Overview

overview

10

Static

static

1

Screenshot...ok.jpg

windows7-x64

3

Screenshot...ok.jpg

windows10-2004-x64

10

Resubmissions

05-08-2024 07:11

240805-hz14aszbrl 10

05-08-2024 07:09

240805-hy7vfstdla 3

05-08-2024 07:05

240805-hwzfastcpg 6

05-08-2024 07:04

240805-hv7qaatcnf 3

05-08-2024 06:55

240805-hqavratbne 1

05-08-2024 06:55

240805-hp5nqszalm 1

05-08-2024 06:54

240805-hpqvkstbmd 1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Screenshot_20240729_011531_TikTok.jpg

  • Size

    24KB

  • Sample

    240805-hz14aszbrl

  • MD5

    20bf28be2328c3fc71cc890f85c6c427

  • SHA1

    99338e93d92c6852cb5ca9ff5dd3ef74da4543ce

  • SHA256

    212c00916c1969a080b1475568d3acb77da5f471e449e1a3518ec0bef3e90736

  • SHA512

    d7d1a28417abceb7689f89adbde87cacaa1298669d9a32fcf22bc1c58f6ad08e5891205f1e2782885745c15fb3b3dc037b39246189fafe911845fdd4a215d944

  • SSDEEP

    768:sjbMqMTFiBTizxZv1gHnvwHTIjvQZ4Bs6GbPlWX2n3kh:pjTFiBTax1gHvwTI7wB6GboXe0h

Score
10/10
zloaderbotnetdiscoverypersistenceprivilege_escalationtrojan

Malware Config

Targets

    • Target

      Screenshot_20240729_011531_TikTok.jpg

    • Size

      24KB

    • MD5

      20bf28be2328c3fc71cc890f85c6c427

    • SHA1

      99338e93d92c6852cb5ca9ff5dd3ef74da4543ce

    • SHA256

      212c00916c1969a080b1475568d3acb77da5f471e449e1a3518ec0bef3e90736

    • SHA512

      d7d1a28417abceb7689f89adbde87cacaa1298669d9a32fcf22bc1c58f6ad08e5891205f1e2782885745c15fb3b3dc037b39246189fafe911845fdd4a215d944

    • SSDEEP

      768:sjbMqMTFiBTizxZv1gHnvwHTIjvQZ4Bs6GbPlWX2n3kh:pjTFiBTax1gHvwTI7wB6GboXe0h

    Score
    10/10
    zloaderbotnetdiscoverypersistenceprivilege_escalationtrojan

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

      trojanbotnetzloader

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

      persistence

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops Chrome extension

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Modify Registry

3
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Query Registry

4
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks