ZLoader / Parasite Stealer Analysis

Sample Analysis:

Basic file info:

Basic static analysis consists of examining the executable file without viewing the actual instructions. Basic static analysis can confirm whether a file is malicious, provide information about its functionality, and sometimes provide information that will allow you to produce simple network signatures.

• Filename : winhost.exe (sample2.exe)
• File Type :  PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
• MD5 :  4f54446d3b9115dcce714bb68cd54abf
• ImpHash: f34d5f2d4577ed6d9ceec516c1f5a744
• Family : ZLoader (COVID-19 Campaign )

Dropped files:

Files created / dropped by the parent sample during dynamic analysis powered by Cyberstanc's Swatbox

• C:\Users\admin\AppData\Local\Temp\AddInProcess32.exe
• C:\Users\admin\AppData\Local\Temp\c08e67e7-d17e-42f4-84a8-059771d01a58\AgileDotNetRT.dll
• C:\Users\admin\Documents\{e29ac6c0-7037-11de-816d-806e6f6e6963}\about.log
• C:\Users\admin\Documents\t.zip

Process Events:

Process's created by the parent sample during dynamic analysis powered by Cyberstanc's Swatbox

• %windir%\System32\svchost.exe -k WerSvcGroup
• wmiadap.exe /F /T /R
• %windir%\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
• %windir%\system32\wbem\wmiprvse.exe
• "%TEMP%\AddInProcess32.exe"

Registry Events:

Registry changes made by parent sample during dynamic analysis powered by Cyberstanc's Swatbox

• HKLM\Software\Microsoft\WBEM\WDM\%windir%\system32\drivers\ndis.sys[MofResourceName]
• HKLM\Software\Microsoft\WBEM\WDM\%windir%\System32\Drivers\portcls.SYS[PortclsMof]
• HKLM\Software\Microsoft\WBEM\WDM\%windir%\system32\advapi32.dll[MofResourceName]
• HKLM\Software\Microsoft\WBEM\WDM\%windir%\system32\drivers\en-US\mssmbios.sys.mui[MofResource]
• AddInProcess32.exe| write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

Network Events:

Potential network connections made/attempted by parent sample during dynamic analysis powered by Cyberstanc's Swatbox

• 45.8.230.206:80 (http://45.8.230.206/gate.php)

Dynamic Runtime:

Full malware runtime recorded inside Cyberstanc's Swatbox

Mitre TTP's:

Hybrid analysis artifacts collected by Cyberstanc's Swatbox  are mapped to MITRE ATTACK framework

• Obfuscated File (T1027)
• Virtualization / Sandbox Checks (T1497)
• Credential in files (T1081)

Killchain Vectors:

Hybrid analysis artifacts collected by Cyberstanc's Swatbox  are mapped to potential killchain vectors that can be used to stop the execution of the malware

• .Net packer enabled

For detailed analysis of the sample please kindly download Swatbox's automated malware analysis report :

https://cyberstanc.com/uploads/eae911d2-863f-4d0e-b977-25761729a917/eae911d2-863f-4d0e-b977-25761729a917.pdf

Interested for more ?

Shoot us an email right away if you are interested in our products at [email protected]