zloader | 19614f57ed86b1305c8e00443ee49f751a62b19df9f1a72f326d939b0fd69e66

Target

batman1.exe
Size

323KB
MD5

afdf2fbc0756ed304d1a33083a5f2b0f
SHA1

f3a25627f925390097a64a84ef34c952fe8af036
SHA256

a947c216ea52ce23457b3babb1e1eb6275cabe2150d3995553e4de4b8c3d97f4
SHA512

1c49e53b21c6cebc7a070667aaf05bc89e1a434270208fb61e54c8d74b8f4f3c70c021567d65e1ae024b16bdddb6f89989434075b9a422f2582d82c861b6ccf1

Score

10^/10

zloader telegramcrypt antiamsidoc botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

TelegramCrypt

Campaign

AntiAMSIdoc

http://wmwifbajxxbcxmucxmlc.com/post.php

http://pwkqhdgytsshkoibaake.com/post.php

http://snnmnkxdhflwgthqismb.com/post.php

http://iawfqecrwohcxnhwtofa.com/post.php

http://nlbmfsyplohyaicmxhum.com/post.php

http://fvqlkgedqjiqgapudkgq.com/post.php

http://cmmxhurildiigqghlryq.com/post.php

http://nmqsmbiabjdnuushksas.com/post.php

http://fyratyubvflktyyjiqgq.com/post.php

rc4.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blacklisted process makes network request 31 IoCs

flow	pid	Process
9	1448	msiexec.exe
18	1448	msiexec.exe
19	1448	msiexec.exe
20	1448	msiexec.exe
21	1448	msiexec.exe
22	1448	msiexec.exe
23	1448	msiexec.exe
31	1448	msiexec.exe
32	1448	msiexec.exe
33	1448	msiexec.exe
34	1448	msiexec.exe
35	1448	msiexec.exe
36	1448	msiexec.exe
38	1448	msiexec.exe
39	1448	msiexec.exe
40	1448	msiexec.exe
41	1448	msiexec.exe
42	1448	msiexec.exe
43	1448	msiexec.exe
46	1448	msiexec.exe
47	1448	msiexec.exe
48	1448	msiexec.exe
49	1448	msiexec.exe
50	1448	msiexec.exe
51	1448	msiexec.exe
53	1448	msiexec.exe
60	1448	msiexec.exe
61	1448	msiexec.exe
62	1448	msiexec.exe
63	1448	msiexec.exe
64	1448	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 288 set thread context of 1448	288	batman1.exe	29

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1448	msiexec.exe
Token: SeSecurityPrivilege	1448	msiexec.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 288 wrote to memory of 1448	288	batman1.exe	29
PID 288 wrote to memory of 1448	288	batman1.exe	29
PID 288 wrote to memory of 1448	288	batman1.exe	29
PID 288 wrote to memory of 1448	288	batman1.exe	29
PID 288 wrote to memory of 1448	288	batman1.exe	29
PID 288 wrote to memory of 1448	288	batman1.exe	29
PID 288 wrote to memory of 1448	288	batman1.exe	29
PID 288 wrote to memory of 1448	288	batman1.exe	29
PID 288 wrote to memory of 1448	288	batman1.exe	29

C:\Users\Admin\AppData\Local\Temp\batman1.exe
"C:\Users\Admin\AppData\Local\Temp\batman1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:288
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe
  2⤵
  - Blacklisted process makes network request
  - Suspicious use of AdjustPrivilegeToken
  PID:1448

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/288-0-0x00000000002CB000-0x00000000002CC000-memory.dmp

Filesize
4KB

Download
memory/288-1-0x0000000001E60000-0x0000000001E71000-memory.dmp

Filesize
68KB

Download
memory/288-2-0x0000000001E60000-0x0000000001E71000-memory.dmp

Filesize
68KB

Download
memory/1448-5-0x0000000000110000-0x0000000000144000-memory.dmp

Filesize
208KB

Download
memory/1448-6-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1448-7-0x0000000000110000-0x0000000000144000-memory.dmp

Filesize
208KB

Download
memory/1592-9-0x000007FEF7510000-0x000007FEF778A000-memory.dmp

Filesize
2.5MB

Download

Resubmissions

Analysis

Sharing

General