Pulse Detail — Threat Intelligence

PULSE NAME

ESET takes part in global operation to disrupt Zloader botnets | WeLiveSecurity

WHITE mohdrennis 2022-04-17 Modified: 2022-04-17

102

IOCs

HIGH VOLUME

Zloader is one of the world’s most dangerous banking trojan families, and ESET researchers have been closely monitoring its activity and evolution since it was announced and advertised in underground forums.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1068 T1566 T1496 T1090 T1003 T1005 T1008 T1012 T1016 T1027 T1033 T1036 T1041 T1047 T1055 T1056 T1057 T1059 T1070 T1071 T1074 T1082 T1083 T1106 T1113 T1124 T1140 T1189 T1204 T1219 T1482 T1489 T1490 T1518 T1529 T1539 T1547 T1548 T1553 T1555 T1557 T1560 T1562 T1568 T1573 T1583 T1584 T1587 T1588

MALWARE FAMILIES

Zloader Zbot KY NKA ADI HODI Cobalt Strike HOGN ADUM PHL PHM AO HNLQ Ursnif

Indicators of Compromise (102)

All URL CVE FileHash-MD5 FileHash-SHA1 FileHash-SHA256 domain email hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
URL	https://endoftheendi.com/12.exe	—	2022-04-17
URL	https://cmdadminu.com	—	2022-04-17
URL	https://datalystoy.com	—	2022-04-17
URL	https://teamworks455.com	—	2022-04-17
URL	https://updatemsicheck.com	—	2022-04-17
CVE	CVE-2012-0151	—	2022-04-17
CVE	CVE-2013-3900	—	2022-04-17
FileHash-MD5	03d5ae30a0bd934a23b6a7f0756aa504	—	2022-04-17
FileHash-MD5	077cfbe2754d9bdd984cebff7b925ad8	MD5 of 30d8ba32daf9e18e9e3ce564fc117a2faf738405	2022-04-17
FileHash-MD5	5cae01aea8ed390ce9bec17b6c1237e4	MD5 of 3a80a49efaac5d839400e4fb8f803243fb39a513	2022-04-17
FileHash-MD5	5ce59cd58a34bc0530e398330013ee77	MD5 of f3b3cf03801527c24f9059f475a9d87e5392dae9	2022-04-17
FileHash-MD5	66863e846cd5360736c868038b4d8a02	MD5 of e7d7be1f1fe04f6708efb8f0f258471d856f8f8f	2022-04-17
FileHash-MD5	800f1fbfda6fa368cd469f5bdff644b0	MD5 of fa1db6808d4b4d58de6f7798a807dd4bea5b9bf7	2022-04-17
FileHash-MD5	ae2b147bba8bbe97300ee12fa439d19b	MD5 of 4858bc02452a266ea3e1a0dd84a31fa050134fb8	2022-04-17
FileHash-MD5	e5f69cf5e3b412444c4ad60defefc861	MD5 of f4879eb2c159c4e73139d1ac5d5c8862af8f1719	2022-04-17
FileHash-SHA1	23d38e876772a4e28f1b8b6aaf03e18c7cfe5757	—	2022-04-17
FileHash-SHA1	30d8ba32daf9e18e9e3ce564fc117a2faf738405	—	2022-04-17
FileHash-SHA1	33fd41e6fd2ccf3dfb0fcb90eb7f27e5eab2a0b3	—	2022-04-17
FileHash-SHA1	3a80a49efaac5d839400e4fb8f803243fb39a513	—	2022-04-17
FileHash-SHA1	462e242ef2e6bad389dab845c68dd41493f91c89	—	2022-04-17
FileHash-SHA1	4858bc02452a266ea3e1a0dd84a31fa050134fb8	—	2022-04-17
FileHash-SHA1	5a4e5ee60cb674b2bfcd583ee3641d7825d78221	—	2022-04-17
FileHash-SHA1	5aa2f377c73a0e73e7e81a606ca35bc07331ef51	—	2022-04-17
FileHash-SHA1	9d3e6b2f91547d891f0716004358a8952479c14d	—	2022-04-17
FileHash-SHA1	a187d9c0b4bdb4d0b5c1d2bdbcb65090dcee5d8c	—	2022-04-17
FileHash-SHA1	bd989516f902c0b4aff7bcf32db511452355d7c5	—	2022-04-17
FileHash-SHA1	beab91a74563df8049a894d5a2542dd8843553c2	—	2022-04-17
FileHash-SHA1	e4274681989347fabb22050a5ad14fe66ffdc000	—	2022-04-17
FileHash-SHA1	e7d7be1f1fe04f6708efb8f0f258471d856f8f8f	—	2022-04-17
FileHash-SHA1	f3b3cf03801527c24f9059f475a9d87e5392dae9	—	2022-04-17
FileHash-SHA1	f4879eb2c159c4e73139d1ac5d5c8862af8f1719	—	2022-04-17
FileHash-SHA1	fa1db6808d4b4d58de6f7798a807dd4bea5b9bf7	—	2022-04-17
FileHash-SHA256	19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618	SHA256 of 3a80a49efaac5d839400e4fb8f803243fb39a513	2022-04-17
FileHash-SHA256	5da3db74eee74412c1290393a0a0487c63b2c022e57aebcd632f0c3caf23d8bc	SHA256 of fa1db6808d4b4d58de6f7798a807dd4bea5b9bf7	2022-04-17
FileHash-SHA256	5f02551d7a9d3021e59c22c84147874e78019417480ed3e792197743fb48c2a0	SHA256 of 30d8ba32daf9e18e9e3ce564fc117a2faf738405	2022-04-17
FileHash-SHA256	950ad539dfc8e16c07d24dbb37ae19daa0b2f32164ba0cb3c81fa7e689f274e1	SHA256 of f3b3cf03801527c24f9059f475a9d87e5392dae9	2022-04-17
FileHash-SHA256	b83a51edb03adbaf47fd133a6d8e3139906d3dc4d70eb06d45f45815db8bbb85	SHA256 of f4879eb2c159c4e73139d1ac5d5c8862af8f1719	2022-04-17
FileHash-SHA256	c3dcb0b174fe9b61f8f20d829f0b05fdf04848fc7087f53b7de1e4d91e8042dd	SHA256 of e7d7be1f1fe04f6708efb8f0f258471d856f8f8f	2022-04-17
FileHash-SHA256	f537cfc1c44ea27081e917e92f2909a8a5c81695a7954add30a6e6e4fd22c85f	SHA256 of 4858bc02452a266ea3e1a0dd84a31fa050134fb8	2022-04-17
URL	http://1.3.27.0	—	2022-04-17
URL	http://1.6.28.0	—	2022-04-17
URL	http://1.8.30.0	—	2022-04-17
URL	https://aerulonoured.su	—	2022-04-17
URL	https://asdfghdsajkl.com/gate.php	—	2022-04-17
URL	https://braves.fun/racoon.exe	—	2022-04-17
URL	https://checksoftupdate.com	—	2022-04-17
URL	https://clouds222.com	—	2022-04-17
URL	https://commandaadmin.com	—	2022-04-17
URL	https://daksjuggdhwa.com/gate.php	—	2022-04-17
URL	https://djshggadasj.com/gate.php	—	2022-04-17
URL	https://dkisuaggdjhna.com/gate.php	—	2022-04-17
URL	https://dotxvcnjlvdajkwerwoh.com	—	2022-04-17
URL	https://dquggwjhdmq.com/gate.php	—	2022-04-17
URL	https://eiqwuggejqw.com/gate.php	—	2022-04-17
URL	https://endoftheendi.com	—	2022-04-17
URL	https://endoftheendi.com/us.dll	—	2022-04-17
URL	https://iasudjghnasd.com/gate.php	—	2022-04-17
URL	https://kdjwhqejqwij.com/gate.php	—	2022-04-17
URL	https://kjdhsasghjds.com/gate.php	—	2022-04-17
URL	https://lkjhgfgsdshja.com/gate.php	—	2022-04-17
URL	https://porno3xgirls.fun	—	2022-04-17
URL	https://porno3xgirls.space	—	2022-04-17
URL	https://porno3xgirls.website	—	2022-04-17
URL	https://pornokeyxxx.pw	—	2022-04-17
URL	https://pornoxxxguru.space	—	2022-04-17
URL	https://porxnoxxx.pw	—	2022-04-17
URL	https://porxnoxxx.site	—	2022-04-17
URL	https://rec.kindplanet.us	—	2022-04-17
URL	https://sofftsportal.su	—	2022-04-17
URL	https://teamworks455.com/_country/check.php	4581c84f0d415b6f3405c104afafd04d621a1e76bf4f93de7babb8c5507456af	2022-04-17
domain	aerulonoured.su	—	2022-04-17
domain	asdfghdsajkl.com	—	2022-04-17
domain	braves.fun	—	2022-04-17
domain	checksoftupdate.com	—	2022-04-17
domain	clouds222.com	—	2022-04-17
domain	cmdadminu.com	—	2022-04-17
domain	commandaadmin.com	—	2022-04-17
domain	daksjuggdhwa.com	—	2022-04-17
domain	datalystoy.com	—	2022-04-17
domain	djshggadasj.com	—	2022-04-17
domain	dkisuaggdjhna.com	—	2022-04-17
domain	dotxvcnjlvdajkwerwoh.com	—	2022-04-17
domain	dquggwjhdmq.com	—	2022-04-17
domain	eiqwuggejqw.com	—	2022-04-17
domain	endoftheendi.com	—	2022-04-17
domain	iasudjghnasd.com	—	2022-04-17
domain	kdjwhqejqwij.com	—	2022-04-17
domain	kjdhsasghjds.com	—	2022-04-17
domain	lkjhgfgsdshja.com	—	2022-04-17
domain	porno3xgirls.fun	—	2022-04-17
domain	porno3xgirls.space	—	2022-04-17
domain	porno3xgirls.website	—	2022-04-17
domain	pornokeyxxx.pw	—	2022-04-17
domain	pornoxxxguru.space	—	2022-04-17
domain	porxnoxxx.pw	—	2022-04-17
domain	porxnoxxx.site	—	2022-04-17
domain	sofftsportal.su	—	2022-04-17
domain	teamworks455.com	—	2022-04-17
domain	updatemsicheck.com	—	2022-04-17
email	ario.hi@rover.info	—	2022-04-17
hostname	rec.kindplanet.us	—	2022-04-17
hostname	trojandownloader.agent.ky	—	2022-04-17

References (1)

↗ https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/