zloader | ce742b08116021dcf036bd218757a750e37d604e20e55a4e44389ce96e63181e

General

Target

wzBZ2Soy.tmp.exe
Size

124KB
MD5

6c991d5affa2459d95081b49d637443f
SHA1

c367ad2377fedc2c4673a90bb43f627e2c6a8c65
SHA256

ce742b08116021dcf036bd218757a750e37d604e20e55a4e44389ce96e63181e
SHA512

38ad3fd7da004d6b648decc9da6cd2926e1555f4eecf901b7ccc5ff4111086d55a5878107859f30f78ad7f5a73f98d9cc696a399b26986b960e8b1ef35116b32

Score

10^/10

ransomware trojan botnet zloader spyware persistence discovery stealer raccoon backdoor smokeloader

Malware Config

Extracted

Path

C:\Users\Admin\AppData\LocalLow\machineinfo.txt

Family

raccoon

Ransom Note

[Raccoon Stealer] - v1.5.13-af-hotfix Release Build compiled on Mon Jul 6 14:33:03 2020 Launched at: 2020.09.17 - 05:10:01 GMT Bot_ID: 18823CA4-5761-4226-8787-CF36135F1C68_Admin Running on a desktop =R=A=C=C=O=O=N= - Cookies: 0 - Passwords: 5 - Files: 0 System Information: - System Language: English - System TimeZone: -0 hrs - IP: 154.61.71.13 - Location: 37.750999, -97.821999 | ?, ?, United States (?) - ComputerName: LZUKLIOU - Username: Admin - Windows version: NT 10.0 - Product name: Windows 10 Pro - System arch: x64 - CPU: Persocon Processor 2.5+ (2 cores) - RAM: 4095 MB (713 MB used) - Screen resolution: 1280x720 - Display devices: 0) Microsoft Basic Display Adapter ============

Extracted

Family

smokeloader

Version

2020

C2

http://dkajsdjiqwdwnfj.info/

http://2831ujedkdajsdj.info/

http://928eijdksasnfss.info/

https://dkajsdjiqwdwnfj.info/

https://2831ujedkdajsdj.info/

https://928eijdksasnfss.info/

rc4.i32

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Raccoon log file 1 IoCs
Detects a log file produced by the Raccoon Stealer.

Processes:

yara_rule

raccoon_log_file
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Blacklisted process makes network request 2 IoCs

Processes:

msiexec.exe

flow pid process

32 2884 msiexec.exe
33 2884 msiexec.exe
Executes dropped EXE 3 IoCs

Processes:

9D4F.exe9E2B.exevvbwvbj

pid process

2264 9D4F.exe
2444 9E2B.exe
2308 vvbwvbj
Deletes itself 1 IoCs

Processes:

pid process

2996
Loads dropped DLL 8 IoCs

Processes:

wzBZ2Soy.tmp.exe9D4F.exevvbwvbj

pid process

3888 wzBZ2Soy.tmp.exe
2264 9D4F.exe
2264 9D4F.exe
2264 9D4F.exe
2264 9D4F.exe
2264 9D4F.exe
2264 9D4F.exe
2308 vvbwvbj
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

yara_rule
raccoon_log_file

flow	pid	process
32	2884	msiexec.exe
33	2884	msiexec.exe

pid	process
2264	9D4F.exe
2444	9E2B.exe
2308	vvbwvbj

pid	process
2996

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ybzyi = "C:\\Users\\Admin\\AppData\\Roaming\\Evneq\\ihyte.exe"	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

JavaScript code in executable 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll	js

Suspicious use of SetThreadContext 1 IoCs

Processes:

9E2B.exe

description pid process target process

PID 2444 set thread context of 2884 2444 9E2B.exe msiexec.exe

description	pid	process	target process
PID 2444 set thread context of 2884	2444	9E2B.exe	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

wzBZ2Soy.tmp.exevvbwvbj

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wzBZ2Soy.tmp.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wzBZ2Soy.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vvbwvbj
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vvbwvbj
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vvbwvbj
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wzBZ2Soy.tmp.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1920 timeout.exe

pid	process
1920	timeout.exe

Suspicious behavior: EnumeratesProcesses 4308 IoCs

Processes:

wzBZ2Soy.tmp.exe

pid	process
3888	wzBZ2Soy.tmp.exe
3888	wzBZ2Soy.tmp.exe
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

wzBZ2Soy.tmp.exevvbwvbj

pid process

3888 wzBZ2Soy.tmp.exe
2308 vvbwvbj
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 2884 msiexec.exe
Token: SeSecurityPrivilege 2884 msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	2884	msiexec.exe
Token: SeSecurityPrivilege	2884	msiexec.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

9D4F.execmd.exe9E2B.exe

description	pid	process	target process
PID 2996 wrote to memory of 2264	2996		9D4F.exe
PID 2996 wrote to memory of 2264	2996		9D4F.exe
PID 2996 wrote to memory of 2264	2996		9D4F.exe
PID 2996 wrote to memory of 2444	2996		9E2B.exe
PID 2996 wrote to memory of 2444	2996		9E2B.exe
PID 2996 wrote to memory of 2444	2996		9E2B.exe
PID 2264 wrote to memory of 200	2264	9D4F.exe	cmd.exe
PID 2264 wrote to memory of 200	2264	9D4F.exe	cmd.exe
PID 2264 wrote to memory of 200	2264	9D4F.exe	cmd.exe
PID 200 wrote to memory of 1920	200	cmd.exe	timeout.exe
PID 200 wrote to memory of 1920	200	cmd.exe	timeout.exe
PID 200 wrote to memory of 1920	200	cmd.exe	timeout.exe
PID 2444 wrote to memory of 2884	2444	9E2B.exe	msiexec.exe
PID 2444 wrote to memory of 2884	2444	9E2B.exe	msiexec.exe
PID 2444 wrote to memory of 2884	2444	9E2B.exe	msiexec.exe
PID 2444 wrote to memory of 2884	2444	9E2B.exe	msiexec.exe
PID 2444 wrote to memory of 2884	2444	9E2B.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\wzBZ2Soy.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\wzBZ2Soy.tmp.exe"
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3888

C:\Users\Admin\AppData\Local\Temp\9D4F.exe
C:\Users\Admin\AppData\Local\Temp\9D4F.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\9D4F.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:200
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:1920

C:\Users\Admin\AppData\Local\Temp\9E2B.exe
C:\Users\Admin\AppData\Local\Temp\9E2B.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe
  2⤵
  - Blacklisted process makes network request
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2884

C:\Users\Admin\AppData\Roaming\vvbwvbj
C:\Users\Admin\AppData\Roaming\vvbwvbj
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\210A.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\9D4F.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\9D4F.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E2B.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E2B.exe

Download Submit
C:\Users\Admin\AppData\Roaming\vvbwvbj

Download Submit
C:\Users\Admin\AppData\Roaming\vvbwvbj

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\mozglue.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\softokn3.dll

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\210A.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\210A.tmp

Download Submit
memory/200-23-0x0000000000000000-mapping.dmp

Download
memory/1920-24-0x0000000000000000-mapping.dmp

Download
memory/2264-11-0x0000000007D00000-0x0000000007D01000-memory.dmp

Filesize
4KB

Download
memory/2264-12-0x0000000007D00000-0x0000000007D8F000-memory.dmp

Filesize
572KB

Download
memory/2264-4-0x0000000000000000-mapping.dmp

Download
memory/2308-26-0x0000000007D10000-0x0000000007D11000-memory.dmp

Filesize
4KB

Download
memory/2308-25-0x0000000006268000-0x0000000006269000-memory.dmp

Filesize
4KB

Download
memory/2444-14-0x0000000007E80000-0x0000000007E81000-memory.dmp

Filesize
4KB

Download
memory/2444-13-0x0000000006088000-0x0000000006089000-memory.dmp

Filesize
4KB

Download
memory/2444-7-0x0000000000000000-mapping.dmp

Download
memory/2884-30-0x0000000000790000-0x00000000007BC000-memory.dmp

Filesize
176KB

Download
memory/2884-31-0x0000000000000000-mapping.dmp

Download
memory/2996-3-0x0000000000900000-0x0000000000916000-memory.dmp

Filesize
88KB

Download
memory/2996-29-0x0000000000940000-0x0000000000956000-memory.dmp

Filesize
88KB

Download
memory/3888-1-0x0000000007F20000-0x0000000007F21000-memory.dmp

Filesize
4KB

Download
memory/3888-0-0x0000000006019000-0x000000000601A000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads