd9cfe355e593acb559ecf84858cf4474708d311317ab08b3f981eba7c8b80dceae973839a0eec9049665c8
    SSDEEP   1536:3ui/9Xb791Wff4K84oeRnobxxm2ShclQaLMin8F5vAC+WEQbAmTjTpeyv0+gPzff:H/J7jWHT/oegcaQF5XEgHbpeyvfgT
    Signatures
      Zloader, Terdot, DELoader, ZeusSphinx
      Blocklisted process makes network request
      Adds Run key to start application
      Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic            Technique                             ID      Matches
  Persistence       Registry Run Keys / Startup Folder    T1060   2
  Defense Evasion   Modify Registry                       T1112   2
  Discovery         Query Registry                        T1012   1
  Discovery         System Information Discovery          T1082   1

The IDs follow ATT&CK v6, which this report was generated against. In the current matrix T1060 has been retired and the same behaviour (the "Adds Run key to start application" signature above) is T1547.001, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; T1112, T1012 and T1082 keep their IDs. Map accordingly before feeding these into tooling that expects current technique IDs.

Tasks

  Task          Tags                                                    Score
  static1       dllobnova, 1017, zloader                                10/10
  behavioral1   zloader, divader, xls_s_2010, botnet, trojan            10/10
  behavioral2   zloader, divader, xls_s_2010, botnet, trojan            10/10
  behavioral3   zloader, divader, xls_s_2010, botnet, trojan            10/10
  behavioral4   zloader, nut, 18/02, botnet, trojan                     10/10
  behavioral5   zloader, nut, 18/02, botnet, trojan                     10/10
  behavioral6   zloader, nut, 18/02, botnet, trojan                     10/10
  behavioral7   zloader, nut, 16/02, botnet, trojan                     10/10
  behavioral8   zloader, nut, 16/02, botnet, trojan                     10/10
  behavioral9   zloader, nut, 16/02, botnet, trojan                     10/10
  behavioral10  zloader, vlenie10, obnova10, botnet, persistence, trojan   10/10
  behavioral11  zloader, vlenie10, obnova10, botnet, persistence, trojan   10/10
  behavioral12  zloader, vlenie10, obnova10, botnet, persistence, trojan   10/10
  behavioral13  zloader, dllobnova, 1017, botnet, persistence, trojan   10/10
  behavioral14  zloader, dllobnova, 1017, botnet, persistence, trojan   10/10
  behavioral15  zloader, dllobnova, 1017, botnet, persistence, trojan   10/10

The tags on each task are the family, botnet and campaign of the configuration that task extracted plus the behaviour classes it triggered; the persistence tag on behavioral10 to behavioral15 corresponds to the Run key signature under Targets.