zloader | a1297a535f5ac9ca22d8c1200098eb01e16860ef3c840457f98000ac6a5087cc

Target

ebook_29.10.20.exe
Size

310KB
MD5

cd1f5e41d727816c6ca5e6c073130df4
SHA1

5d9a72b2b721aa7834d3f3bb07225ce48d4bc3fb
SHA256

a1297a535f5ac9ca22d8c1200098eb01e16860ef3c840457f98000ac6a5087cc
SHA512

4f88ce58d61fa0eb4fc8ad2ce068a3044bcc7f205819cab5c39a998147f034869994c849ee022b487d3708d62167cc766d406e4310d301be1e51b1b1a7f3c588

Score

10^/10

zloader r1 r1 botnet persistence spyware trojan

Malware Config

Extracted

Family

zloader

Botnet

Campaign

https://notsweets.net/LKhwojehDgwegSDG/gateJKjdsh.php

https://olpons.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://karamelliar.org/LKhwojehDgwegSDG/gateJKjdsh.php

https://dogrunn.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://azoraz.net/LKhwojehDgwegSDG/gateJKjdsh.php

rc4.plain

rsa_pubkey.plain

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1032 created 1216	1032	ebook_29.10.20.exe	21

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blacklisted process makes network request 36 IoCs

flow	pid	Process
6	1544	msiexec.exe
8	1544	msiexec.exe
9	1544	msiexec.exe
10	1544	msiexec.exe
11	1544	msiexec.exe
12	1544	msiexec.exe
13	1544	msiexec.exe
14	1544	msiexec.exe
15	1544	msiexec.exe
16	1544	msiexec.exe
17	1544	msiexec.exe
18	1544	msiexec.exe
19	1544	msiexec.exe
20	1544	msiexec.exe
21	1544	msiexec.exe
22	1544	msiexec.exe
23	1544	msiexec.exe
24	1544	msiexec.exe
25	1544	msiexec.exe
26	1544	msiexec.exe
27	1544	msiexec.exe
29	1544	msiexec.exe
30	1544	msiexec.exe
31	1544	msiexec.exe
32	1544	msiexec.exe
33	1544	msiexec.exe
34	1544	msiexec.exe
35	1544	msiexec.exe
36	1544	msiexec.exe
37	1544	msiexec.exe
38	1544	msiexec.exe
39	1544	msiexec.exe
40	1544	msiexec.exe
42	1544	msiexec.exe
43	1544	msiexec.exe
44	1544	msiexec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Modifies service 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	ipconfig.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	ipconfig.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1032 set thread context of 1544	1032	ebook_29.10.20.exe	29

Discovers systems in the same network 1 TTPs 2 IoCs

discovery

Remote System Discovery

T1018

pid	Process
1344	net.exe
1656	net.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1744	ipconfig.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1032	ebook_29.10.20.exe
1544	msiexec.exe
1544	msiexec.exe
1544	msiexec.exe
1544	msiexec.exe
1544	msiexec.exe
1544	msiexec.exe
1544	msiexec.exe
1544	msiexec.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1032	ebook_29.10.20.exe
Token: SeSecurityPrivilege	1544	msiexec.exe
Token: SeSecurityPrivilege	1544	msiexec.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 1544	1032	ebook_29.10.20.exe	29
PID 1032 wrote to memory of 1544	1032	ebook_29.10.20.exe	29
PID 1032 wrote to memory of 1544	1032	ebook_29.10.20.exe	29
PID 1032 wrote to memory of 1544	1032	ebook_29.10.20.exe	29
PID 1032 wrote to memory of 1544	1032	ebook_29.10.20.exe	29
PID 1032 wrote to memory of 1544	1032	ebook_29.10.20.exe	29
PID 1032 wrote to memory of 1544	1032	ebook_29.10.20.exe	29
PID 1032 wrote to memory of 1544	1032	ebook_29.10.20.exe	29
PID 1032 wrote to memory of 1544	1032	ebook_29.10.20.exe	29
PID 1544 wrote to memory of 1380	1544	msiexec.exe	32
PID 1544 wrote to memory of 1380	1544	msiexec.exe	32
PID 1544 wrote to memory of 1380	1544	msiexec.exe	32
PID 1544 wrote to memory of 1380	1544	msiexec.exe	32
PID 1380 wrote to memory of 1744	1380	cmd.exe	34
PID 1380 wrote to memory of 1744	1380	cmd.exe	34
PID 1380 wrote to memory of 1744	1380	cmd.exe	34
PID 1380 wrote to memory of 1744	1380	cmd.exe	34
PID 1544 wrote to memory of 2020	1544	msiexec.exe	35
PID 1544 wrote to memory of 2020	1544	msiexec.exe	35
PID 1544 wrote to memory of 2020	1544	msiexec.exe	35
PID 1544 wrote to memory of 2020	1544	msiexec.exe	35
PID 2020 wrote to memory of 1884	2020	cmd.exe	37
PID 2020 wrote to memory of 1884	2020	cmd.exe	37
PID 2020 wrote to memory of 1884	2020	cmd.exe	37
PID 2020 wrote to memory of 1884	2020	cmd.exe	37
PID 1884 wrote to memory of 2000	1884	net.exe	38
PID 1884 wrote to memory of 2000	1884	net.exe	38
PID 1884 wrote to memory of 2000	1884	net.exe	38
PID 1884 wrote to memory of 2000	1884	net.exe	38
PID 1544 wrote to memory of 604	1544	msiexec.exe	39
PID 1544 wrote to memory of 604	1544	msiexec.exe	39
PID 1544 wrote to memory of 604	1544	msiexec.exe	39
PID 1544 wrote to memory of 604	1544	msiexec.exe	39
PID 604 wrote to memory of 1344	604	cmd.exe	41
PID 604 wrote to memory of 1344	604	cmd.exe	41
PID 604 wrote to memory of 1344	604	cmd.exe	41
PID 604 wrote to memory of 1344	604	cmd.exe	41
PID 1544 wrote to memory of 1832	1544	msiexec.exe	42
PID 1544 wrote to memory of 1832	1544	msiexec.exe	42
PID 1544 wrote to memory of 1832	1544	msiexec.exe	42
PID 1544 wrote to memory of 1832	1544	msiexec.exe	42
PID 1832 wrote to memory of 1656	1832	cmd.exe	44
PID 1832 wrote to memory of 1656	1832	cmd.exe	44
PID 1832 wrote to memory of 1656	1832	cmd.exe	44
PID 1832 wrote to memory of 1656	1832	cmd.exe	44

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\ebook_29.10.20.exe
  "C:\Users\Admin\AppData\Local\Temp\ebook_29.10.20.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1032
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe
  2⤵
  - Blacklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c ipconfig /all
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1380
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      Modifies service
      Gathers network information
      PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net config workstation
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Windows\SysWOW64\net.exe
      net config workstation
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1884
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 config workstation
        5⤵
        
        PID:2000
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net view /all
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:604
  - - C:\Windows\SysWOW64\net.exe
      net view /all
      4⤵
      Discovers systems in the same network
      PID:1344
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net view /all /domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1832
  - - C:\Windows\SysWOW64\net.exe
      net view /all /domain
      4⤵
      Discovers systems in the same network
      PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1032-1-0x0000000001F20000-0x0000000001F31000-memory.dmp

Filesize
68KB

Download
memory/1032-2-0x0000000001F20000-0x0000000001F31000-memory.dmp

Filesize
68KB

Download
memory/1032-0-0x000000000030B000-0x000000000030C000-memory.dmp

Filesize
4KB

Download
memory/1484-10-0x000007FEF71F0000-0x000007FEF746A000-memory.dmp

Filesize
2.5MB

Download
memory/1544-5-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/1544-7-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/1544-6-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1544-20-0x00000000055C0000-0x000000000579B000-memory.dmp

Filesize
1.9MB

Download