zloader | 09e65a661e85c3a3ab0e848809e44f20332b9f46cf5da364c7c8d3992c957f85

Sharing

Copy URL

Twitter E-mail

General

Target

TeraBox_sl_b_1.31.0.1.exe
Size

85.5MB
Sample

240710-zvbfhssclh
MD5

79060976af019f7fb4cefbc0a4fe8ec4
SHA1

907cf720fa0ddf346a44904b0b38654f3d562784
SHA256

09e65a661e85c3a3ab0e848809e44f20332b9f46cf5da364c7c8d3992c957f85
SHA512

a5decc422ed87f09786d3d42b3a26358faed6ca339ab3c4331b6b40c34fff62c48822a915aec71fce575fa03ccb1278e3bedb37072119b21309fb4d33828942b
SSDEEP

1572864:D/Tbaxaxd3iMmFsW2sfWXx/Qux9f7yyZermJw0ZR09aoFXVqagAp0g9mTx:Tqaxi6x/hHf7yyZermJwSy9aoFwagA1y

Score

10^/10

Malware Config

Targets

- Target
  
  TeraBox_sl_b_1.31.0.1.exe
- Size
  
  85.5MB
- MD5
  
  79060976af019f7fb4cefbc0a4fe8ec4
- SHA1
  
  907cf720fa0ddf346a44904b0b38654f3d562784
- SHA256
  
  09e65a661e85c3a3ab0e848809e44f20332b9f46cf5da364c7c8d3992c957f85
- SHA512
  
  a5decc422ed87f09786d3d42b3a26358faed6ca339ab3c4331b6b40c34fff62c48822a915aec71fce575fa03ccb1278e3bedb37072119b21309fb4d33828942b
- SSDEEP
  
  1572864:D/Tbaxaxd3iMmFsW2sfWXx/Qux9f7yyZermJw0ZR09aoFXVqagAp0g9mTx:Tqaxi6x/hHf7yyZermJwSy9aoFwagA1y
Score

10^/10

zloader botnet discovery persistence privilege_escalation trojan
- Zloader, Terdot, DELoader, ZeusSphinx
  Zloader is a malware strain that was initially discovered back in August 2015.
  trojan botnet zloader
- Adds Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/NsisInstallUI.dll
- Size
  
  1.8MB
- MD5
  
  075abe6be6b717434cea2879a54c4714
- SHA1
  
  dc02581f578d22db7460352a476727ac5b2fcbb9
- SHA256
  
  5a5e5398424a4eab5ea1fb905313ea56a19b7210e0da44861503bbf3f9826c13
- SHA512
  
  90937b6aab2a4eeac74a33cf238131e011edc1b1f2bf9a9ce6dc5e0d21923330131ba5014e9ea1176ee88ee03d847cc69e6f1e91f7f68aa65c7a5ac4852f9d63
- SSDEEP
  
  24576:THI9QRkU8s2UDY3r58zoPOfxLcbFTRsr5T:byQn8jUE7HmKbDiT
Score

3^/10
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  8cf2ac271d7679b1d68eefc1ae0c5618
- SHA1
  
  7cc1caaa747ee16dc894a600a4256f64fa65a9b8
- SHA256
  
  6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
- SHA512
  
  ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3
- SSDEEP
  
  192:BenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XB9IwL:B8+Qlt70Fj/lQRY/9VjjlL
Score

3^/10
behavioral5 behavioral6
- Target
  
  $PLUGINSDIR/nsProcessW.dll
- Size
  
  4KB
- MD5
  
  f0438a894f3a7e01a4aae8d1b5dd0289
- SHA1
  
  b058e3fcfb7b550041da16bf10d8837024c38bf6
- SHA256
  
  30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
- SHA512
  
  f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7
- SSDEEP
  
  48:Sz4joMeH+Iwdf8Rom/L+rOnnk5/OCnXeAdbdOAa4GPI+CJ87eILzlq7gthwIsEQW:64c/eFdfS/SSnkxNa4G+ueqPuCtGsj
Score

3^/10
behavioral7 behavioral8
- Target
  
  $TEMP/kernel.dll
- Size
  
  7.5MB
- MD5
  
  3addcb27ffbfeecf0cf1f4980e0b0baf
- SHA1
  
  dde794a1bb1fba39d30334b0abce6010092c5d27
- SHA256
  
  15c2a89dc69cc532d59c40946f4764aeff284fd01734c2f5783efd60ce14f40a
- SHA512
  
  3f2ed545f5f913f645506829192291098a7981afdc761f5cb996c299abe0cd5befc1585b0bafd189a5505b3543cadb340df50fbf9551de4c84b9d193628a082b
- SSDEEP
  
  196608:4uoz1uHMDYjG4mJmvoG7nAbyrxpetNvjr:4uozPoumvozbyOr
Score

1^/10
behavioral10 behavioral9
- Target
  
  AppUtil.dll
- Size
  
  1.5MB
- MD5
  
  7e489e7300d3177f64db31665a2079e0
- SHA1
  
  50b20f0b4e5bb5b35e68dd90a5c465dffd30260e
- SHA256
  
  7a426359908ae2b6ca1bc8a2773269a48126c2db23c171bc56a3456da4f0016c
- SHA512
  
  0b3b34c0e5e095dfd77d801cd7e85e0431da23bf1c943aacb855a40f5a0d9439d7667718abe654eac17ed474b3c9eb644b90cc8cc215c9adc99b12e29b7907d3
- SSDEEP
  
  24576:gbp2vEtmbb6kMjihOgysnGc7EiHhP2C1oPObTSFXhPq2QWv/Ec+M6em:gbpLtmbe7dSvAObTAXhPq2QW3Ec+M6em
Score

1^/10
behavioral11 behavioral12
- Target
  
  AutoUpdate/AutoUpdateUtil.dll
- Size
  
  198KB
- MD5
  
  1e751e9ac7a6905d2f1b2860cc7d37a7
- SHA1
  
  6e7171f68a1c432a512cae3901d35faad550ca0e
- SHA256
  
  9b95b90e36e4f7bf257e56fadf6f7630fa70696c072f7b8d6de05eab87e0674e
- SHA512
  
  f54af4149c1d24f05fdb3c1d8b48f31444763e7c4effdcd9013c8c90a8aa7fa4531b00d5ee1b3f08fcfbebcd06aaf8aa318c40943a59e611d5c24435a0562034
- SSDEEP
  
  3072:3Oq3B8kyfQQC2mC2gbvCsGowP96rH0Vu3b1vJ4gMdyJVj+G3O1fnAtZY:eq3BJ4vCCa9VgxR+GGvAK
Score

3^/10
behavioral13 behavioral14
- Target
  
  AutoUpdate/Autoupdate.exe
- Size
  
  2.8MB
- MD5
  
  94c5b0443f1c39b71b22931509bf1985
- SHA1
  
  35cb27275187b8c0da72d00b8551aaf2c1059794
- SHA256
  
  7260c2623c4277b045d97e87a677d41bbfd11647109a4d648c311310889cebfb
- SHA512
  
  a08a897095239f367c51b36724f54aa961420e07f76185075902efd7ee023eb8f0a6c8b49769158fbf9372377028182515995b0ac0b7277e12a2640a3e6a3721
- SSDEEP
  
  49152:57L6oPOReVwkTVcXj/SZTLvIkP4qgh7Xufw58hG7UB:57NQeZVcX7aIFqgtX8S
Score

1^/10
behavioral15 behavioral16
- Target
  
  BugReport.exe
- Size
  
  1.4MB
- MD5
  
  f49b3b781bfd317539557bef5097f296
- SHA1
  
  637af9717eb920cfe05f1308bad8633e16064903
- SHA256
  
  3275b623d4f9ed914fa5dbe5983e95fd63c2ba122ce69b773f70b148d84d188b
- SHA512
  
  93fd86df5f66e54ef2e79e4f141069ba2f0c96e203976b0ccb1b9ed5a78cd2212de0aaa05c63602bc8debe741940fbdb64d515e43d493b86fbbefa69f0405551
- SSDEEP
  
  24576:fvlG+2O6nLOdc1G0BNmo5Suno0i1eBU2Jqh5Xok4NJFXuFrAHPr8qFTtdkx5ApvD:fvlzEy0BNmoYuLqHMuFsHPr8qFTQMpvD
Score

5^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral17 behavioral18
- Target
  
  Bull140U.dll
- Size
  
  3.2MB
- MD5
  
  b5ac5913784d34c843677547edd5c578
- SHA1
  
  ed2a4e165ad8b65b1699aaf048654142a66943c6
- SHA256
  
  3267244255376bfaf68e75ad38468ba3ca0bbb49fe260f6e05611148d5cee3c9
- SHA512
  
  28a29ff02d7ce6d6a74b4938a1a1388c4ad6b36600bc9e7664edf14eb8a89aee49c107c46e13aee0194a38ec506cd86094952ce9327d724a98541871ff58d6db
- SSDEEP
  
  49152:YucCrMCcHiNTP0aVY+cTiPA+uo8TWp1gbuDIc7TYgZwnlmd2:neCtVYfbnoQbhPn
Score

1^/10
behavioral19 behavioral20
- Target
  
  ChromeNativeMessagingHost.exe
- Size
  
  126KB
- MD5
  
  cc7d7af64836078ce16a6919f753637c
- SHA1
  
  3046f9a67c40e5a21c8ed92a15af4f53e34395e0
- SHA256
  
  f9e1e7b4f81d3c08aa9b84701d6dac243541535fa3a39946bb517707e1af0d2b
- SHA512
  
  94fd2b097337d83a1635b922f14ffb368e1bbf3db8036d86dfffa7aad4ebfe5c19d96b8bfac99c3b4749acd5d47e7e517e88f9f1da553803e819272def7aad95
- SSDEEP
  
  1536:J3g0SyOZkuKe2nzGik0QkDYhH5RKA2CERlXR4L5O1L7nZcGZc9eiy:J3g0SywqqhH5RKA231R4tO1fnpn
Score

1^/10
behavioral21 behavioral22
- Target
  
  HelpUtility.exe
- Size
  
  148KB
- MD5
  
  c678f2c86400aa2c2e7c4782ad19c652
- SHA1
  
  f9d6d3ede05a597d7c362704dc03a3eb82a445d3
- SHA256
  
  37839cf5c7018440bab9b8d41436fabb69ab93a90e2e0eef01d565013e208ad8
- SHA512
  
  790d76f98543ca52f06dc4c80cb42ae954daba4eee89a06d8dad65fab7d807b92b6a7cefdef685f2ae161bcbc15ffb8b271408ee60cb2e61468b7f00a3e0a270
- SSDEEP
  
  3072:CSiN9E5e6zYYtEuk8Uu93C7aWoHWoFbW3JB0bO16O1fnzl:CSiGzV5LZLbGvz
Score

1^/10
behavioral23 behavioral24
- Target
  
  TeraBox.exe
- Size
  
  6.3MB
- MD5
  
  7ab6073a5c400a5071bfa4ef2d936425
- SHA1
  
  f794ea18eced4330979972da2a4bfa33c03afa2f
- SHA256
  
  7774449e13c24d2b0b69114d9ba044e80dc8378fa3dfb5d17a142d5cb4cde8af
- SHA512
  
  4371b6b49df43dab4abf90a71819276f30dca823c93335edd5513a67a646c97ef575b2ede650ceb2f0f168af13431254530e9bffc3db0f5b0eada1492c3cab73
- SSDEEP
  
  98304:52XswubXaFliXVEaqz56LtbSeK78yYkVvkg7m8Etg1C9Y41WCpq:8XswuuKE7E4IDkVvkgK9fVWCo
Score

5^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral25 behavioral26
- Target
  
  TeraBoxHost.exe
- Size
  
  378KB
- MD5
  
  76a9e3448bbd6d6862842504a9e3f5ac
- SHA1
  
  7225bae52bad533ba79c6e88c39835c8767b1b15
- SHA256
  
  02e63402fb3c4fe84f4671f475f8df7c8d91534dc6e579d41af723fd475b6b43
- SHA512
  
  bd983fcccda9be808d120c9a8ef2458d730a0ccb5cfad009253d575955a18973201805b25d14b5552b6cd7101d0a072ce405b43336adde5c71f7e5cb7fe0956c
- SSDEEP
  
  6144:6+nj7IXYnzhmoX5Rz0jdWNuyxmnbjxzDBRz9NPM+uv2DBQ:yLoX4XNPPM+i
Score

1^/10
behavioral27 behavioral28
- Target
  
  TeraBoxRender.exe
- Size
  
  737KB
- MD5
  
  e7e3b05028ee28e5e968f77c2931cd4d
- SHA1
  
  632e78cb1c9caa091d4d657e44d576f208f75f8c
- SHA256
  
  c30bbd342e068425c8433e17a4d8c0965e3f48a9b0e0fe983321e92b7a2df08c
- SHA512
  
  2bc2746b89972adc380048a84a514faaad5930d33eb42c2866e8b35dff84483bc704e06a3ae5584ad28a210df05b31bf348defadf40c90e4b636fff2ade114bc
- SSDEEP
  
  6144:EWF5wFO09j7KPQ7QK50g0umuUHlb5xVtq+2zi0Vv26S:EBFLj7x8dg0iUHlb5xV12G0
Score

1^/10
behavioral29 behavioral30
- Target
  
  TeraBoxWebService.exe
- Size
  
  1.1MB
- MD5
  
  aeff74ab7845f20f095466cc8e9c2e50
- SHA1
  
  990972a2f1ec7e90336b5690ef4f941efd12cbe9
- SHA256
  
  3a9a9852468082a13c0d483b35b3d16cabfa436774efdcfa363e6ae4c092097d
- SHA512
  
  ecd8f94e77d8b5f8164aba9ae484fd655939c976bcde9c07195a59f98d88ab0bc14ff041268f361b503a333827f28ce33d76c8add957297a2d056b04c32a04ca
- SSDEEP
  
  12288:WzfoNHJMAdkx/GzpOmeSKeYD6ebL5UHk8UZw3ulzQxIH9cAPxTmxECyXQz:WcNpMZx/SOeYD6KNF8UW3ul7HdPsEXQz
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Zloader, Terdot, DELoader, ZeusSphinx

Adds Run key to start application

Checks computer location settings

Event Triggered Execution: Component Object Model Hijacking

Checks computer location settings

Checks computer location settings

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32