zloader | 3dd800b875aa0ef2fa0923babdd4b162555a1c3ff3c58e9291d45fff82389816

General

Target

tfR5r4pw.dll
Size

634KB
MD5

004d3ff1fe0ec1d0a90913f1238f293f
SHA1

fe3a1f35f5c21ce72a1ef05cbf2824a51827a5f2
SHA256

3dd800b875aa0ef2fa0923babdd4b162555a1c3ff3c58e9291d45fff82389816
SHA512

d8ad97df2d05d9ab88ed3e96e2e7c24efb57ec090737943f52548b1c39e2de9eaf270e20baa0728a31ffdc8745444abf18c07dbca4cce3f3a553c0709d8693ea

Score

10^/10

trojan botnet zloader persistence spyware

Malware Config

Extracted

Family

zloader

Botnet

nut

Campaign

02/07

C2

https://tedxminna.com/wp-parsing.php

https://roeslidegeralic.gq/wp-parsing.php

https://tccgroup.com.tw/wp-parsing.php

https://marufait.com/wp-parsing.php

https://blackandprecious.com/wp-parsing.php

https://resources.digilentinc.com/wp-parsing.php

https://phywebtmoonsthevil.gq/wp-parsing.php

https://ews.asia/wp-parsing.php

https://ews1.icu/wp-parsing.php

rc4.plain

rsa_pubkey.plain

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1552 created 1228 1552 rundll32.exe Explorer.EXE
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

description	pid	process	target process
PID 1552 created 1228	1552	rundll32.exe	Explorer.EXE

Blacklisted process makes network request 64 IoCs

Processes:

msiexec.exe

flow	pid	process
6	1884	msiexec.exe
7	1884	msiexec.exe
8	1884	msiexec.exe
9	1884	msiexec.exe
10	1884	msiexec.exe
11	1884	msiexec.exe
12	1884	msiexec.exe
13	1884	msiexec.exe
14	1884	msiexec.exe
15	1884	msiexec.exe
16	1884	msiexec.exe
17	1884	msiexec.exe
18	1884	msiexec.exe
19	1884	msiexec.exe
20	1884	msiexec.exe
21	1884	msiexec.exe
22	1884	msiexec.exe
23	1884	msiexec.exe
24	1884	msiexec.exe
25	1884	msiexec.exe
26	1884	msiexec.exe
28	1884	msiexec.exe
29	1884	msiexec.exe
30	1884	msiexec.exe
32	1884	msiexec.exe
33	1884	msiexec.exe
34	1884	msiexec.exe
35	1884	msiexec.exe
36	1884	msiexec.exe
37	1884	msiexec.exe
38	1884	msiexec.exe
39	1884	msiexec.exe
40	1884	msiexec.exe
41	1884	msiexec.exe
42	1884	msiexec.exe
43	1884	msiexec.exe
44	1884	msiexec.exe
45	1884	msiexec.exe
46	1884	msiexec.exe
47	1884	msiexec.exe
48	1884	msiexec.exe
49	1884	msiexec.exe
50	1884	msiexec.exe
51	1884	msiexec.exe
52	1884	msiexec.exe
53	1884	msiexec.exe
54	1884	msiexec.exe
55	1884	msiexec.exe
56	1884	msiexec.exe
57	1884	msiexec.exe
58	1884	msiexec.exe
59	1884	msiexec.exe
60	1884	msiexec.exe
61	1884	msiexec.exe
62	1884	msiexec.exe
63	1884	msiexec.exe
64	1884	msiexec.exe
65	1884	msiexec.exe
66	1884	msiexec.exe
67	1884	msiexec.exe
68	1884	msiexec.exe
69	1884	msiexec.exe
70	1884	msiexec.exe
71	1884	msiexec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Modifies service 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

ipconfig.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	ipconfig.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	ipconfig.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1552 set thread context of 1884 1552 rundll32.exe msiexec.exe
Discovers systems in the same network 1 TTPs 2 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exe

pid process

760 net.exe
1392 net.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

2004 ipconfig.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exemsiexec.exe

pid process

1552 rundll32.exe
1884 msiexec.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

rundll32.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 1552 rundll32.exe
Token: SeSecurityPrivilege 1884 msiexec.exe
Token: SeSecurityPrivilege 1884 msiexec.exe

description	pid	process	target process
PID 1552 set thread context of 1884	1552	rundll32.exe	msiexec.exe

pid	process
760	net.exe
1392	net.exe

pid	process
2004	ipconfig.exe

pid	process
1552	rundll32.exe
1884	msiexec.exe

description	pid	process
Token: SeDebugPrivilege	1552	rundll32.exe
Token: SeSecurityPrivilege	1884	msiexec.exe
Token: SeSecurityPrivilege	1884	msiexec.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

rundll32.exerundll32.exemsiexec.execmd.execmd.exenet.execmd.execmd.exe

description	pid	process	target process
PID 1492 wrote to memory of 1552	1492	rundll32.exe	rundll32.exe
PID 1492 wrote to memory of 1552	1492	rundll32.exe	rundll32.exe
PID 1492 wrote to memory of 1552	1492	rundll32.exe	rundll32.exe
PID 1492 wrote to memory of 1552	1492	rundll32.exe	rundll32.exe
PID 1492 wrote to memory of 1552	1492	rundll32.exe	rundll32.exe
PID 1492 wrote to memory of 1552	1492	rundll32.exe	rundll32.exe
PID 1492 wrote to memory of 1552	1492	rundll32.exe	rundll32.exe
PID 1552 wrote to memory of 1884	1552	rundll32.exe	msiexec.exe
PID 1552 wrote to memory of 1884	1552	rundll32.exe	msiexec.exe
PID 1552 wrote to memory of 1884	1552	rundll32.exe	msiexec.exe
PID 1552 wrote to memory of 1884	1552	rundll32.exe	msiexec.exe
PID 1552 wrote to memory of 1884	1552	rundll32.exe	msiexec.exe
PID 1552 wrote to memory of 1884	1552	rundll32.exe	msiexec.exe
PID 1552 wrote to memory of 1884	1552	rundll32.exe	msiexec.exe
PID 1552 wrote to memory of 1884	1552	rundll32.exe	msiexec.exe
PID 1552 wrote to memory of 1884	1552	rundll32.exe	msiexec.exe
PID 1884 wrote to memory of 2040	1884	msiexec.exe	cmd.exe
PID 1884 wrote to memory of 2040	1884	msiexec.exe	cmd.exe
PID 1884 wrote to memory of 2040	1884	msiexec.exe	cmd.exe
PID 1884 wrote to memory of 2040	1884	msiexec.exe	cmd.exe
PID 2040 wrote to memory of 2004	2040	cmd.exe	ipconfig.exe
PID 2040 wrote to memory of 2004	2040	cmd.exe	ipconfig.exe
PID 2040 wrote to memory of 2004	2040	cmd.exe	ipconfig.exe
PID 2040 wrote to memory of 2004	2040	cmd.exe	ipconfig.exe
PID 1884 wrote to memory of 1220	1884	msiexec.exe	cmd.exe
PID 1884 wrote to memory of 1220	1884	msiexec.exe	cmd.exe
PID 1884 wrote to memory of 1220	1884	msiexec.exe	cmd.exe
PID 1884 wrote to memory of 1220	1884	msiexec.exe	cmd.exe
PID 1220 wrote to memory of 884	1220	cmd.exe	net.exe
PID 1220 wrote to memory of 884	1220	cmd.exe	net.exe
PID 1220 wrote to memory of 884	1220	cmd.exe	net.exe
PID 1220 wrote to memory of 884	1220	cmd.exe	net.exe
PID 884 wrote to memory of 1264	884	net.exe	net1.exe
PID 884 wrote to memory of 1264	884	net.exe	net1.exe
PID 884 wrote to memory of 1264	884	net.exe	net1.exe
PID 884 wrote to memory of 1264	884	net.exe	net1.exe
PID 1884 wrote to memory of 1020	1884	msiexec.exe	cmd.exe
PID 1884 wrote to memory of 1020	1884	msiexec.exe	cmd.exe
PID 1884 wrote to memory of 1020	1884	msiexec.exe	cmd.exe
PID 1884 wrote to memory of 1020	1884	msiexec.exe	cmd.exe
PID 1020 wrote to memory of 760	1020	cmd.exe	net.exe
PID 1020 wrote to memory of 760	1020	cmd.exe	net.exe
PID 1020 wrote to memory of 760	1020	cmd.exe	net.exe
PID 1020 wrote to memory of 760	1020	cmd.exe	net.exe
PID 1884 wrote to memory of 1408	1884	msiexec.exe	cmd.exe
PID 1884 wrote to memory of 1408	1884	msiexec.exe	cmd.exe
PID 1884 wrote to memory of 1408	1884	msiexec.exe	cmd.exe
PID 1884 wrote to memory of 1408	1884	msiexec.exe	cmd.exe
PID 1408 wrote to memory of 1392	1408	cmd.exe	net.exe
PID 1408 wrote to memory of 1392	1408	cmd.exe	net.exe
PID 1408 wrote to memory of 1392	1408	cmd.exe	net.exe
PID 1408 wrote to memory of 1392	1408	cmd.exe	net.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1228

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\tfR5r4pw.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\tfR5r4pw.dll,#1
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
2⤵
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ipconfig /all
3⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
4⤵
- Modifies service
- Gathers network information
PID:2004

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net config workstation
3⤵
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\SysWOW64\net.exe
net config workstation
4⤵
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 config workstation
5⤵
PID:1264

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net view /all
3⤵
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\net.exe
net view /all
4⤵
- Discovers systems in the same network
PID:760

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net view /all /domain
3⤵
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\SysWOW64\net.exe
net view /all /domain
4⤵
- Discovers systems in the same network
PID:1392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/760-11-0x0000000000000000-mapping.dmp

Download
memory/884-8-0x0000000000000000-mapping.dmp

Download
memory/1020-10-0x0000000000000000-mapping.dmp

Download
memory/1220-7-0x0000000000000000-mapping.dmp

Download
memory/1264-9-0x0000000000000000-mapping.dmp

Download
memory/1392-13-0x0000000000000000-mapping.dmp

Download
memory/1408-12-0x0000000000000000-mapping.dmp

Download
memory/1552-0-0x0000000000000000-mapping.dmp

Download
memory/1884-3-0x00000000000D0000-0x00000000000FC000-memory.dmp

Filesize
176KB

Download
memory/1884-4-0x0000000000000000-mapping.dmp

Download
memory/1884-2-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1884-1-0x00000000000D0000-0x00000000000FC000-memory.dmp

Filesize
176KB

Download
memory/2004-6-0x0000000000000000-mapping.dmp

Download
memory/2040-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads