zloader | 47dd6855869ea0ad0cc43dddc110eb54f1b399dedfb337a8b88dead4914ec609

General

Target

EQq5Mu9U.exe.dll
Size

440KB
MD5

7784c1f0ad355b7c60213ce7a6904653
SHA1

17743db7539bd4f95ae98b335c68a6bfc8f6c74e
SHA256

47dd6855869ea0ad0cc43dddc110eb54f1b399dedfb337a8b88dead4914ec609
SHA512

50547a2b94b04bad6b4f0b6cd9437e33c983a5beca6841b5b552de9e84c1a7d7d8c3e39c5a070632f67838deddd9a2a915e1ed29124b6678f7d4ca876f089368

Score

10^/10

zloader nut 02/12 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

nut

Campaign

02/12

C2

https://www.alhasanatbooks.com/reader.php

https://aflim.org.ng/wp-punch.php

https://sardarmohammad.com/reports.php

https://erikarabelo.com.br/server.php

https://thechapelofthehealingcross.org/java.php

https://grebcanualcwilfprofal.ml/wp-smarts.php

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blacklisted process makes network request 53 IoCs

Processes:

msiexec.exe

flow	pid	process
6	612	msiexec.exe
7	612	msiexec.exe
8	612	msiexec.exe
9	612	msiexec.exe
10	612	msiexec.exe
11	612	msiexec.exe
12	612	msiexec.exe
13	612	msiexec.exe
14	612	msiexec.exe
15	612	msiexec.exe
16	612	msiexec.exe
17	612	msiexec.exe
18	612	msiexec.exe
19	612	msiexec.exe
20	612	msiexec.exe
21	612	msiexec.exe
22	612	msiexec.exe
23	612	msiexec.exe
24	612	msiexec.exe
25	612	msiexec.exe
26	612	msiexec.exe
28	612	msiexec.exe
29	612	msiexec.exe
30	612	msiexec.exe
32	612	msiexec.exe
34	612	msiexec.exe
36	612	msiexec.exe
38	612	msiexec.exe
39	612	msiexec.exe
40	612	msiexec.exe
41	612	msiexec.exe
42	612	msiexec.exe
43	612	msiexec.exe
44	612	msiexec.exe
45	612	msiexec.exe
46	612	msiexec.exe
47	612	msiexec.exe
48	612	msiexec.exe
49	612	msiexec.exe
50	612	msiexec.exe
51	612	msiexec.exe
52	612	msiexec.exe
53	612	msiexec.exe
54	612	msiexec.exe
55	612	msiexec.exe
56	612	msiexec.exe
57	612	msiexec.exe
58	612	msiexec.exe
59	612	msiexec.exe
60	612	msiexec.exe
61	612	msiexec.exe
63	612	msiexec.exe
65	612	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1200 set thread context of 612 1200 rundll32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 612 msiexec.exe
Token: SeSecurityPrivilege 612 msiexec.exe

description	pid	process	target process
PID 1200 set thread context of 612	1200	rundll32.exe	msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	612	msiexec.exe
Token: SeSecurityPrivilege	612	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 648 wrote to memory of 1200	648	rundll32.exe	rundll32.exe
PID 648 wrote to memory of 1200	648	rundll32.exe	rundll32.exe
PID 648 wrote to memory of 1200	648	rundll32.exe	rundll32.exe
PID 648 wrote to memory of 1200	648	rundll32.exe	rundll32.exe
PID 648 wrote to memory of 1200	648	rundll32.exe	rundll32.exe
PID 648 wrote to memory of 1200	648	rundll32.exe	rundll32.exe
PID 648 wrote to memory of 1200	648	rundll32.exe	rundll32.exe
PID 1200 wrote to memory of 612	1200	rundll32.exe	msiexec.exe
PID 1200 wrote to memory of 612	1200	rundll32.exe	msiexec.exe
PID 1200 wrote to memory of 612	1200	rundll32.exe	msiexec.exe
PID 1200 wrote to memory of 612	1200	rundll32.exe	msiexec.exe
PID 1200 wrote to memory of 612	1200	rundll32.exe	msiexec.exe
PID 1200 wrote to memory of 612	1200	rundll32.exe	msiexec.exe
PID 1200 wrote to memory of 612	1200	rundll32.exe	msiexec.exe
PID 1200 wrote to memory of 612	1200	rundll32.exe	msiexec.exe
PID 1200 wrote to memory of 612	1200	rundll32.exe	msiexec.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\EQq5Mu9U.exe.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\EQq5Mu9U.exe.dll,#1
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
- Blacklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/612-4-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/612-3-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/612-5-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/612-6-0x0000000000000000-mapping.dmp

Download
memory/1200-2-0x0000000000000000-mapping.dmp

Download
memory/1604-7-0x000007FEF6380000-0x000007FEF65FA000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing