zloader | a50844184119e66e5d3a663be6d2d57d72a6748b6ce2d11974c688c8bc40d710

Resubmissions

02-11-2020 07:00

201102-kdx16rhl5a 10

01-11-2020 18:45

201101-xwtjyyb6hn 1

Analysis

max time kernel
261s
max time network
263s
platform
windows7_x64
resource
win7v20201028
submitted
02-11-2020 07:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd91abd60357f47d4a163df3fc27b795.exe
Size

291KB
MD5

bd91abd60357f47d4a163df3fc27b795
SHA1

7e572733b2ef7266dfdb237c32d73919df6ae298
SHA256

a50844184119e66e5d3a663be6d2d57d72a6748b6ce2d11974c688c8bc40d710
SHA512

4ad41d25cd85d16e5bc932ee68dcb79ed4845e679e7b14f23a32f7a57fc5aa783e0cd2eb7f5b58e7c8918e81f316bcffb7c658efc1d25223576b5383df39e604

Score

10^/10

zloader r1 r1 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

Campaign

https://notsweets.net/LKhwojehDgwegSDG/gateJKjdsh.php

https://olpons.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://karamelliar.org/LKhwojehDgwegSDG/gateJKjdsh.php

https://dogrunn.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://azoraz.net/LKhwojehDgwegSDG/gateJKjdsh.php

rc4.plain

rsa_pubkey.plain

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

bd91abd60357f47d4a163df3fc27b795.exe

description pid process target process

PID 1644 created 1272 1644 bd91abd60357f47d4a163df3fc27b795.exe Explorer.EXE
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Blacklisted process makes network request 3 IoCs

Processes:

msiexec.exe

flow pid process

6 1672 msiexec.exe
8 1672 msiexec.exe
9 1672 msiexec.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

bd91abd60357f47d4a163df3fc27b795.exe

description pid process target process

PID 1644 set thread context of 1672 1644 bd91abd60357f47d4a163df3fc27b795.exe msiexec.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

bd91abd60357f47d4a163df3fc27b795.exe

pid process

1644 bd91abd60357f47d4a163df3fc27b795.exe

description	pid	process	target process
PID 1644 created 1272	1644	bd91abd60357f47d4a163df3fc27b795.exe	Explorer.EXE

flow	pid	process
6	1672	msiexec.exe
8	1672	msiexec.exe
9	1672	msiexec.exe

description	pid	process	target process
PID 1644 set thread context of 1672	1644	bd91abd60357f47d4a163df3fc27b795.exe	msiexec.exe

pid	process
1644	bd91abd60357f47d4a163df3fc27b795.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

bd91abd60357f47d4a163df3fc27b795.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	1644	bd91abd60357f47d4a163df3fc27b795.exe
Token: SeSecurityPrivilege	1672	msiexec.exe
Token: SeSecurityPrivilege	1672	msiexec.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

bd91abd60357f47d4a163df3fc27b795.exe

description	pid	process	target process
PID 1644 wrote to memory of 1672	1644	bd91abd60357f47d4a163df3fc27b795.exe	msiexec.exe
PID 1644 wrote to memory of 1672	1644	bd91abd60357f47d4a163df3fc27b795.exe	msiexec.exe
PID 1644 wrote to memory of 1672	1644	bd91abd60357f47d4a163df3fc27b795.exe	msiexec.exe
PID 1644 wrote to memory of 1672	1644	bd91abd60357f47d4a163df3fc27b795.exe	msiexec.exe
PID 1644 wrote to memory of 1672	1644	bd91abd60357f47d4a163df3fc27b795.exe	msiexec.exe
PID 1644 wrote to memory of 1672	1644	bd91abd60357f47d4a163df3fc27b795.exe	msiexec.exe
PID 1644 wrote to memory of 1672	1644	bd91abd60357f47d4a163df3fc27b795.exe	msiexec.exe
PID 1644 wrote to memory of 1672	1644	bd91abd60357f47d4a163df3fc27b795.exe	msiexec.exe
PID 1644 wrote to memory of 1672	1644	bd91abd60357f47d4a163df3fc27b795.exe	msiexec.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\bd91abd60357f47d4a163df3fc27b795.exe
"C:\Users\Admin\AppData\Local\Temp\bd91abd60357f47d4a163df3fc27b795.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
2⤵
- Blacklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:1672

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Uzuz
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1084-10-0x000007FEF7B10000-0x000007FEF7D8A000-memory.dmp

Filesize
2.5MB

Download
memory/1644-0-0x0000000002479000-0x000000000247A000-memory.dmp

Filesize
4KB

Download
memory/1644-1-0x0000000003C70000-0x0000000003C81000-memory.dmp

Filesize
68KB

Download
memory/1644-2-0x0000000003C70000-0x0000000003C81000-memory.dmp

Filesize
68KB

Download
memory/1672-5-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/1672-6-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1672-7-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/1672-8-0x0000000000000000-mapping.dmp

Download