ZLoader / Parasite Stealer Analysis
Sample Analysis:
Basic file info:
Basic static analysis consists of examining the executable file without viewing the actual instructions. Basic static analysis can confirm whether a file is malicious, provide information about its functionality, and sometimes provide information that will allow you to produce simple network signatures.
- Filename : winhost.exe (sample2.exe)
- File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
- MD5 : 4f54446d3b9115dcce714bb68cd54abf
- ImpHash: f34d5f2d4577ed6d9ceec516c1f5a744
- Family : ZLoader (COVID-19 Campaign )
Dropped files:
Files created / dropped by the parent sample during dynamic analysis powered by Cyberstanc's Swatbox
- C:\Users\admin\AppData\Local\Temp\AddInProcess32.exe
- C:\Users\admin\AppData\Local\Temp\c08e67e7-d17e-42f4-84a8-059771d01a58\AgileDotNetRT.dll
- C:\Users\admin\Documents\{e29ac6c0-7037-11de-816d-806e6f6e6963}\about.log
- C:\Users\admin\Documents\t.zip
Process Events:
Process's created by the parent sample during dynamic analysis powered by Cyberstanc's Swatbox
- %windir%\System32\svchost.exe -k WerSvcGroup
- wmiadap.exe /F /T /R
- %windir%\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- %windir%\system32\wbem\wmiprvse.exe
- "%TEMP%\AddInProcess32.exe"
Registry Events:
Registry changes made by parent sample during dynamic analysis powered by Cyberstanc's Swatbox
- HKLM\Software\Microsoft\WBEM\WDM\%windir%\system32\drivers\ndis.sys[MofResourceName]
- HKLM\Software\Microsoft\WBEM\WDM\%windir%\System32\Drivers\portcls.SYS[PortclsMof]
- HKLM\Software\Microsoft\WBEM\WDM\%windir%\system32\advapi32.dll[MofResourceName]
- HKLM\Software\Microsoft\WBEM\WDM\%windir%\system32\drivers\en-US\mssmbios.sys.mui[MofResource]
- AddInProcess32.exe| write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Network Events:
Potential network connections made/attempted by parent sample during dynamic analysis powered by Cyberstanc's Swatbox
- 45.8.230.206:80 (http://45.8.230.206/gate.php)
Dynamic Runtime:
Full malware runtime recorded inside Cyberstanc's Swatbox
Mitre TTP's:
Hybrid analysis artifacts collected by Cyberstanc's Swatbox are mapped to MITRE ATTACK framework
- Obfuscated File (T1027)
- Virtualization / Sandbox Checks (T1497)
- Credential in files (T1081)
Killchain Vectors:
Hybrid analysis artifacts collected by Cyberstanc's Swatbox are mapped to potential killchain vectors that can be used to stop the execution of the malware
- .Net packer enabled
For detailed analysis of the sample please kindly download Swatbox's automated malware analysis report :
Interested for more ?
Shoot us an email right away if you are interested in our products at [email protected]