Overview

overview

10

Static

static

n4.exe

windows7_x64

10

n4.exe

windows10_x64

10

Resubmissions

04-08-2023 09:59

230804-lz5y2aad94 10

03-08-2023 16:52

230803-vdwb5sfh5t 10

06-11-2020 00:36

201106-mvjrspwr32 10

Analysis

  • max time kernel
    44s
  • max time network
    103s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    06-11-2020 00:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    n4.exe

  • Size

    285KB

  • MD5

    bcdae9f51c056a8bdfda1ab7dd9291f9

  • SHA1

    e25e061296177376ffb63a8679dab6294609d436

  • SHA256

    d0bef870592d1095d72178c27b2ce81dc94163aa30fa0742d6d428a1485ae459

  • SHA512

    06e2843889fdc5106af1e92047f14b49c01b1d6601225083f370fee355d58d7ea1d180ade81fde03d10b752fba0a4096193edfae5360473af5dcd930b67109b9

Score
10/10
zloaderr2r2botnettrojan

Malware Config

Extracted

Family

zloader

Botnet

r2

Campaign

r2

C2

https://notsweets.net/LKhwojehDgwegSDG/gateJKjdsh.php

https://olpons.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://karamelliar.org/LKhwojehDgwegSDG/gateJKjdsh.php

https://dogrunn.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://azoraz.net/LKhwojehDgwegSDG/gateJKjdsh.php
rc4.plain
rsa_pubkey.plain

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • Blacklisted process makes network request 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1220
      • C:\Users\Admin\AppData\Local\Temp\n4.exe
        "C:\Users\Admin\AppData\Local\Temp\n4.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:288
        • C:\Users\Admin\AppData\Local\Temp\n4.exe
          "C:\Users\Admin\AppData\Local\Temp\n4.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1704
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe
        2⤵
        • Blacklisted process makes network request
        • Suspicious use of AdjustPrivilegeToken
        PID:1236

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/288-0-0x000000000026C000-0x000000000026D000-memory.dmp
      Filesize

      4KB

      Download
    • memory/288-1-0x0000000002010000-0x0000000002021000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1236-6-0x0000000000090000-0x0000000000091000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1236-5-0x00000000000E0000-0x0000000000106000-memory.dmp
      Filesize

      152KB

      Download
    • memory/1236-7-0x00000000000E0000-0x0000000000106000-memory.dmp
      Filesize

      152KB

      Download
    • memory/1236-8-0x0000000000000000-mapping.dmp
      Download
    • memory/1368-9-0x000007FEF7140000-0x000007FEF73BA000-memory.dmp
      Filesize

      2.5MB

      Download
    • memory/1704-2-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

      Download
    • memory/1704-3-0x000000000040FAE0-mapping.dmp
      Download
    • memory/1704-4-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

      Download