Analysis
-
max time kernel
40s -
max time network
106s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
08-12-2020 15:35
General
-
Target
a4f301e24371f819fca733a5ff62341f0455ebc14afff6fc7d1dcee736dbe9e5.zloader.dll
-
Size
367KB
-
MD5
f444b7d8129efac76e4d0fd557b2f674
-
SHA1
879270064a5b4834b3828a5cd7ed08537bc04287
-
SHA256
a4f301e24371f819fca733a5ff62341f0455ebc14afff6fc7d1dcee736dbe9e5
-
SHA512
ec46e467f1b42daa02a12b3f5403869cc3298c626beceee5b9c073d576eaa056e442fff829dac79b417d79457f3e0a8668b5aa8d50d722dca18558dce46efe28
Score
10/10
Malware Config
Extracted
Family
zloader
Botnet
nut
Campaign
08/12
C2
https://nature4health.id/wp-punch.php
https://maschuquisaca.tk/wp-punch.php
https://serproimsas.com/wp-punch.php
https://agrospas.co.rs/wp-punch.php
https://fnxcrypto.com/server.php
https://lywakelireal.ga/wp-smarts.php
rc4.plain
rsa_pubkey.plain
Signatures
-
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
-
Blocklisted process makes network request 6 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a4f301e24371f819fca733a5ff62341f0455ebc14afff6fc7d1dcee736dbe9e5.zloader.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a4f301e24371f819fca733a5ff62341f0455ebc14afff6fc7d1dcee736dbe9e5.zloader.dll,#12⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1264-2-0x0000000000000000-mapping.dmp
-
memory/2176-3-0x0000000000570000-0x0000000000596000-memory.dmpFilesize
152KB
-
memory/2176-4-0x0000000000000000-mapping.dmp