zloader | b8a7600b813dbd100629f8353a30592f21163319ab6229b1b46c2693483b2ae1

Analysis

max time kernel
111s
max time network
132s
platform
windows10_x64
resource
win10v200430
submitted
10/07/2020, 06:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Sample.bin.dll
Size

376KB
MD5

21d81add38d164fcf3afac2d306163d4
SHA1

f8df53445ba6cacdc63c7b9d1c666fbcf97c54f7
SHA256

b8a7600b813dbd100629f8353a30592f21163319ab6229b1b46c2693483b2ae1
SHA512

159d83e66d9521a310a87c248cce95c436d2098545c4ba041782185d40e3cef290b3a011267bf29c11e34c3ce5dde8f64d94014c55af69ec90430ce36bb59096

Score

10^/10

trojan botnet zloader

Malware Config

Extracted

Family

zloader

Botnet

nut

Campaign

09/07

http://draminski-retail.eu/wp-parsing.php

http://duanyong.top/wp-parsing.php

http://eternalstarculture.com/wp-parsing.php

http://gh99.cn/wp-parsing.php

https://nalighpicseracha.tk/wp-parsing.php

http://glossy.vn/wp-parsing.php

http://jiangchi.name/wp-parsing.php

https://roeslidegeralic.gq/wp-parsing.php

http://mawi.io/wp-parsing.php

rc4.plain

rsa_pubkey.plain

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2144 created 2988	2144	rundll32.exe	55

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blacklisted process makes network request 14 IoCs

flow	pid	Process
5	2680	msiexec.exe
7	2680	msiexec.exe
9	2680	msiexec.exe
11	2680	msiexec.exe
13	2680	msiexec.exe
15	2680	msiexec.exe
17	2680	msiexec.exe
19	2680	msiexec.exe
21	2680	msiexec.exe
23	2680	msiexec.exe
24	2680	msiexec.exe
26	2680	msiexec.exe
28	2680	msiexec.exe
29	2680	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2144 set thread context of 2680	2144	rundll32.exe	69

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2144	rundll32.exe
2144	rundll32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	rundll32.exe
Token: SeSecurityPrivilege	2680	msiexec.exe
Token: SeSecurityPrivilege	2680	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2144	2416	rundll32.exe	68
PID 2416 wrote to memory of 2144	2416	rundll32.exe	68
PID 2416 wrote to memory of 2144	2416	rundll32.exe	68
PID 2144 wrote to memory of 2680	2144	rundll32.exe	69
PID 2144 wrote to memory of 2680	2144	rundll32.exe	69
PID 2144 wrote to memory of 2680	2144	rundll32.exe	69
PID 2144 wrote to memory of 2680	2144	rundll32.exe	69
PID 2144 wrote to memory of 2680	2144	rundll32.exe	69

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2988
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\Sample.bin.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\Sample.bin.dll,#1
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2144
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe
  2⤵
  - Blacklisted process makes network request
  - Suspicious use of AdjustPrivilegeToken
  PID:2680

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2680-1-0x0000000000B40000-0x0000000000B6C000-memory.dmp

Filesize
176KB

Download