General

  • Target

    SecuriteInfo.com.Win32.Kryptik.HENB.18157

  • Size

    579KB

  • Sample

    200630-a9v2wz3hds

  • MD5

    a37a8840e9e8d07c73861a1353013ba2

  • SHA1

    403c6a9e7159480ba75f4250f2d946226de92d4b

  • SHA256

    e7f1b2d2601e9a6427a155a3599614c09c9edaae7eb8f10b81e1f3e117717157

  • SHA512

    88e7eb3f6648c7baab747bae3afae839a9b13e12ff8ec861e4df262dbd2ab469de7274c02a716ba0e7fe6ecde4b9fe365f53cd4e9433a389080be92840e0c15c

Malware Config

Targets

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain first discovered in August 2015.

    • Blacklisted process makes network request

    • Modifies system certificate store

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion

  • Install Root Certificate (T1130): 1

  • Modify Registry (T1112): 1

Tasks