zloader | 3326d4607b164078735ee55313992c18e83e6b87b75faf350b8c61a99eb2b659

General

Target

3599f01a6162db10307b75c7132c06db.dll
Size

634KB
MD5

3599f01a6162db10307b75c7132c06db
SHA1

363a23608cccc5d39393c51eb9570e624aef8558
SHA256

3326d4607b164078735ee55313992c18e83e6b87b75faf350b8c61a99eb2b659
SHA512

c63566de21e4aba265ae80a51f56a9622e4bdac40430b477d269304f6793f062742728ebf4ba9457cf48c3d9bd654b81d48fbec7f1b304392f51d14efa1ebafd

Score

10^/10

trojan botnet zloader

Malware Config

Extracted

Family

zloader

Botnet

nut

Campaign

02/07

C2

https://tedxminna.com/wp-parsing.php

https://roeslidegeralic.gq/wp-parsing.php

https://tccgroup.com.tw/wp-parsing.php

https://marufait.com/wp-parsing.php

https://blackandprecious.com/wp-parsing.php

https://resources.digilentinc.com/wp-parsing.php

https://phywebtmoonsthevil.gq/wp-parsing.php

https://ews.asia/wp-parsing.php

https://ews1.icu/wp-parsing.php

rc4.plain

rsa_pubkey.plain

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1512 created 1244 1512 rundll32.exe Explorer.EXE
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

description	pid	process	target process
PID 1512 created 1244	1512	rundll32.exe	Explorer.EXE

Blacklisted process makes network request 87 IoCs

Processes:

msiexec.exe

flow	pid	process
6	1852	msiexec.exe
7	1852	msiexec.exe
8	1852	msiexec.exe
9	1852	msiexec.exe
10	1852	msiexec.exe
11	1852	msiexec.exe
12	1852	msiexec.exe
13	1852	msiexec.exe
14	1852	msiexec.exe
15	1852	msiexec.exe
16	1852	msiexec.exe
17	1852	msiexec.exe
18	1852	msiexec.exe
19	1852	msiexec.exe
20	1852	msiexec.exe
21	1852	msiexec.exe
22	1852	msiexec.exe
23	1852	msiexec.exe
24	1852	msiexec.exe
25	1852	msiexec.exe
26	1852	msiexec.exe
28	1852	msiexec.exe
29	1852	msiexec.exe
30	1852	msiexec.exe
32	1852	msiexec.exe
34	1852	msiexec.exe
35	1852	msiexec.exe
36	1852	msiexec.exe
37	1852	msiexec.exe
38	1852	msiexec.exe
39	1852	msiexec.exe
40	1852	msiexec.exe
41	1852	msiexec.exe
42	1852	msiexec.exe
43	1852	msiexec.exe
44	1852	msiexec.exe
45	1852	msiexec.exe
46	1852	msiexec.exe
47	1852	msiexec.exe
48	1852	msiexec.exe
49	1852	msiexec.exe
50	1852	msiexec.exe
51	1852	msiexec.exe
52	1852	msiexec.exe
53	1852	msiexec.exe
54	1852	msiexec.exe
56	1852	msiexec.exe
57	1852	msiexec.exe
58	1852	msiexec.exe
60	1852	msiexec.exe
61	1852	msiexec.exe
62	1852	msiexec.exe
63	1852	msiexec.exe
64	1852	msiexec.exe
65	1852	msiexec.exe
66	1852	msiexec.exe
67	1852	msiexec.exe
68	1852	msiexec.exe
69	1852	msiexec.exe
70	1852	msiexec.exe
71	1852	msiexec.exe
72	1852	msiexec.exe
73	1852	msiexec.exe
74	1852	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1512 set thread context of 1852 1512 rundll32.exe msiexec.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

rundll32.exe

pid process

1512 rundll32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

rundll32.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 1512 rundll32.exe
Token: SeSecurityPrivilege 1852 msiexec.exe
Token: SeSecurityPrivilege 1852 msiexec.exe

description	pid	process	target process
PID 1512 set thread context of 1852	1512	rundll32.exe	msiexec.exe

pid	process
1512	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1512	rundll32.exe
Token: SeSecurityPrivilege	1852	msiexec.exe
Token: SeSecurityPrivilege	1852	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1440 wrote to memory of 1512	1440	rundll32.exe	rundll32.exe
PID 1440 wrote to memory of 1512	1440	rundll32.exe	rundll32.exe
PID 1440 wrote to memory of 1512	1440	rundll32.exe	rundll32.exe
PID 1440 wrote to memory of 1512	1440	rundll32.exe	rundll32.exe
PID 1440 wrote to memory of 1512	1440	rundll32.exe	rundll32.exe
PID 1440 wrote to memory of 1512	1440	rundll32.exe	rundll32.exe
PID 1440 wrote to memory of 1512	1440	rundll32.exe	rundll32.exe
PID 1512 wrote to memory of 1852	1512	rundll32.exe	msiexec.exe
PID 1512 wrote to memory of 1852	1512	rundll32.exe	msiexec.exe
PID 1512 wrote to memory of 1852	1512	rundll32.exe	msiexec.exe
PID 1512 wrote to memory of 1852	1512	rundll32.exe	msiexec.exe
PID 1512 wrote to memory of 1852	1512	rundll32.exe	msiexec.exe
PID 1512 wrote to memory of 1852	1512	rundll32.exe	msiexec.exe
PID 1512 wrote to memory of 1852	1512	rundll32.exe	msiexec.exe
PID 1512 wrote to memory of 1852	1512	rundll32.exe	msiexec.exe
PID 1512 wrote to memory of 1852	1512	rundll32.exe	msiexec.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3599f01a6162db10307b75c7132c06db.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3599f01a6162db10307b75c7132c06db.dll,#1
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
2⤵
- Blacklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:1852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1512-0-0x0000000000000000-mapping.dmp

Download
memory/1852-1-0x0000000000090000-0x00000000000BC000-memory.dmp

Filesize
176KB

Download
memory/1852-2-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1852-3-0x0000000000090000-0x00000000000BC000-memory.dmp

Filesize
176KB

Download
memory/1852-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing