Overview

overview

10

Static

static

2020-11-27...in.dll

windows7_x64

10

2020-11-27...in.dll

windows10_x64

10

Analysis

  • max time kernel
    72s
  • max time network
    111s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    27-11-2020 20:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2020-11-27-ZLoader-DLL-example-02.bin.dll

  • Size

    285KB

  • MD5

    a14d7a30ec304ce96f88347b25cbb668

  • SHA1

    092a7a2f5509b92adacacb3b9215e2e61ba633fc

  • SHA256

    b513c6fc32ea4666e3be5c62d50336db003f75de5344450c8e4a2d88b8911c06

  • SHA512

    939c778efa7ec498b4b8b3d3e0ef9e1ab2f71845ed9a5513673290240fd0ab88b378e5d0ac682da639c2809a070aa538f8f0da762d8d41e584ea2ef46cc64589

Score
10/10
zloadervek27/11botnettrojan

Malware Config

Extracted

Family

zloader

Botnet

vek

Campaign

27/11

C2

https://hac3r.com/wp-punch.php

https://womtools.com/wp-punch.php

https://valitec.co/wp-punch.php

https://empresascreciendobien.com/server.php

https://smartat.co/error.php

https://teamearenttopdiaty.ga/wp-smarts.php
rc4.plain
rsa_pubkey.plain

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • Blacklisted process makes network request 6 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2020-11-27-ZLoader-DLL-example-02.bin.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4700
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\2020-11-27-ZLoader-DLL-example-02.bin.dll
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4864
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe
        3⤵
        • Blacklisted process makes network request
        • Suspicious use of AdjustPrivilegeToken
        PID:4176

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4176-3-0x00000000005D0000-0x00000000005F6000-memory.dmp
    Filesize

    152KB

    Download
  • memory/4176-4-0x0000000000000000-mapping.dmp
    Download
  • memory/4864-2-0x0000000000000000-mapping.dmp
    Download