Resubmissions

24-05-2023 17:16

230524-vs7cysea9x 10

09-11-2020 20:02

201109-kefnpvgfd6 10

General

  • Target

    readme.exe

  • Size

    348KB

  • Sample

    230524-vs7cysea9x

  • MD5

    8c6810ccbf8b94ad18edabe648ffd504

  • SHA1

    9f3770c114956fb31d04ec3020fe4da03a8ac2d4

  • SHA256

    b8f848f137a23fe046b4701a67d07c8e7e1a8fdb066f318424caede7a1e69530

  • SHA512

    7bf15296bbdce5aee540b9a6738c65a3f54b773f6aa50b27a98ad8c33544ff60625f650c8bb90fa17a0c60e8b799a88536f5609b41a94784fcb283b810f0b7b9

  • SSDEEP

    6144:UMLeUFXXI8t9K/uN6qmhCaHA5DZNyI187cMsU5wgsbZv+:JesY8t9KQ6q9WAZNVOAzzr+

Malware Config

Extracted

Family

zloader

Botnet

CanadaLoads

Campaign

Spam

C2

https://23d8s23hs89j239sj23.com/jbYm9bt/NlGkb4ivk.php

https://3reh8rd23js9.com/jbYm9bt/NlGkb4ivk.php

https://4f394j89d3j4d89j34d.com/jbYm9bt/NlGkb4ivk.php

https://d823hrd9239sdj2.com/jbYm9bt/NlGkb4ivk.php

https://js823hs23js.com/jbYm9bt/NlGkb4ivk.php

https://oidjweidj34rd3.com/jbYm9bt/NlGkb4ivk.php

https://qwd8s3j8s23h8s.com/jbYm9bt/NlGkb4ivk.php

https://s28hs823hs823js.com/jbYm9bt/NlGkb4ivk.php

https://wd23h8qsh8qhs823qs.com/jbYm9bt/NlGkb4ivk.php

Attributes
  • build_id

    34

rc4.plain

Targets

    • Target

      readme.exe

    • Size

      348KB

    • MD5

      8c6810ccbf8b94ad18edabe648ffd504

    • SHA1

      9f3770c114956fb31d04ec3020fe4da03a8ac2d4

    • SHA256

      b8f848f137a23fe046b4701a67d07c8e7e1a8fdb066f318424caede7a1e69530

    • SHA512

      7bf15296bbdce5aee540b9a6738c65a3f54b773f6aa50b27a98ad8c33544ff60625f650c8bb90fa17a0c60e8b799a88536f5609b41a94784fcb283b810f0b7b9

    • SSDEEP

      6144:UMLeUFXXI8t9K/uN6qmhCaHA5DZNyI187cMsU5wgsbZv+:JesY8t9KQ6q9WAZNVOAzzr+

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks