General

  • Target

    tfR5r4pw

  • Size

    634KB

  • Sample

    200702-7gtctk4t9x

  • MD5

    004d3ff1fe0ec1d0a90913f1238f293f

  • SHA1

    fe3a1f35f5c21ce72a1ef05cbf2824a51827a5f2

  • SHA256

    3dd800b875aa0ef2fa0923babdd4b162555a1c3ff3c58e9291d45fff82389816

  • SHA512

    d8ad97df2d05d9ab88ed3e96e2e7c24efb57ec090737943f52548b1c39e2de9eaf270e20baa0728a31ffdc8745444abf18c07dbca4cce3f3a553c0709d8693ea

Malware Config

Extracted

Family

zloader

Botnet

nut

Campaign

02/07

C2

https://tedxminna.com/wp-parsing.php

https://roeslidegeralic.gq/wp-parsing.php

https://tccgroup.com.tw/wp-parsing.php

https://marufait.com/wp-parsing.php

https://blackandprecious.com/wp-parsing.php

https://resources.digilentinc.com/wp-parsing.php

https://phywebtmoonsthevil.gq/wp-parsing.php

https://ews.asia/wp-parsing.php

https://ews1.icu/wp-parsing.php

rc4.plain
rsa_pubkey.plain
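
The extracted config above is most useful once it is turned into indicators a defender can match. The following Python is an added example, not part of this report or of any tooling the report was produced with: it splits the C2 URLs into host and path, hashes a blob with the same four algorithms listed for the target, and scans proxy-log lines for C2 traffic. Every C2 entry shares the path /wp-parsing.php while several of the hosts look like ordinary sites, so the scanner matches on host first and reports the path on an unlisted host only as a lower-confidence hit. The log lines and the Squid-style field order are constructed for the demonstration; only the URLs and hashes come from the report.

```python
"""IOC helpers derived from the extracted Zloader config.

Added example; not code from the original report. Only the C2 URLs and
file hashes are taken from the report. The log format and log lines are
constructed assumptions for the demonstration.
"""
import hashlib
from urllib.parse import urlsplit

# C2 URLs exactly as listed in the extracted config.
C2_URLS = [
    "https://tedxminna.com/wp-parsing.php",
    "https://roeslidegeralic.gq/wp-parsing.php",
    "https://tccgroup.com.tw/wp-parsing.php",
    "https://marufait.com/wp-parsing.php",
    "https://blackandprecious.com/wp-parsing.php",
    "https://resources.digilentinc.com/wp-parsing.php",
    "https://phywebtmoonsthevil.gq/wp-parsing.php",
    "https://ews.asia/wp-parsing.php",
    "https://ews1.icu/wp-parsing.php",
]

# Hashes of the analysed target (tfR5r4pw) as listed in the report.
KNOWN_HASHES = {
    "md5": "004d3ff1fe0ec1d0a90913f1238f293f",
    "sha1": "fe3a1f35f5c21ce72a1ef05cbf2824a51827a5f2",
    "sha256": "3dd800b875aa0ef2fa0923babdd4b162555a1c3ff3c58e9291d45fff82389816",
    "sha512": "d8ad97df2d05d9ab88ed3e96e2e7c24efb57ec090737943f52548b1c39e2de9e"
              "af270e20baa0728a31ffdc8745444abf18c07dbca4cce3f3a553c0709d8693ea",
}


def c2_indicators(urls):
    """Split C2 URLs into a set of lowercase hosts and a set of paths.

    Returning the two separately lets a scanner treat a known host as a
    strong indicator and the shared path as a weaker, secondary one.
    """
    hosts, paths = set(), set()
    for url in urls:
        parts = urlsplit(url)
        hosts.add((parts.hostname or "").lower())
        paths.add(parts.path)
    return hosts, paths


def hash_bytes(data):
    """Compute the same four digests the report lists, as lowercase hex."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in KNOWN_HASHES}


def matches_known_sample(data):
    """True only if every listed digest of `data` matches the report."""
    return hash_bytes(data) == KNOWN_HASHES


def scan_proxy_log(lines, hosts, paths):
    """Scan log lines of the (assumed) form
    '<timestamp> <client> <method> <url> <status>'.

    Returns a list of (client, url, reason). A known C2 host is reported
    as a high-confidence hit; the C2 path on an unlisted host is reported
    separately so an analyst can triage it rather than block on it blindly.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than guess
        client, url = fields[1], fields[3]
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host in hosts:
            hits.append((client, url, "known C2 host"))
        elif parts.path in paths:
            hits.append((client, url, "C2 path on unlisted host"))
    return hits


# Constructed proxy-log lines for the demonstration (not from the report).
SAMPLE_LOG = [
    "2020-07-02T10:00:01Z 10.0.0.5 POST https://tedxminna.com/wp-parsing.php 200",
    "2020-07-02T10:00:02Z 10.0.0.5 GET https://example.org/index.html 200",
    "2020-07-02T10:00:03Z 10.0.0.9 POST https://unknown-host.example/wp-parsing.php 200",
    "garbage line",
]

if __name__ == "__main__":
    hosts, paths = c2_indicators(C2_URLS)
    for client, url, reason in scan_proxy_log(SAMPLE_LOG, hosts, paths):
        print(f"{client}\t{reason}\t{url}")
```

Because `matches_known_sample` compares all four digests, a file that matches only the MD5 (a collision) is still rejected; when checking a quarantined file, read it in binary mode and pass the bytes to that function.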

Targets

    • Target

      tfR5r4pw

    • Size

      634KB

    • MD5

      004d3ff1fe0ec1d0a90913f1238f293f

    • SHA1

      fe3a1f35f5c21ce72a1ef05cbf2824a51827a5f2

    • SHA256

      3dd800b875aa0ef2fa0923babdd4b162555a1c3ff3c58e9291d45fff82389816

    • SHA512

      d8ad97df2d05d9ab88ed3e96e2e7c24efb57ec090737943f52548b1c39e2de9eaf270e20baa0728a31ffdc8745444abf18c07dbca4cce3f3a553c0709d8693ea

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader (also tracked as Terdot, DELoader and ZeusSphinx) is a banking trojan derived from the leaked Zeus source code and first observed in August 2015.

    • ServiceHost packer

      Detects ServiceHost packer used for .NET malware

    • Blacklisted process makes network request

    • Reads user/profile data of web browsers

      Infostealers commonly read the browser's stored profile data, which can include saved credentials, cookies and autofill entries.

    • Modifies service

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic              Technique                      Count   ID
  Execution           Command-Line Interface         1       T1059
  Persistence         Modify Existing Service        1       T1031
  Defense Evasion     Modify Registry                1       T1112
  Credential Access   Credentials in Files           1       T1081
  Discovery           Remote System Discovery        1       T1018
  Discovery           System Information Discovery   1       T1082
  Collection          Data from Local System         1       T1005

Tasks