Resubmissions
08-12-2023 11:08
231208-m8mdqaba46 1001-11-2020 09:14
201101-da931xqx5x 1001-11-2020 08:59
201101-jwsyvmsbls 10Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
01-11-2020 08:59
General
-
Target
batman1.exe
-
Size
323KB
-
MD5
afdf2fbc0756ed304d1a33083a5f2b0f
-
SHA1
f3a25627f925390097a64a84ef34c952fe8af036
-
SHA256
a947c216ea52ce23457b3babb1e1eb6275cabe2150d3995553e4de4b8c3d97f4
-
SHA512
1c49e53b21c6cebc7a070667aaf05bc89e1a434270208fb61e54c8d74b8f4f3c70c021567d65e1ae024b16bdddb6f89989434075b9a422f2582d82c861b6ccf1
Malware Config
Extracted
zloader
TelegramCrypt
AntiAMSIdoc
http://wmwifbajxxbcxmucxmlc.com/post.php
http://pwkqhdgytsshkoibaake.com/post.php
http://snnmnkxdhflwgthqismb.com/post.php
http://iawfqecrwohcxnhwtofa.com/post.php
http://nlbmfsyplohyaicmxhum.com/post.php
http://fvqlkgedqjiqgapudkgq.com/post.php
http://cmmxhurildiigqghlryq.com/post.php
http://nmqsmbiabjdnuushksas.com/post.php
http://fyratyubvflktyyjiqgq.com/post.php
Signatures
-
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
-
Blacklisted process makes network request 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\batman1.exe"C:\Users\Admin\AppData\Local\Temp\batman1.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe2⤵
- Blacklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4208-2-0x0000000000960000-0x0000000000994000-memory.dmpFilesize
208KB
-
memory/4208-3-0x0000000000000000-mapping.dmp
-
memory/4756-0-0x0000000000759000-0x000000000075A000-memory.dmpFilesize
4KB
-
memory/4756-1-0x0000000002400000-0x0000000002401000-memory.dmpFilesize
4KB