General

  • Target

    TeraBox_1.13.1.5 (1).exe

  • Size

    80.8MB

  • Sample

    230116-rdrr6scc2y

  • MD5

    403f3b034f8d216534f955688f468fab

  • SHA1

    f41b643a2744a933fb18130fb3dd3d2b0051518b

  • SHA256

    ded767690577af7c9513b14b6271c4d0f0309789b6dd2bcb2e47cb5aa017af53

  • SHA512

    7e30de1033f105905d30b36468d06ec38761620c63695e5aeb58d3763b6c613229913258c10a708604cfd502d362d14d8e16c76ce29c6a4124ec7b426860b780

  • SSDEEP

    1572864:WqUkKn6NpChkPSXgpUhBWXQi7/08StgJtctsuVSscPCrxn:hdFNAXXgqUF7jtXqv9F

Malware Config

Targets

    • Target

      TeraBox_1.13.1.5 (1).exe

    • Size

      80.8MB

    • MD5

      403f3b034f8d216534f955688f468fab

    • SHA1

      f41b643a2744a933fb18130fb3dd3d2b0051518b

    • SHA256

      ded767690577af7c9513b14b6271c4d0f0309789b6dd2bcb2e47cb5aa017af53

    • SHA512

      7e30de1033f105905d30b36468d06ec38761620c63695e5aeb58d3763b6c613229913258c10a708604cfd502d362d14d8e16c76ce29c6a4124ec7b426860b780

    • SSDEEP

      1572864:WqUkKn6NpChkPSXgpUhBWXQi7/08StgJtctsuVSscPCrxn:hdFNAXXgqUF7jtXqv9F

    • Modifies system executable filetype association

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

    • Executes dropped EXE

    • Registers COM server for autorun

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Change Default File Association

1
T1042

Registry Run Keys / Startup Folder

2
T1060

Defense Evasion

Modify Registry

3
T1112

Install Root Certificate

1
T1130

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Tasks