zloader | b715ce2fa69bc8384df1a4137b50bc30e05c0f3f557fe8608635744543b9976d

General

Target

sample.bin.dll
Size

360KB
MD5

51e92b188d28211c9d6930ee232c311b
SHA1

f152329df180bc65ea479502346d649b973449bc
SHA256

b715ce2fa69bc8384df1a4137b50bc30e05c0f3f557fe8608635744543b9976d
SHA512

c0d66f831fadb76c3bf197731b58cfa535ec2d658bd3af47024b16b2986b0433ef554be37370c31eeffe06e557d17464c36271d67241018ae76fe68d4281a694

Score

10^/10

trojan botnet zloader

Malware Config

Extracted

Family

zloader

Botnet

nut

Campaign

08/07

C2

https://rdaprint.in/wp-parsing.php

https://vishweshwarastrology.com/wp-parsing.php

https://statpasapipag.tk/wp-parsing.php

https://www.netinup.it/wp-parsing.php

https://www.oneolimpio.tech/wp-parsing.php

https://hanskingrypgirigolf.ml/wp-parsing.php

rc4.plain

rsa_pubkey.plain

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 900 created 1324	900	rundll32.exe	20

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blacklisted process makes network request 13 IoCs

flow	pid	Process
6	1652	msiexec.exe
8	1652	msiexec.exe
10	1652	msiexec.exe
12	1652	msiexec.exe
13	1652	msiexec.exe
14	1652	msiexec.exe
15	1652	msiexec.exe
16	1652	msiexec.exe
17	1652	msiexec.exe
19	1652	msiexec.exe
21	1652	msiexec.exe
23	1652	msiexec.exe
25	1652	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 900 set thread context of 1652	900	rundll32.exe	27

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
900	rundll32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	900	rundll32.exe
Token: SeSecurityPrivilege	1652	msiexec.exe
Token: SeSecurityPrivilege	1652	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 900	1056	rundll32.exe	24
PID 1056 wrote to memory of 900	1056	rundll32.exe	24
PID 1056 wrote to memory of 900	1056	rundll32.exe	24
PID 1056 wrote to memory of 900	1056	rundll32.exe	24
PID 1056 wrote to memory of 900	1056	rundll32.exe	24
PID 1056 wrote to memory of 900	1056	rundll32.exe	24
PID 1056 wrote to memory of 900	1056	rundll32.exe	24
PID 900 wrote to memory of 1652	900	rundll32.exe	27
PID 900 wrote to memory of 1652	900	rundll32.exe	27
PID 900 wrote to memory of 1652	900	rundll32.exe	27
PID 900 wrote to memory of 1652	900	rundll32.exe	27
PID 900 wrote to memory of 1652	900	rundll32.exe	27
PID 900 wrote to memory of 1652	900	rundll32.exe	27
PID 900 wrote to memory of 1652	900	rundll32.exe	27
PID 900 wrote to memory of 1652	900	rundll32.exe	27
PID 900 wrote to memory of 1652	900	rundll32.exe	27

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1324
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\sample.bin.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\sample.bin.dll,#1
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:900
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe
  2⤵
  - Blacklisted process makes network request
  - Suspicious use of AdjustPrivilegeToken
  PID:1652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1652-1-0x00000000000E0000-0x000000000010C000-memory.dmp

Filesize
176KB

Download
memory/1652-2-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1652-3-0x00000000000E0000-0x000000000010C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing