Analysis
- max time kernel: 72s
- max time network: 111s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 27-11-2020 20:00

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 2020-11-27-ZLoader-DLL-example-02.bin.dll
  Resource: win7v20201028 (windows7_x64), 0 signatures, 0 seconds
General
- Target: 2020-11-27-ZLoader-DLL-example-02.bin.dll
- Size: 285KB
- MD5: a14d7a30ec304ce96f88347b25cbb668
- SHA1: 092a7a2f5509b92adacacb3b9215e2e61ba633fc
- SHA256: b513c6fc32ea4666e3be5c62d50336db003f75de5344450c8e4a2d88b8911c06
- SHA512: 939c778efa7ec498b4b8b3d3e0ef9e1ab2f71845ed9a5513673290240fd0ab88b378e5d0ac682da639c2809a070aa538f8f0da762d8d41e584ea2ef46cc64589
Malware Config
Extracted
- Family: zloader
- Botnet: vek
- Campaign: 27/11
- C2:
  https://hac3r.com/wp-punch.php
  https://womtools.com/wp-punch.php
  https://valitec.co/wp-punch.php
  https://empresascreciendobien.com/server.php
  https://smartat.co/error.php
  https://teamearenttopdiaty.ga/wp-smarts.php
- rc4.plain
- rsa_pubkey.plain
Signatures
- Blacklisted process makes network request (6 IoCs)
  Processes:
  flow  pid   process
  17    4176  msiexec.exe
  19    4176  msiexec.exe
  21    4176  msiexec.exe
  23    4176  msiexec.exe
  25    4176  msiexec.exe
  27    4176  msiexec.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                           pid   process       target process
  PID 4864 set thread context of 4176   4864  regsvr32.exe  msiexec.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description                  pid   process
  Token: SeSecurityPrivilege   4176  msiexec.exe
  Token: SeSecurityPrivilege   4176  msiexec.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description                        pid   process       target process
  PID 4700 wrote to memory of 4864   4700  regsvr32.exe  regsvr32.exe
  PID 4700 wrote to memory of 4864   4700  regsvr32.exe  regsvr32.exe
  PID 4700 wrote to memory of 4864   4700  regsvr32.exe  regsvr32.exe
  PID 4864 wrote to memory of 4176   4864  regsvr32.exe  msiexec.exe
  PID 4864 wrote to memory of 4176   4864  regsvr32.exe  msiexec.exe
  PID 4864 wrote to memory of 4176   4864  regsvr32.exe  msiexec.exe
  PID 4864 wrote to memory of 4176   4864  regsvr32.exe  msiexec.exe
  PID 4864 wrote to memory of 4176   4864  regsvr32.exe  msiexec.exe
Processes
- C:\Windows\system32\regsvr32.exe
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2020-11-27-ZLoader-DLL-example-02.bin.dll
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (child of the above)
    command line: /s C:\Users\Admin\AppData\Local\Temp\2020-11-27-ZLoader-DLL-example-02.bin.dll
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe (child of the above)
      command line: msiexec.exe
      - Blacklisted process makes network request
      - Suspicious use of AdjustPrivilegeToken
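The Signatures and Processes sections together describe one injection chain: the system32 regsvr32 hands the 32-bit DLL to its SysWOW64 counterpart (the normal handoff when a 64-bit regsvr32 is given a 32-bit DLL), and that SysWOW64 regsvr32 (PID 4864) writes into a freshly started msiexec.exe (PID 4176), replaces its thread context, and msiexec.exe then does the network traffic. As an added example (not part of the sandbox report or its tooling), the Python below re-derives that verdict from the report's own events: it parses the WriteProcessMemory, SetThreadContext and network-flow rows, which are reconstructed by hand below from the Signatures section, and flags any process that received both a cross-image memory write and a thread-context change from the same source PID and then opened network flows. The row layout in EVENTS and the rule thresholds are assumptions for illustration, not a Triage export format; the three same-image writes from PID 4700 into PID 4864 are deliberately left unflagged because no SetThreadContext follows and both images are regsvr32.exe.

```python
"""Re-derive the process-hollowing verdict from the report's behavioural events.

Added example; not the sandbox's own code. EVENTS is constructed by hand from
the Signatures section above (PIDs 4700, 4864, 4176); its row layout and the
rule thresholds are assumptions for illustration, not a Triage export format.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed from the report's WriteProcessMemory, SetThreadContext and
# "blacklisted process makes network request" rows, in the report's word order.
EVENTS = """
PID 4700 wrote to memory of 4864 4700 regsvr32.exe regsvr32.exe
PID 4700 wrote to memory of 4864 4700 regsvr32.exe regsvr32.exe
PID 4700 wrote to memory of 4864 4700 regsvr32.exe regsvr32.exe
PID 4864 wrote to memory of 4176 4864 regsvr32.exe msiexec.exe
PID 4864 wrote to memory of 4176 4864 regsvr32.exe msiexec.exe
PID 4864 wrote to memory of 4176 4864 regsvr32.exe msiexec.exe
PID 4864 wrote to memory of 4176 4864 regsvr32.exe msiexec.exe
PID 4864 wrote to memory of 4176 4864 regsvr32.exe msiexec.exe
PID 4864 set thread context of 4176 4864 regsvr32.exe msiexec.exe
flow 17 4176 msiexec.exe
flow 19 4176 msiexec.exe
flow 21 4176 msiexec.exe
flow 23 4176 msiexec.exe
flow 25 4176 msiexec.exe
flow 27 4176 msiexec.exe
"""

# Row columns: description, pid, process, target process (or flow, pid, process).
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)$")
FLOW_RE = re.compile(r"^flow (\d+) (\d+) (\S+)$")


@dataclass
class ProcState:
    image: str = ""
    writes_from: dict = field(default_factory=lambda: defaultdict(int))  # src pid -> count
    ctx_from: set = field(default_factory=set)                           # src pids
    flows: set = field(default_factory=set)                              # network flow ids


def parse_events(text):
    """Fold the event rows into per-PID state: who wrote into whom, who set a
    thread context on whom, and which PIDs opened network flows."""
    procs = defaultdict(ProcState)
    for raw in text.strip().splitlines():
        line = raw.strip()
        if m := WRITE_RE.match(line):
            src, dst, src_img, dst_img = m.groups()
            procs[int(src)].image = src_img
            procs[int(dst)].image = dst_img
            procs[int(dst)].writes_from[int(src)] += 1
        elif m := CTX_RE.match(line):
            src, dst, src_img, dst_img = m.groups()
            procs[int(src)].image = src_img
            procs[int(dst)].image = dst_img
            procs[int(dst)].ctx_from.add(int(src))
        elif m := FLOW_RE.match(line):
            flow, pid, img = m.groups()
            procs[int(pid)].image = img
            procs[int(pid)].flows.add(int(flow))
        else:
            raise ValueError(f"unrecognised event row: {line!r}")
    return procs


def detect_hollowing(procs):
    """Flag targets that received a memory write AND a thread-context change from
    the same source whose image differs from the target's. A same-image
    parent-to-child write with no SetThreadContext (4700 -> 4864 here) is not flagged."""
    findings = []
    for pid, st in sorted(procs.items()):
        for injector in sorted(st.ctx_from):
            writes = st.writes_from.get(injector, 0)
            if writes == 0 or procs[injector].image == st.image:
                continue
            findings.append({
                "target_pid": pid,
                "target_image": st.image,
                "injector_pid": injector,
                "injector_image": procs[injector].image,
                "writes": writes,
                "flows": len(st.flows),
                "verdict": "hollowed, beaconing" if st.flows else "hollowed",
            })
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(parse_events(EVENTS)):
        print(f"{f['injector_image']}({f['injector_pid']}) -> "
              f"{f['target_image']}({f['target_pid']}): {f['writes']} writes, "
              f"{f['flows']} network flows: {f['verdict']}")
```

Run on the report's events this yields exactly one finding, regsvr32.exe (4864) into msiexec.exe (4176) with five writes and six network flows. The cross-image check is what keeps the rule quiet on ordinary parent-to-child launches; if you adapt it to real EDR telemetry, also require the context change to land on the target's initial thread, which a flattened sandbox signature list does not expose.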