zloader | 9ecd96e90def2fa42b060d64290129903115d7410b2c2008e8d4b928c4b5846a | Triage

Sharing

General

Target

beaker-browser-setup-0.8.2.exe
Size

70.4MB
Sample

240907-vsrbqsvdqm
MD5

c603abdef890ec42355b158561aa3381
SHA1

ae0aaa9c8c8665aab09a088ca5cbe42e148ef358
SHA256

9ecd96e90def2fa42b060d64290129903115d7410b2c2008e8d4b928c4b5846a
SHA512

40bde2aa5276e00de312d932698cb11ca6604f4d972bca0c653cce67dcc45ba32b4900a1d88bfdba49125ad43c49f7c46cc572370d727993afd810e92c4b0edd
SSDEEP

1572864:+uOdWa6wr7n17jdvIgVWL8ro+f3WUD+y1CxvmkOHFbPwk0iNFByzAK:x+WaPrrvwL95I+wCx0l4k8

Score

10^/10

zloader botnet discovery execution trojan

Malware Config

Targets

- Target
  
  beaker-browser-setup-0.8.2.exe
- Size
  
  70.4MB
- MD5
  
  c603abdef890ec42355b158561aa3381
- SHA1
  
  ae0aaa9c8c8665aab09a088ca5cbe42e148ef358
- SHA256
  
  9ecd96e90def2fa42b060d64290129903115d7410b2c2008e8d4b928c4b5846a
- SHA512
  
  40bde2aa5276e00de312d932698cb11ca6604f4d972bca0c653cce67dcc45ba32b4900a1d88bfdba49125ad43c49f7c46cc572370d727993afd810e92c4b0edd
- SSDEEP
  
  1572864:+uOdWa6wr7n17jdvIgVWL8ro+f3WUD+y1CxvmkOHFbPwk0iNFByzAK:x+WaPrrvwL95I+wCx0l4k8
Score

10^/10

zloader botnet discovery trojan
- Zloader, Terdot, DELoader, ZeusSphinx
  Zloader is a malware strain that was initially discovered back in August 2015.
  trojan botnet zloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/SpiderBanner.dll
- Size
  
  9KB
- MD5
  
  17309e33b596ba3a5693b4d3e85cf8d7
- SHA1
  
  7d361836cf53df42021c7f2b148aec9458818c01
- SHA256
  
  996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93
- SHA512
  
  1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298
- SSDEEP
  
  192:5lkE3uqRI1y7/xcfK4PRef6gQzJyY1rpKlVrw:5lkMBI1y7UKcef6XzJrpKY
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/StdUtils.dll
- Size
  
  101KB
- MD5
  
  33b4e69e7835e18b9437623367dd1787
- SHA1
  
  53afa03edaf931abdc2d828e5a2c89ad573d926c
- SHA256
  
  72d38ef115e71fc73dc5978987c583fc8c6b50ff12e4a5d30649a4d164a8b6ae
- SHA512
  
  ca890e785d1a0a7e0b4a748416fba417826ae66b46e600f407d4e795b444612a8b830f579f2cf5b6e051bea800604f34f8801cc3daf05c8d29ad05bcda454a77
- SSDEEP
  
  1536:Ayy+wx2YAlWrU5OX9crt5c4DBqiC7hk333kbQk:ry+wojIwgNcr1a7WH0b
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  75ed96254fbf894e42058062b4b4f0d1
- SHA1
  
  996503f1383b49021eb3427bc28d13b5bbd11977
- SHA256
  
  a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
- SHA512
  
  58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4
- SSDEEP
  
  192:X24sihno0bW+l97H4GB7QDs91kMtwtobTr4u+QHbazMNHT7dmNIEr:m8vJl97JeoxtN/r3z7YV
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  $PLUGINSDIR/WinShell.dll
- Size
  
  3KB
- MD5
  
  1cc7c37b7e0c8cd8bf04b6cc283e1e56
- SHA1
  
  0b9519763be6625bd5abce175dcc59c96d100d4c
- SHA256
  
  9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6
- SHA512
  
  7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  $PLUGINSDIR/app-64.7z
- Size
  
  69.9MB
- MD5
  
  3a5cae5a7516bd82afd5ce0b043d3187
- SHA1
  
  6073d192aa553b9003514ecf09c40ca4125bf91d
- SHA256
  
  b471cab0dd4e891b7845223fd21df32fca78ecca4d414cddfa3d1995f8f787ed
- SHA512
  
  5bb9766c180f618f19168216941d1bd332ee26bb43be0efb276ff40254ed5d3300a16309dae4649649c9ccdd6e312db8ba0e66c246da967d0c159c94ca3a7c09
- SSDEEP
  
  1572864:ouOdWa6wr7n17jdvIgVWL8ro+f3WUD+y1CxvmkOHFbPwk0iNFByzq:j+WaPrrvwL95I+wCx0l4kz
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  msvcp140.dll
- Size
  
  626KB
- MD5
  
  d396985225d85caa7d743d67c7da6316
- SHA1
  
  915d5829ed02171684c2a9e8b3b57f7a35bc1e2c
- SHA256
  
  be2ef4f6d540d0ac5fddd556dcb6bfaf6cb6288679e4d64882d625ff35f173aa
- SHA512
  
  d7b0df2865bf491c9caf34cbabefb7b7f04b35b85276a59fef0499d02b09651d8f6d0db9e87df4a9a1417f07784a8e5625e9805bc434b87d64e442ab98e24075
- SSDEEP
  
  12288:+/AqzeYd5jcj712LobwFYz0U3lVQEKZm+jWodEEVncj:8x4rYYzr3jQEKZm+jWodEEVu
Score

1^/10
behavioral13 behavioral14
- Target
  
  natives_blob.bin
- Size
  
  170KB
- MD5
  
  7f20917d39abdc8ccac48f8cce93bf09
- SHA1
  
  93c804ac74ce32c17538f04d175f775550946826
- SHA256
  
  a23d9b8422322157c7900b2cc35bf9a8129c08e4b9807dae26f412981b9c1b78
- SHA512
  
  183c4d606af1bc57a5d958d4ff34d9633a23493d18317544e8dd4b05dff010fce249d4ceee646b8f14c9367f509890292df1cd85957a0d2a0ea9f82045559f34
- SSDEEP
  
  3072:YUWt8rxNpyXcsR/H/UxRjh7oSzA/3BWypHEm9bgrluv:YUWOrxNpyXcsRf/UxRjhPzAsmtgi
Score

3^/10

execution
behavioral15 behavioral16
- Target
  
  node.dll
- Size
  
  17.7MB
- MD5
  
  18fc37c302204fec082b5e261b75d07e
- SHA1
  
  5703f1df048d94230540b7204aa88d6f7b6102cd
- SHA256
  
  f3a6da8ffb2aba7028195fb2118d8e17c9890bbd29a3e36ea968f5c789633f9d
- SHA512
  
  4ddc2ba0b1887db1c92db302d3551ab9d6cb043a1ebe14fb1461ff020dfe541ff2d6853653128c325b91358a5f51be2242a342479750037d53dd70181ff03299
- SSDEEP
  
  393216:AyDDmLaVxvK+T7nc4fI9EyhrdnZCf8cEQPuUev/QY+Xqd6tYLSugwqtMCGDPAI:RDDmLV+T7ncZTnZzcxqAI
Score

1^/10
behavioral17 behavioral18
- Target
  
  resources/app.asar.unpacked/node_modules/sodium-native/example.js
- Size
  
  824B
- MD5
  
  e302fef20eb86f4a122221c0d6cca1fa
- SHA1
  
  0a56056f602c9d8f5fb9237e5665ae00ed1ad871
- SHA256
  
  faaeb5e05917c9a941012f41358db849e1c9503c577358e0df22e3dbceafe646
- SHA512
  
  d8f12d13ca09b5cc85da248f343f846710a9d6d200842db09d8736c422637afdc30747dba22d4fafe09088aa2b3854e2c3885aa4a2cb7abc4650e38f401f476e
Score

3^/10

execution
behavioral19 behavioral20
- Target
  
  resources/app.asar.unpacked/node_modules/sodium-native/index.js
- Size
  
  75B
- MD5
  
  8e2a6819658724049c5a3ff67442fe52
- SHA1
  
  9b8ce84232ae75781dbcc272af3b611ab783e9e0
- SHA256
  
  ad69f6d46abb8085e63949b7ca2fb718d310065abfccbf0ef19a6b186c64d419
- SHA512
  
  06c7693c4b089880ca31f3b32f7bce6ccceab02965c0b45a3544f186eeb12e23f0ae776ba11f882d8f2c928068b94cf1d7892ea3014500f1831a2e46590cadac
Score

3^/10

execution
behavioral21 behavioral22
- Target
  
  resources/app.asar.unpacked/node_modules/sodium-native/libsodium/autogen.sh
- Size
  
  759B
- MD5
  
  59ad806baf33f71de630e055553513d9
- SHA1
  
  2acbf8cc882e23e8539b1af5ad2c0335b1d5ee13
- SHA256
  
  7590a052aa09d91f87821714e52d14a742302e0a12d7c11d94119b89e9ba445a
- SHA512
  
  729130ab0c6248984068c1505d2811d05e19d529c4b8b087117e385e81f430bd69e78cd71988e59f5a2920416af4b04eae11644228e1de3c2940dea3072b9223
Score

3^/10

discovery
behavioral23 behavioral24
- Target
  
  resources/app.asar.unpacked/node_modules/sodium-native/libsodium/builds/msvc/build/buildall.bat
- Size
  
  278B
- MD5
  
  e15c10a05d89deea8bf3973acb3bd0f1
- SHA1
  
  3d5eeb32af18cfb4723327de1a7bd0c371411074
- SHA256
  
  6c7bb5d638e2d5fa911006231a822c71905bc640060187219504833e6446ee11
- SHA512
  
  cd55ea6f703440bbc4a7329893ffb4dd0a66ecfde6f911d2358ce585914f147e747c691d95360bb4eb592de709e9f913a3491783fe91c04aadd9ff15104527e6
Score

1^/10
behavioral25 behavioral26
- Target
  
  resources/app.asar.unpacked/node_modules/sodium-native/libsodium/builds/msvc/build/buildbase.bat
- Size
  
  2KB
- MD5
  
  47d335511bad2861a2a0657aca61ea29
- SHA1
  
  5caa686489ca4e0ff4eabe4fc78f95e0b6c6cc5d
- SHA256
  
  a766b6646c949a74bc82aae36504cb05440c715c27624a7d51331f27cf2dcd4d
- SHA512
  
  269a53910558236fba2a906cda01e1b4f8f2fa104c3cde128127b5e02d0b9485daf4925e724a90ef30517eb71257e12e76bb4fde7aa0394ddc69bf5b9a584f3b
Score

1^/10
behavioral27 behavioral28
- Target
  
  resources/app.asar.unpacked/node_modules/sodium-native/libsodium/msvc-scripts/process.bat
- Size
  
  421B
- MD5
  
  11138a301aea9fde12bcb956cf7f86a4
- SHA1
  
  b1b5cfc04f79406418b5ede054fffcc87eaa4727
- SHA256
  
  d7f6f51d153f8548b4f1126118894e480b8d432a065833c89c2040d92cf522bf
- SHA512
  
  9b0e05056bcfc2154e20669a6b26d6bf2d29539838543a35577abf456949df4db9432ac6256e6780f3c74b7f16088db7c249cc14bd5cc46d93e5a95ed6039d4e
Score

1^/10
behavioral29 behavioral30
- Target
  
  resources/app.asar.unpacked/node_modules/sodium-native/libsodium/msvc-scripts/rep.vbs
- Size
  
  294B
- MD5
  
  108bf1c9f66791bc42f29ba1cffeeabf
- SHA1
  
  d8d9028f4feb794eaf57de06087bfd26e096c4ce
- SHA256
  
  878a2a13ec8d196e073bfff98a78ae7ac0139e5e6dad38a197e8937d191dffd2
- SHA512
  
  0b3df9e53fbedd5a2c207774a3d8e66a892e589978f45b5f644b2737e2bb8b95045a987f1cd0cddce164e72fa695ac6cab9f8bed9400e618c4f908643f71e221
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

zloaderbotnetdiscoverytrojan

behavioral2

zloaderbotnetdiscoverytrojan

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32