zloader | d7ea78ed27fd9b409d82b101317e7fc3f513efe456de24d62c13d443033e3165

General

Target

d7ea78ed27fd9b409d82b101317e7fc3f513efe456de24d62c13d443033e3165
Size

199KB
Sample

240918-fzhkvavame
MD5

7366f05f1ae2ac01e37e0e1585471611
SHA1

38fec58363128d9f2722cb0662b30c20740e9685
SHA256

d7ea78ed27fd9b409d82b101317e7fc3f513efe456de24d62c13d443033e3165
SHA512

8af15534ca621210adf23d22da1f859f76fb10a6857e07167f23cb53ebff39c51d0b38fa7caa26c4de76a63f066ca070f0ff30139dd46335fefd6c9ccebd71ad
SSDEEP

3072:if1BDZ0kVB67Duw9AMcizbPgpgNCfG0UeiWv10DxjumDqcEf/hypWqY3ZRV4+kLX:i9X0G24p2x0HXvSDZTgfZypW9mbb

Score

10^/10

zloader sg sg botnet discovery trojan

Malware Config

Extracted

Family

zloader

Botnet

SG

Campaign

SG

C2

https://imagn.at/LKhwojehDgwegSDG/gateJKjdsh.php

https://freebreez.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://makaronz.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://ricklick.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://litlblockblack.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://vaktorianpackif.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://hbamefphmqsdgkqojgwe.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://wuktmlbilrsbvsbkdetb.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://yrsfuaegsevyffrfsgpj.com/LKhwojehDgwegSDG/gateJKjdsh.php

Attributes

build_id
107

rc4.plain

rsa_pubkey.plain

Targets

- Target
  
  d7ea78ed27fd9b409d82b101317e7fc3f513efe456de24d62c13d443033e3165
- Size
  
  199KB
- MD5
  
  7366f05f1ae2ac01e37e0e1585471611
- SHA1
  
  38fec58363128d9f2722cb0662b30c20740e9685
- SHA256
  
  d7ea78ed27fd9b409d82b101317e7fc3f513efe456de24d62c13d443033e3165
- SHA512
  
  8af15534ca621210adf23d22da1f859f76fb10a6857e07167f23cb53ebff39c51d0b38fa7caa26c4de76a63f066ca070f0ff30139dd46335fefd6c9ccebd71ad
- SSDEEP
  
  3072:if1BDZ0kVB67Duw9AMcizbPgpgNCfG0UeiWv10DxjumDqcEf/hypWqY3ZRV4+kLX:i9X0G24p2x0HXvSDZTgfZypW9mbb
Score

10^/10

zloader sg sg botnet discovery trojan
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Zloader, Terdot, DELoader, ZeusSphinx
  Zloader is a malware strain that was initially discovered back in August 2015.
  trojan botnet zloader
- Loads dropped DLL
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  fccff8cb7a1067e23fd2e2b63971a8e1
- SHA1
  
  30e2a9e137c1223a78a0f7b0bf96a1c361976d91
- SHA256
  
  6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
- SHA512
  
  f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
- SSDEEP
  
  192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
Score

3^/10

discovery
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Suspicious use of NtCreateUserProcessOtherParentProcess

Zloader, Terdot, DELoader, ZeusSphinx

Loads dropped DLL

Blocklisted process makes network request

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4