zloader | 4fb5e1b5eaa6a8f4ff3e80429adaa9f5af1dded814c724a7839f25636530d0e3

General

Target

202.dll
Size

387KB
MD5

d807f97e41c73e54984ebe5a5228be7a
SHA1

3ee769477a72b6dbc39cfed759e6f58d16a96151
SHA256

4fb5e1b5eaa6a8f4ff3e80429adaa9f5af1dded814c724a7839f25636530d0e3
SHA512

36f1fd0b2d7efde2cbd2a76f2986517b3f1917fe3882f5eaf42cc1ac7087370969f6c2627b2662bc1a73f705c57d8a15a093a26a12ec9e479f693a58c46f6d81

Score

10^/10

persistence spyware trojan botnet zloader

Malware Config

Extracted

Family

zloader

Botnet

DLLobnova

Campaign

dllnewheh

C2

https://dsdjfhdsufudhjas.name/gate.php

https://dsdjfhd9ddksaas.com/gate.php

https://dsdjfhdsufudhjas.pw/gate.php

https://dsdjfhd9ddksaas.ru/gate.php

https://dsdjfhdsufudhjas.su/gate.php

https://kdsadisadijdsasm2.com/gate.php

https://dsdjfhdsufudhjas.net/gate.php

https://dsdjfhd9ddksaas.eu/gate.php

03d5ae30a0bd934a23b6a7f0756aa504

rc4.plain

Signatures

Blacklisted process makes network request 18 IoCs

Processes:

msiexec.exe

flow	pid	process
8	1044	msiexec.exe
9	1044	msiexec.exe
10	1044	msiexec.exe
11	1044	msiexec.exe
12	1044	msiexec.exe
13	1044	msiexec.exe
14	1044	msiexec.exe
15	1044	msiexec.exe
16	1044	msiexec.exe
17	1044	msiexec.exe
18	1044	msiexec.exe
19	1044	msiexec.exe
20	1044	msiexec.exe
21	1044	msiexec.exe
22	1044	msiexec.exe
23	1044	msiexec.exe
24	1044	msiexec.exe
25	1044	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

1044 msiexec.exe
1044 msiexec.exe

pid	process
1044	msiexec.exe
1044	msiexec.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	msiexec.exe

Runs net.exe
Discovers systems in the same network 1 TTPs 2 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exe

pid process

1080 net.exe
1020 net.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1184 set thread context of 1044 1184 rundll32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 1044 msiexec.exe
Token: SeSecurityPrivilege 1044 msiexec.exe
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

pid	process
1080	net.exe
1020	net.exe

description	pid	process	target process
PID 1184 set thread context of 1044	1184	rundll32.exe	msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	1044	msiexec.exe
Token: SeSecurityPrivilege	1044	msiexec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gidewoys = "regsvr32.exe /s C:\\Users\\Admin\\AppData\\Roaming\\Xeub\\boihug.dll"	msiexec.exe

Modifies service 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

ipconfig.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	ipconfig.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	ipconfig.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

rundll32.exerundll32.exemsiexec.execmd.execmd.exenet.execmd.execmd.exe

description	pid	process	target process
PID 1156 wrote to memory of 1184	1156	rundll32.exe	rundll32.exe
PID 1156 wrote to memory of 1184	1156	rundll32.exe	rundll32.exe
PID 1156 wrote to memory of 1184	1156	rundll32.exe	rundll32.exe
PID 1156 wrote to memory of 1184	1156	rundll32.exe	rundll32.exe
PID 1156 wrote to memory of 1184	1156	rundll32.exe	rundll32.exe
PID 1156 wrote to memory of 1184	1156	rundll32.exe	rundll32.exe
PID 1156 wrote to memory of 1184	1156	rundll32.exe	rundll32.exe
PID 1184 wrote to memory of 1044	1184	rundll32.exe	msiexec.exe
PID 1184 wrote to memory of 1044	1184	rundll32.exe	msiexec.exe
PID 1184 wrote to memory of 1044	1184	rundll32.exe	msiexec.exe
PID 1184 wrote to memory of 1044	1184	rundll32.exe	msiexec.exe
PID 1184 wrote to memory of 1044	1184	rundll32.exe	msiexec.exe
PID 1184 wrote to memory of 1044	1184	rundll32.exe	msiexec.exe
PID 1184 wrote to memory of 1044	1184	rundll32.exe	msiexec.exe
PID 1184 wrote to memory of 1044	1184	rundll32.exe	msiexec.exe
PID 1184 wrote to memory of 1044	1184	rundll32.exe	msiexec.exe
PID 1044 wrote to memory of 1852	1044	msiexec.exe	cmd.exe
PID 1044 wrote to memory of 1852	1044	msiexec.exe	cmd.exe
PID 1044 wrote to memory of 1852	1044	msiexec.exe	cmd.exe
PID 1044 wrote to memory of 1852	1044	msiexec.exe	cmd.exe
PID 1852 wrote to memory of 1944	1852	cmd.exe	ipconfig.exe
PID 1852 wrote to memory of 1944	1852	cmd.exe	ipconfig.exe
PID 1852 wrote to memory of 1944	1852	cmd.exe	ipconfig.exe
PID 1852 wrote to memory of 1944	1852	cmd.exe	ipconfig.exe
PID 1044 wrote to memory of 1984	1044	msiexec.exe	cmd.exe
PID 1044 wrote to memory of 1984	1044	msiexec.exe	cmd.exe
PID 1044 wrote to memory of 1984	1044	msiexec.exe	cmd.exe
PID 1044 wrote to memory of 1984	1044	msiexec.exe	cmd.exe
PID 1984 wrote to memory of 2036	1984	cmd.exe	net.exe
PID 1984 wrote to memory of 2036	1984	cmd.exe	net.exe
PID 1984 wrote to memory of 2036	1984	cmd.exe	net.exe
PID 1984 wrote to memory of 2036	1984	cmd.exe	net.exe
PID 2036 wrote to memory of 1972	2036	net.exe	net1.exe
PID 2036 wrote to memory of 1972	2036	net.exe	net1.exe
PID 2036 wrote to memory of 1972	2036	net.exe	net1.exe
PID 2036 wrote to memory of 1972	2036	net.exe	net1.exe
PID 1044 wrote to memory of 368	1044	msiexec.exe	cmd.exe
PID 1044 wrote to memory of 368	1044	msiexec.exe	cmd.exe
PID 1044 wrote to memory of 368	1044	msiexec.exe	cmd.exe
PID 1044 wrote to memory of 368	1044	msiexec.exe	cmd.exe
PID 368 wrote to memory of 1080	368	cmd.exe	net.exe
PID 368 wrote to memory of 1080	368	cmd.exe	net.exe
PID 368 wrote to memory of 1080	368	cmd.exe	net.exe
PID 368 wrote to memory of 1080	368	cmd.exe	net.exe
PID 1044 wrote to memory of 564	1044	msiexec.exe	cmd.exe
PID 1044 wrote to memory of 564	1044	msiexec.exe	cmd.exe
PID 1044 wrote to memory of 564	1044	msiexec.exe	cmd.exe
PID 1044 wrote to memory of 564	1044	msiexec.exe	cmd.exe
PID 564 wrote to memory of 1020	564	cmd.exe	net.exe
PID 564 wrote to memory of 1020	564	cmd.exe	net.exe
PID 564 wrote to memory of 1020	564	cmd.exe	net.exe
PID 564 wrote to memory of 1020	564	cmd.exe	net.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1944 ipconfig.exe

pid	process
1944	ipconfig.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\202.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\202.dll,#1
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ipconfig /all
4⤵
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
5⤵
- Modifies service
- Gathers network information
PID:1944

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net config workstation
4⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\net.exe
net config workstation
5⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 config workstation
6⤵
PID:1972

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net view /all
4⤵
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\SysWOW64\net.exe
net view /all
5⤵
- Discovers systems in the same network
PID:1080

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net view /all /domain
4⤵
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\SysWOW64\net.exe
net view /all /domain
5⤵
- Discovers systems in the same network
PID:1020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/368-10-0x0000000000000000-mapping.dmp

Download
memory/564-12-0x0000000000000000-mapping.dmp

Download
memory/1020-13-0x0000000000000000-mapping.dmp

Download
memory/1044-1-0x0000000000090000-0x00000000000BC000-memory.dmp

Filesize
176KB

Download
memory/1044-2-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1044-3-0x0000000000090000-0x00000000000BC000-memory.dmp

Filesize
176KB

Download
memory/1044-4-0x0000000000000000-mapping.dmp

Download
memory/1080-11-0x0000000000000000-mapping.dmp

Download
memory/1184-0-0x0000000000000000-mapping.dmp

Download
memory/1852-5-0x0000000000000000-mapping.dmp

Download
memory/1944-6-0x0000000000000000-mapping.dmp

Download
memory/1972-9-0x0000000000000000-mapping.dmp

Download
memory/1984-7-0x0000000000000000-mapping.dmp

Download
memory/2036-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads