zloader | a4a31d6d1af581f983398db33bbc0fdfe3b321ef45a9e7658306e0459c59d24d | Triage

Submit
Reports

Overview

overview

Static

static

1

OculusSetup.exe

windows11-21h2-x64

Sharing

General

Target

OculusSetup.exe
Size

4.5MB
Sample

240729-n9xfraxfpn
MD5

fdbcb6a25136c9cbc24d159e863bae13
SHA1

a8d379375ec516edc86951a20b89d82155b12713
SHA256

a4a31d6d1af581f983398db33bbc0fdfe3b321ef45a9e7658306e0459c59d24d
SHA512

adbab93d13d2b8d429229d6936225d80315c9885990ae1dc61ea1d2a141a4b4f45b3a21dd202be62125444be33bd3a5a91f1457f7c123560f106e95883724e3d
SSDEEP

49152:M9jTJekQozeXfM6CvifgaAwS0ct1CPwDv3uF/XjxBZdKdaRH7wW7FZ:88/ozevblfgaAQo1CPwDv3uF/XmgR5Z

Score

10^/10

zloader botnet discovery persistence privilege_escalation trojan

Static task

static1

Behavioral task

behavioral1

Sample

OculusSetup.exe

Resource

win11-20240709-en

zloader botnet discovery persistence privilege_escalation trojan

windows11-21h2-x64

30 signatures

300 seconds

Malware Config

Targets

- Target
  
  OculusSetup.exe
- Size
  
  4.5MB
- MD5
  
  fdbcb6a25136c9cbc24d159e863bae13
- SHA1
  
  a8d379375ec516edc86951a20b89d82155b12713
- SHA256
  
  a4a31d6d1af581f983398db33bbc0fdfe3b321ef45a9e7658306e0459c59d24d
- SHA512
  
  adbab93d13d2b8d429229d6936225d80315c9885990ae1dc61ea1d2a141a4b4f45b3a21dd202be62125444be33bd3a5a91f1457f7c123560f106e95883724e3d
- SSDEEP
  
  49152:M9jTJekQozeXfM6CvifgaAwS0ct1CPwDv3uF/XjxBZdKdaRH7wW7FZ:88/ozevblfgaAQo1CPwDv3uF/XmgR5Z
Score

10^/10

zloader botnet discovery persistence privilege_escalation trojan
- Zloader, Terdot, DELoader, ZeusSphinx
  Zloader is a malware strain that was initially discovered back in August 2015.
  trojan botnet zloader
- Adds Run key to start application
  persistence
- Downloads MZ/PE file
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Component Object Model Hijacking

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Component Object Model Hijacking

Defense Evasion

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

zloaderbotnetdiscoverypersistenceprivilege_escalationtrojan

© 2018-2024

Terms | Privacy