zloader | 6593fa326b8eb0b737a17889c50c539ac45f2f9215fdab50ffa62df1be7ec2d1

General

Target

s.dll
Size

1.0MB
MD5

ff1ad63517df53adaefcbeecf71311a1
SHA1

69e3f9bbbf147d317da8bd59de3cdb3ca9043c6d
SHA256

6593fa326b8eb0b737a17889c50c539ac45f2f9215fdab50ffa62df1be7ec2d1
SHA512

f6de532a3fdb91dcfacd11442f80876037f4d6d0a382ac891ef0b03e5131596b7d3554d04d55d0d4f71a8990b2298da7bd344804f422e7cb909a981f83e7bc52

Score

10^/10

zloader miguel 14/05 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

miguel

Campaign

14/05

C2

https://kickapoochiefsfootball.com/wp-parser.php

https://appsbispo.tk/wp-parser.php

http://staging4.allemny.net/wp-parser.php

https://dinghaomcc.com/wp-parser.php

https://bondarenkopjatk.ru/wp-parser.php

http://euromix.com.ua/wp-parser.php

rc4.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Blacklisted process makes network request 8 IoCs

Processes:

msiexec.exe

flow pid process

6 536 msiexec.exe
8 536 msiexec.exe
9 536 msiexec.exe
11 536 msiexec.exe
19 536 msiexec.exe
21 536 msiexec.exe
23 536 msiexec.exe
24 536 msiexec.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 1332 set thread context of 536 1332 regsvr32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 536 msiexec.exe
Token: SeSecurityPrivilege 536 msiexec.exe

flow	pid	process
6	536	msiexec.exe
8	536	msiexec.exe
9	536	msiexec.exe
11	536	msiexec.exe
19	536	msiexec.exe
21	536	msiexec.exe
23	536	msiexec.exe
24	536	msiexec.exe

description	pid	process	target process
PID 1332 set thread context of 536	1332	regsvr32.exe	msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	536	msiexec.exe
Token: SeSecurityPrivilege	536	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1032 wrote to memory of 1332	1032	regsvr32.exe	regsvr32.exe
PID 1032 wrote to memory of 1332	1032	regsvr32.exe	regsvr32.exe
PID 1032 wrote to memory of 1332	1032	regsvr32.exe	regsvr32.exe
PID 1032 wrote to memory of 1332	1032	regsvr32.exe	regsvr32.exe
PID 1032 wrote to memory of 1332	1032	regsvr32.exe	regsvr32.exe
PID 1032 wrote to memory of 1332	1032	regsvr32.exe	regsvr32.exe
PID 1032 wrote to memory of 1332	1032	regsvr32.exe	regsvr32.exe
PID 1332 wrote to memory of 536	1332	regsvr32.exe	msiexec.exe
PID 1332 wrote to memory of 536	1332	regsvr32.exe	msiexec.exe
PID 1332 wrote to memory of 536	1332	regsvr32.exe	msiexec.exe
PID 1332 wrote to memory of 536	1332	regsvr32.exe	msiexec.exe
PID 1332 wrote to memory of 536	1332	regsvr32.exe	msiexec.exe
PID 1332 wrote to memory of 536	1332	regsvr32.exe	msiexec.exe
PID 1332 wrote to memory of 536	1332	regsvr32.exe	msiexec.exe
PID 1332 wrote to memory of 536	1332	regsvr32.exe	msiexec.exe
PID 1332 wrote to memory of 536	1332	regsvr32.exe	msiexec.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\s.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\s.dll
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
- Blacklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:536

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/536-2-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/536-1-0x0000000000090000-0x00000000000C5000-memory.dmp

Filesize
212KB

Download
memory/536-4-0x0000000000000000-mapping.dmp

Download
memory/536-3-0x0000000000090000-0x00000000000C5000-memory.dmp

Filesize
212KB

Download
memory/1052-5-0x000007FEF6380000-0x000007FEF65FA000-memory.dmp

Filesize
2.5MB

Download
memory/1332-0-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing