zloader | 550187abd3b47d3796a1811dc016c935069ac631996de7cd428ae986b39b2107

General

Target

XRqW4.exe.dll
Size

320KB
MD5

7ebb3ae8efec620294fdfa3e99da78ea
SHA1

a545d8cd080a7237465ba3c63f8119d03369e005
SHA256

550187abd3b47d3796a1811dc016c935069ac631996de7cd428ae986b39b2107
SHA512

aa5ee27c3f3b55beefdda9103b9b548af9f04b41535b9e74379c3c8ed5904519766de4321a995047a63d958dafc20f82607b09678cf09f1b24ca29bec5facb0c

Score

10^/10

zloader nut 27/11 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

nut

Campaign

27/11

C2

https://hac3r.com/wp-punch.php

https://womtools.com/wp-punch.php

https://valitec.co/wp-punch.php

https://empresascreciendobien.com/server.php

https://smartat.co/error.php

https://teamearenttopdiaty.ga/wp-smarts.php

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Blacklisted process makes network request 6 IoCs

Processes:

msiexec.exe

flow pid process

7 1704 msiexec.exe
9 1704 msiexec.exe
11 1704 msiexec.exe
13 1704 msiexec.exe
15 1704 msiexec.exe
17 1704 msiexec.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 1844 set thread context of 1704 1844 regsvr32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 1704 msiexec.exe
Token: SeSecurityPrivilege 1704 msiexec.exe

flow	pid	process
7	1704	msiexec.exe
9	1704	msiexec.exe
11	1704	msiexec.exe
13	1704	msiexec.exe
15	1704	msiexec.exe
17	1704	msiexec.exe

description	pid	process	target process
PID 1844 set thread context of 1704	1844	regsvr32.exe	msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	1704	msiexec.exe
Token: SeSecurityPrivilege	1704	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1036 wrote to memory of 1844	1036	regsvr32.exe	regsvr32.exe
PID 1036 wrote to memory of 1844	1036	regsvr32.exe	regsvr32.exe
PID 1036 wrote to memory of 1844	1036	regsvr32.exe	regsvr32.exe
PID 1036 wrote to memory of 1844	1036	regsvr32.exe	regsvr32.exe
PID 1036 wrote to memory of 1844	1036	regsvr32.exe	regsvr32.exe
PID 1036 wrote to memory of 1844	1036	regsvr32.exe	regsvr32.exe
PID 1036 wrote to memory of 1844	1036	regsvr32.exe	regsvr32.exe
PID 1844 wrote to memory of 1704	1844	regsvr32.exe	msiexec.exe
PID 1844 wrote to memory of 1704	1844	regsvr32.exe	msiexec.exe
PID 1844 wrote to memory of 1704	1844	regsvr32.exe	msiexec.exe
PID 1844 wrote to memory of 1704	1844	regsvr32.exe	msiexec.exe
PID 1844 wrote to memory of 1704	1844	regsvr32.exe	msiexec.exe
PID 1844 wrote to memory of 1704	1844	regsvr32.exe	msiexec.exe
PID 1844 wrote to memory of 1704	1844	regsvr32.exe	msiexec.exe
PID 1844 wrote to memory of 1704	1844	regsvr32.exe	msiexec.exe
PID 1844 wrote to memory of 1704	1844	regsvr32.exe	msiexec.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\XRqW4.exe.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\XRqW4.exe.dll
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
- Blacklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:1704

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/288-7-0x000007FEF7880000-0x000007FEF7AFA000-memory.dmp

Filesize
2.5MB

Download
memory/1704-3-0x00000000000D0000-0x00000000000F6000-memory.dmp

Filesize
152KB

Download
memory/1704-4-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1704-5-0x00000000000D0000-0x00000000000F6000-memory.dmp

Filesize
152KB

Download
memory/1704-6-0x0000000000000000-mapping.dmp

Download
memory/1844-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing