Resubmissions

08-02-2023 04:17    230208-ewg98shb88    1

08-02-2023 04:10    230208-ervprsge81    7

02-02-2023 17:55    230202-whhsaagf32    10

General

  • Target

    WinTroyBuilder.exe

  • Size

    2.8MB

  • Sample

    230202-whhsaagf32

  • MD5

    3d46955ab2275455a983c1c327835366

  • SHA1

    c18655daaaa564c2f4f2932f561f885cb1aff36b

  • SHA256

    9bf03a8f81f0c51e9f1a9cd6016ecccf7443c1559e4e4b44547b8a13521b152a

  • SHA512

    8d28dbc134d78b3ae21bf125a1eab81e6c9ab7d57c5148b3e0ac10dd40b76fe24b6846131f0224fb13d84cb0fe16f8d88cc5c97c5bbea5ec9e00960205c04332

  • SSDEEP

    49152:fOPSa4ZImzdAxZmKLEb+T+VY07d7AidLAbbtwSjugkKNJxeWsoDjLX:fraitzdAfBEa0AiLAbbO0ugk8V

Malware Config

Targets

    • Target

      WinTroyBuilder.exe

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

    Registry Run Keys / Startup Folder    T1060    1

Defense Evasion

    Modify Registry    T1112    2

Discovery

    Query Registry    T1012    4

    System Information Discovery    T1082    5

    Peripheral Device Discovery    T1120    2

Command and Control

    Web Service    T1102    1

Tasks