zloader | fff929c4f44411e0f8da272f8d1db4593b23acd3c52cf8958792aef9548b4623

General

Target

6aee58b63843a0d73a98a2922092de8a_JaffaCakes118
Size

839KB
Sample

240730-a1g3tatcnb
MD5

6aee58b63843a0d73a98a2922092de8a
SHA1

abc6ac9a98360aa065f32e15d0a9293f8aa26e32
SHA256

fff929c4f44411e0f8da272f8d1db4593b23acd3c52cf8958792aef9548b4623
SHA512

ab93f97b94953edc7d051ffa48cf444d4f09af479746ad88b86907e50d8984919fa1fdef473b2cb73adcb23378c03a81a06eece1cf7b1d12a469c0eec943d20c
SSDEEP

6144:XkX7Ahus9knpaHe51x/ZD6KJ02lclcB6BQVnhLbm6BN6BILsWwrdsWhc:0Ehus+5rZDjJ025oQVhX3UjdrdsWy

Score

10^/10

Malware Config

Extracted

Family

zloader

Botnet

xls_spam_2809

Campaign

divader

C2

https://fqnesas.ru/gate.php

https://fqnvsdaas.su/gate.php

https://fqnvtmqass.ru/gate.php

https://fqnvtcpheas.su/gate.php

https://fqnvtmophfeas.ru/gate.php

https://fqnceas.su/gate.php

https://fqlocpeas.ru/gate.php

https://dksaiijn.ru/gate.php

https://dksafjasnf.su/gate.php

https://fjsafasfsa.ru/gate.php

Attributes

build_id
80

rc4.plain

1
03d5ae30a0bd934a23b6a7f0756aa504

rsa_pubkey.plain

1
-----BEGIN PUBLIC KEY-----
2
MIGeMA0GCSqGSIb3DQEBAQUAA4GMADCBiAKBgH8lq265O2JF4ppogKnQ5oPloJ9n
3
DIZIh5wXL6vve72p5RlYHq42Ui3GRSDMLEsoJRaak7WnNKp1AVop9Qj7f7DEvHZ+
4
jgjeT1axP2rt4FTF4wT4ZDPUDVdmGQhfozluc328jBVLX5HXaYLtEhlI7Hc1Syhk
5
+pXowBVJ8emFjkANAgMBAAE=
6
-----END PUBLIC KEY-----

Targets

- Target
  
  6aee58b63843a0d73a98a2922092de8a_JaffaCakes118
- Size
  
  839KB
- MD5
  
  6aee58b63843a0d73a98a2922092de8a
- SHA1
  
  abc6ac9a98360aa065f32e15d0a9293f8aa26e32
- SHA256
  
  fff929c4f44411e0f8da272f8d1db4593b23acd3c52cf8958792aef9548b4623
- SHA512
  
  ab93f97b94953edc7d051ffa48cf444d4f09af479746ad88b86907e50d8984919fa1fdef473b2cb73adcb23378c03a81a06eece1cf7b1d12a469c0eec943d20c
- SSDEEP
  
  6144:XkX7Ahus9knpaHe51x/ZD6KJ02lclcB6BQVnhLbm6BN6BILsWwrdsWhc:0Ehus+5rZDjJ025oQVhX3UjdrdsWy
Score

10^/10

zloader xls_spam_2809 divader botnet discovery persistence trojan
- Zloader, Terdot, DELoader, ZeusSphinx
  Zloader is a malware strain that was initially discovered back in August 2015.
  trojan botnet zloader
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2