Overview

overview

10

Static

static

spam20.dll

windows7_x64

10

spam20.dll

windows10_x64

10

Resubmissions

08-12-2023 11:29

231208-nlsgwsbd65 10

08-12-2023 11:20

231208-nfveasbc54 10

31-10-2020 11:20

201031-z3tgqqzt76 10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    31-10-2020 11:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    spam20.dll

  • Size

    358KB

  • MD5

    6501006a6d47bc73976db9f3385c3c46

  • SHA1

    53082a7fa62dc4fe54586df6a6e481fe8beca1aa

  • SHA256

    c55e3938e9c2c9d00235d8ed87a55adc18fa1c6377a9ee0fd6212916c67d0020

  • SHA512

    df63e60f12d153e16b78464162dbd5d052192a1e09814eb91e21d28256a652ae04eb7ccdaf4022c95c9779edfbe15df7a708717a1c247cfe2d16e8d9f911bf0c

Score
10/10
zloadercrypto1cryptobotnettrojan

Malware Config

Extracted

Family

zloader

Botnet

crypto1

Campaign

crypto

C2

http://wmwifbajxxbcxmucxmlc.com/post.php

http://ojnxjgfjlftfkkuxxiqd.com/post.php

http://pwkqhdgytsshkoibaake.com/post.php

http://snnmnkxdhflwgthqismb.com/post.php

http://iawfqecrwohcxnhwtofa.com/post.php

http://nlbmfsyplohyaicmxhum.com/post.php

http://fvqlkgedqjiqgapudkgq.com/post.php

http://cmmxhurildiigqghlryq.com/post.php

http://nmqsmbiabjdnuushksas.com/post.php

http://fyratyubvflktyyjiqgq.com/post.php
rc4.plain

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • Blacklisted process makes network request 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\spam20.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3988
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\spam20.dll,#1
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3540
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe
        3⤵
        • Blacklisted process makes network request
        • Suspicious use of AdjustPrivilegeToken
        PID:3912

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3912-1-0x0000000000CB0000-0x0000000000CE4000-memory.dmp

    Filesize

    208KB

    Download