zloader | b8a7600b813dbd100629f8353a30592f21163319ab6229b1b46c2693483b2ae1

General

Target

Sample.bin.dll
Size

376KB
MD5

21d81add38d164fcf3afac2d306163d4
SHA1

f8df53445ba6cacdc63c7b9d1c666fbcf97c54f7
SHA256

b8a7600b813dbd100629f8353a30592f21163319ab6229b1b46c2693483b2ae1
SHA512

159d83e66d9521a310a87c248cce95c436d2098545c4ba041782185d40e3cef290b3a011267bf29c11e34c3ce5dde8f64d94014c55af69ec90430ce36bb59096

Score

10^/10

trojan botnet zloader

Malware Config

Extracted

Family

zloader

Botnet

nut

Campaign

09/07

C2

http://draminski-retail.eu/wp-parsing.php

http://duanyong.top/wp-parsing.php

http://eternalstarculture.com/wp-parsing.php

http://gh99.cn/wp-parsing.php

https://nalighpicseracha.tk/wp-parsing.php

http://glossy.vn/wp-parsing.php

http://jiangchi.name/wp-parsing.php

https://roeslidegeralic.gq/wp-parsing.php

http://mawi.io/wp-parsing.php

rc4.plain

rsa_pubkey.plain

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1184 created 1248	1184	rundll32.exe	20

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blacklisted process makes network request 13 IoCs

flow	pid	Process
5	1536	msiexec.exe
7	1536	msiexec.exe
9	1536	msiexec.exe
11	1536	msiexec.exe
13	1536	msiexec.exe
15	1536	msiexec.exe
17	1536	msiexec.exe
19	1536	msiexec.exe
21	1536	msiexec.exe
23	1536	msiexec.exe
24	1536	msiexec.exe
26	1536	msiexec.exe
27	1536	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1184 set thread context of 1536	1184	rundll32.exe	27

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1184	rundll32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1184	rundll32.exe
Token: SeSecurityPrivilege	1536	msiexec.exe
Token: SeSecurityPrivilege	1536	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 1184	1156	rundll32.exe	24
PID 1156 wrote to memory of 1184	1156	rundll32.exe	24
PID 1156 wrote to memory of 1184	1156	rundll32.exe	24
PID 1156 wrote to memory of 1184	1156	rundll32.exe	24
PID 1156 wrote to memory of 1184	1156	rundll32.exe	24
PID 1156 wrote to memory of 1184	1156	rundll32.exe	24
PID 1156 wrote to memory of 1184	1156	rundll32.exe	24
PID 1184 wrote to memory of 1536	1184	rundll32.exe	27
PID 1184 wrote to memory of 1536	1184	rundll32.exe	27
PID 1184 wrote to memory of 1536	1184	rundll32.exe	27
PID 1184 wrote to memory of 1536	1184	rundll32.exe	27
PID 1184 wrote to memory of 1536	1184	rundll32.exe	27
PID 1184 wrote to memory of 1536	1184	rundll32.exe	27
PID 1184 wrote to memory of 1536	1184	rundll32.exe	27
PID 1184 wrote to memory of 1536	1184	rundll32.exe	27
PID 1184 wrote to memory of 1536	1184	rundll32.exe	27

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1248
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\Sample.bin.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\Sample.bin.dll,#1
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1184
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe
  2⤵
  - Blacklisted process makes network request
  - Suspicious use of AdjustPrivilegeToken
  PID:1536

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1536-1-0x0000000000090000-0x00000000000BC000-memory.dmp

Filesize
176KB

Download
memory/1536-2-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1536-3-0x0000000000090000-0x00000000000BC000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing