Scrutinize Files Before Ransomware Runs!!


ZLoader / Parasite Stealer Analysis

Sample Analysis:

Basic file info:

Basic static analysis consists of examining the executable file without viewing the actual instructions. Basic static analysis can confirm whether a file is malicious, provide information about its functionality, and sometimes provide information that will allow you to produce simple network signatures.

Dropped files:

Files created or dropped by the parent sample during dynamic analysis powered by Cyberstanc's Swatbox:

  • C:\Users\admin\AppData\Local\Temp\AddInProcess32.exe
  • C:\Users\admin\AppData\Local\Temp\c08e67e7-d17e-42f4-84a8-059771d01a58\AgileDotNetRT.dll
  • C:\Users\admin\Documents\{e29ac6c0-7037-11de-816d-806e6f6e6963}\about.log
  • C:\Users\admin\Documents\t.zip

Process Events:

Processes created by the parent sample during dynamic analysis powered by Cyberstanc's Swatbox:

Registry Events:

Registry changes made by the parent sample during dynamic analysis powered by Cyberstanc's Swatbox:
  • HKLM\Software\Microsoft\WBEM\WDM\%windir%\system32\drivers\ndis.sys[MofResourceName]
  • HKLM\Software\Microsoft\WBEM\WDM\%windir%\System32\Drivers\portcls.SYS[PortclsMof]
  • HKLM\Software\Microsoft\WBEM\WDM\%windir%\system32\advapi32.dll[MofResourceName]
  • HKLM\Software\Microsoft\WBEM\WDM\%windir%\system32\drivers\en-US\mssmbios.sys.mui[MofResource]
  • AddInProcess32.exe| write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

Network Events:

Potential network connections made or attempted by the parent sample during dynamic analysis powered by Cyberstanc's Swatbox:
  • 45.8.230.206:80 (http://45.8.230.206/gate.php)

Dynamic Runtime:

Full malware runtime recorded inside Cyberstanc's Swatbox:

changed.exe (4f54446d3b9115dcce714bb68cd54abf)

MITRE TTPs:

Hybrid analysis artifacts collected by Cyberstanc's Swatbox are mapped to the MITRE ATT&CK framework:
  • Obfuscated Files (T1027)
  • Virtualization / Sandbox Evasion (T1497)
  • Credentials in Files (T1081)

Killchain Vectors:

Hybrid analysis artifacts collected by Cyberstanc's Swatbox are mapped to potential killchain vectors that can be used to stop the execution of the malware:
  • .NET packer enabled

For a detailed analysis of the sample, please download Swatbox's automated malware analysis report:

https://cyberstanc.com/uploads/eae911d2-863f-4d0e-b977-25761729a917/eae911d2-863f-4d0e-b977-25761729a917.pdf

Interested in more?

If you are interested in our products, send us an email at [email protected]