zloader | 3428603e92a29c1d256f2d0d3c74d8dd9f8ea3eb7f56cc5204ce035395c1e3e3

General

Target

zloader 2_1.0.11.1.vir.exe
Size

441KB
MD5

97d3b83e66faa406dcc2ce87131edafc
SHA1

b825619c830b8da429cc83f526d4b88867c6308f
SHA256

3428603e92a29c1d256f2d0d3c74d8dd9f8ea3eb7f56cc5204ce035395c1e3e3
SHA512

c4fcb9d2449c5de8400507c8a36d1bebe67dd181f2693cd4248a89db10c40c0b13c5e8a3413cd0c67cdcfe088c6611282e7364bbd1c6837ea15c673a1f3a873e

Score

10^/10

trojan botnet zloader persistence

Malware Config

Extracted

Family

zloader

Botnet

on

Campaign

fallout

C2

https://ifjedssofllvcr.com/jbYm9bt/NlGkb4ivk.php

https://isfjiaaodwsoi.com/jbYm9bt/NlGkb4ivk.php

https://mslfiedjssfdes.com/jbYm9bt/NlGkb4ivk.php

https://sifeiwdjiesde.com/jbYm9bt/NlGkb4ivk.php

https://sldeodjiweiswi.com/jbYm9bt/NlGkb4ivk.php

rc4.plain

Signatures

Suspicious use of SetThreadContext 2 IoCs

Processes:

zloader 2_1.0.11.1.vir.exezloader 2_1.0.11.1.vir.exe

description	pid	process	target process
PID 336 set thread context of 1096	336	zloader 2_1.0.11.1.vir.exe	zloader 2_1.0.11.1.vir.exe
PID 1096 set thread context of 1500	1096	zloader 2_1.0.11.1.vir.exe	msiexec.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 1500 msiexec.exe
Token: SeSecurityPrivilege 1500 msiexec.exe
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

description	pid	process
Token: SeSecurityPrivilege	1500	msiexec.exe
Token: SeSecurityPrivilege	1500	msiexec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ygydc = "C:\\Users\\Admin\\AppData\\Roaming\\Cobu\\fafad.exe"	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

zloader 2_1.0.11.1.vir.exezloader 2_1.0.11.1.vir.exe

description	pid	process	target process
PID 336 wrote to memory of 1096	336	zloader 2_1.0.11.1.vir.exe	zloader 2_1.0.11.1.vir.exe
PID 336 wrote to memory of 1096	336	zloader 2_1.0.11.1.vir.exe	zloader 2_1.0.11.1.vir.exe
PID 336 wrote to memory of 1096	336	zloader 2_1.0.11.1.vir.exe	zloader 2_1.0.11.1.vir.exe
PID 336 wrote to memory of 1096	336	zloader 2_1.0.11.1.vir.exe	zloader 2_1.0.11.1.vir.exe
PID 336 wrote to memory of 1096	336	zloader 2_1.0.11.1.vir.exe	zloader 2_1.0.11.1.vir.exe
PID 336 wrote to memory of 1096	336	zloader 2_1.0.11.1.vir.exe	zloader 2_1.0.11.1.vir.exe
PID 1096 wrote to memory of 1500	1096	zloader 2_1.0.11.1.vir.exe	msiexec.exe
PID 1096 wrote to memory of 1500	1096	zloader 2_1.0.11.1.vir.exe	msiexec.exe
PID 1096 wrote to memory of 1500	1096	zloader 2_1.0.11.1.vir.exe	msiexec.exe
PID 1096 wrote to memory of 1500	1096	zloader 2_1.0.11.1.vir.exe	msiexec.exe
PID 1096 wrote to memory of 1500	1096	zloader 2_1.0.11.1.vir.exe	msiexec.exe
PID 1096 wrote to memory of 1500	1096	zloader 2_1.0.11.1.vir.exe	msiexec.exe
PID 1096 wrote to memory of 1500	1096	zloader 2_1.0.11.1.vir.exe	msiexec.exe
PID 1096 wrote to memory of 1500	1096	zloader 2_1.0.11.1.vir.exe	msiexec.exe
PID 1096 wrote to memory of 1500	1096	zloader 2_1.0.11.1.vir.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\zloader 2_1.0.11.1.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader 2_1.0.11.1.vir.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:336

C:\Users\Admin\AppData\Local\Temp\zloader 2_1.0.11.1.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader 2_1.0.11.1.vir.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
- Adds Run key to start application
PID:1500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/336-2-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/1096-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1096-1-0x0000000000408D70-mapping.dmp

Download
memory/1096-3-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1500-4-0x0000000000090000-0x00000000000B1000-memory.dmp

Filesize
132KB

Download
memory/1500-5-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1500-6-0x0000000000090000-0x00000000000B1000-memory.dmp

Filesize
132KB

Download
memory/1500-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads