zloader | 7b74a2825e4352648153af617a569148e5f1622b545ca0687294cc495e4e608d

Resubmissions

08-12-2024 11:26

241208-njzhesskcy 6

09-11-2024 16:51

241109-vc24as1lgj 10

Sharing

Copy URL

Twitter E-mail

General

Target

1101.mp4
Size

94.1MB
Sample

241109-vc24as1lgj
MD5

85d336d15357f8959cd9ae5625d2bede
SHA1

6fbb5b9c69dceacd9bb14b88c446d7582b89da25
SHA256

7b74a2825e4352648153af617a569148e5f1622b545ca0687294cc495e4e608d
SHA512

93d635eded48c0687ef6e599d3aa6c47ad534b272fcf3f8b5bd3a9e77895a351b170ecc73501b2efd100002c881b050d45aa239a22ad6294c6f34d01a4536e5d
SSDEEP

1572864:jUmwT45vSpJqY9FWAwK/Wf28BxV496iaFNCSXHgTVl9iweVkh7J+je0DfIspWkuL:9wT9/9nrKy6iaqIA5izDwspWks

Score

10^/10

Malware Config

Targets

- Target
  
  1101.mp4
- Size
  
  94.1MB
- MD5
  
  85d336d15357f8959cd9ae5625d2bede
- SHA1
  
  6fbb5b9c69dceacd9bb14b88c446d7582b89da25
- SHA256
  
  7b74a2825e4352648153af617a569148e5f1622b545ca0687294cc495e4e608d
- SHA512
  
  93d635eded48c0687ef6e599d3aa6c47ad534b272fcf3f8b5bd3a9e77895a351b170ecc73501b2efd100002c881b050d45aa239a22ad6294c6f34d01a4536e5d
- SSDEEP
  
  1572864:jUmwT45vSpJqY9FWAwK/Wf28BxV496iaFNCSXHgTVl9iweVkh7J+je0DfIspWkuL:9wT9/9nrKy6iaqIA5izDwspWks
Score

10^/10

zloader botnet steam defense_evasion discovery evasion motw persistence phishing privilege_escalation ransomware spyware stealer trojan
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Zloader family
  zloader
- Zloader, Terdot, DELoader, ZeusSphinx
  Zloader is a malware strain that was initially discovered back in August 2015.
  trojan botnet zloader
- Contacts a large (879) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Disables RegEdit via registry modification
  evasion
- Downloads MZ/PE file
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Modifies Windows Firewall
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- A potential corporate email address has been identified in the URL: 0E920C0F53DA9E9B0A490D45@AdobeOrg
  phishing
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Mark of the Web detected: This indicates that the page was originally saved or cloned.
  phishing motw
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Detected potential entity reuse from brand STEAM.
  phishing steam
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1