zloader | a4711adb921498e7c74af3fd05daaa525f261e7044d457e905dad66767e5b8b4

General

Target

a4711adb921498e7c74af3fd05daaa525f261e7044d457e905dad66767e5b8b4.dll
Size

277KB
MD5

fd0a2b6c6203e4b56d8c73f6323d5d68
SHA1

e87f8d9f7e768f4169355ffda625a80f0e00decb
SHA256

a4711adb921498e7c74af3fd05daaa525f261e7044d457e905dad66767e5b8b4
SHA512

85bc1fd3fba441bbb67d6b75c3f058f2acec396299a012bc0c4ba5c1a5a105c712c54f258a58dc5ef2ef7789a58227d4ce99d14f53ceaf5c3cebdd44fe930c3a

Score

10^/10

zloader nut 30/10 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

nut

Campaign

30/10

C2

https://creditoacumuladoicms.com.br/npnegt.php

https://morgadoent.co.za/fp3jsl.php

https://access-one.us/clkgmw.php

https://amazonuniverse.in/dgxcee.php

https://ntandingsundhosmala.tk/wp-smarts.php

rc4.plain

rsa_pubkey.plain

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1596 created 1260 1596 rundll32.exe Explorer.EXE
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

description	pid	process	target process
PID 1596 created 1260	1596	rundll32.exe	Explorer.EXE

Blacklisted process makes network request 28 IoCs

Processes:

msiexec.exe

flow	pid	process
7	908	msiexec.exe
8	908	msiexec.exe
9	908	msiexec.exe
10	908	msiexec.exe
11	908	msiexec.exe
12	908	msiexec.exe
13	908	msiexec.exe
14	908	msiexec.exe
15	908	msiexec.exe
16	908	msiexec.exe
17	908	msiexec.exe
18	908	msiexec.exe
19	908	msiexec.exe
20	908	msiexec.exe
21	908	msiexec.exe
22	908	msiexec.exe
23	908	msiexec.exe
24	908	msiexec.exe
25	908	msiexec.exe
26	908	msiexec.exe
28	908	msiexec.exe
29	908	msiexec.exe
30	908	msiexec.exe
31	908	msiexec.exe
33	908	msiexec.exe
34	908	msiexec.exe
35	908	msiexec.exe
36	908	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1596 set thread context of 908 1596 rundll32.exe msiexec.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

rundll32.exe

pid process

1596 rundll32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

rundll32.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 1596 rundll32.exe
Token: SeSecurityPrivilege 908 msiexec.exe
Token: SeSecurityPrivilege 908 msiexec.exe

description	pid	process	target process
PID 1596 set thread context of 908	1596	rundll32.exe	msiexec.exe

pid	process
1596	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1596	rundll32.exe
Token: SeSecurityPrivilege	908	msiexec.exe
Token: SeSecurityPrivilege	908	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 344 wrote to memory of 1596	344	rundll32.exe	rundll32.exe
PID 344 wrote to memory of 1596	344	rundll32.exe	rundll32.exe
PID 344 wrote to memory of 1596	344	rundll32.exe	rundll32.exe
PID 344 wrote to memory of 1596	344	rundll32.exe	rundll32.exe
PID 344 wrote to memory of 1596	344	rundll32.exe	rundll32.exe
PID 344 wrote to memory of 1596	344	rundll32.exe	rundll32.exe
PID 344 wrote to memory of 1596	344	rundll32.exe	rundll32.exe
PID 1596 wrote to memory of 908	1596	rundll32.exe	msiexec.exe
PID 1596 wrote to memory of 908	1596	rundll32.exe	msiexec.exe
PID 1596 wrote to memory of 908	1596	rundll32.exe	msiexec.exe
PID 1596 wrote to memory of 908	1596	rundll32.exe	msiexec.exe
PID 1596 wrote to memory of 908	1596	rundll32.exe	msiexec.exe
PID 1596 wrote to memory of 908	1596	rundll32.exe	msiexec.exe
PID 1596 wrote to memory of 908	1596	rundll32.exe	msiexec.exe
PID 1596 wrote to memory of 908	1596	rundll32.exe	msiexec.exe
PID 1596 wrote to memory of 908	1596	rundll32.exe	msiexec.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a4711adb921498e7c74af3fd05daaa525f261e7044d457e905dad66767e5b8b4.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:344

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a4711adb921498e7c74af3fd05daaa525f261e7044d457e905dad66767e5b8b4.dll,#1
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
2⤵
- Blacklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:908

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/908-2-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/908-1-0x0000000000110000-0x0000000000136000-memory.dmp

Filesize
152KB

Download
memory/908-3-0x0000000000110000-0x0000000000136000-memory.dmp

Filesize
152KB

Download
memory/908-4-0x0000000000000000-mapping.dmp

Download
memory/916-5-0x000007FEF7590000-0x000007FEF780A000-memory.dmp

Filesize
2.5MB

Download
memory/1596-0-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing