zloader | 9081546b7e05805a5496bfcee49b3c736cb55b49e467529c7d7ac60781b29880

General

Target

n1.bin.exe
Size

282KB
MD5

3b0c5d532922be20ae151490e7109c60
SHA1

4c3ba395594a5117d468084330902739ca08de0e
SHA256

9081546b7e05805a5496bfcee49b3c736cb55b49e467529c7d7ac60781b29880
SHA512

6a724591ee57cbc2ce9351ac556e666040f8ba6bcd37112b960a4fc0a16b493a7b94b0e70f9efe1a1d53597ec8a0a5ef08bbfc91ef4ace776f1df0f8c1555f4e

Score

10^/10

zloader r2 r2 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

r2

Campaign

r2

C2

https://notsweets.net/LKhwojehDgwegSDG/gateJKjdsh.php

https://olpons.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://karamelliar.org/LKhwojehDgwegSDG/gateJKjdsh.php

https://dogrunn.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://azoraz.net/LKhwojehDgwegSDG/gateJKjdsh.php

rc4.plain

rsa_pubkey.plain

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

n1.bin.exe

description pid process target process

PID 1048 created 1216 1048 n1.bin.exe Explorer.EXE
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

description	pid	process	target process
PID 1048 created 1216	1048	n1.bin.exe	Explorer.EXE

Blocklisted process makes network request 57 IoCs

Processes:

msiexec.exe

flow	pid	process
6	1520	msiexec.exe
7	1520	msiexec.exe
8	1520	msiexec.exe
9	1520	msiexec.exe
10	1520	msiexec.exe
11	1520	msiexec.exe
12	1520	msiexec.exe
13	1520	msiexec.exe
14	1520	msiexec.exe
15	1520	msiexec.exe
16	1520	msiexec.exe
17	1520	msiexec.exe
18	1520	msiexec.exe
19	1520	msiexec.exe
20	1520	msiexec.exe
21	1520	msiexec.exe
22	1520	msiexec.exe
23	1520	msiexec.exe
24	1520	msiexec.exe
25	1520	msiexec.exe
26	1520	msiexec.exe
28	1520	msiexec.exe
29	1520	msiexec.exe
30	1520	msiexec.exe
32	1520	msiexec.exe
34	1520	msiexec.exe
35	1520	msiexec.exe
36	1520	msiexec.exe
37	1520	msiexec.exe
38	1520	msiexec.exe
39	1520	msiexec.exe
41	1520	msiexec.exe
42	1520	msiexec.exe
43	1520	msiexec.exe
44	1520	msiexec.exe
45	1520	msiexec.exe
46	1520	msiexec.exe
47	1520	msiexec.exe
48	1520	msiexec.exe
49	1520	msiexec.exe
50	1520	msiexec.exe
51	1520	msiexec.exe
52	1520	msiexec.exe
53	1520	msiexec.exe
54	1520	msiexec.exe
55	1520	msiexec.exe
56	1520	msiexec.exe
57	1520	msiexec.exe
58	1520	msiexec.exe
59	1520	msiexec.exe
60	1520	msiexec.exe
61	1520	msiexec.exe
62	1520	msiexec.exe
63	1520	msiexec.exe
64	1520	msiexec.exe
66	1520	msiexec.exe
67	1520	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

n1.bin.exe

description pid process target process

PID 1048 set thread context of 1520 1048 n1.bin.exe msiexec.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

n1.bin.exe

pid process

1048 n1.bin.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

n1.bin.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 1048 n1.bin.exe
Token: SeSecurityPrivilege 1520 msiexec.exe
Token: SeSecurityPrivilege 1520 msiexec.exe

description	pid	process	target process
PID 1048 set thread context of 1520	1048	n1.bin.exe	msiexec.exe

pid	process
1048	n1.bin.exe

description	pid	process
Token: SeDebugPrivilege	1048	n1.bin.exe
Token: SeSecurityPrivilege	1520	msiexec.exe
Token: SeSecurityPrivilege	1520	msiexec.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

n1.bin.exe

description	pid	process	target process
PID 1048 wrote to memory of 1520	1048	n1.bin.exe	msiexec.exe
PID 1048 wrote to memory of 1520	1048	n1.bin.exe	msiexec.exe
PID 1048 wrote to memory of 1520	1048	n1.bin.exe	msiexec.exe
PID 1048 wrote to memory of 1520	1048	n1.bin.exe	msiexec.exe
PID 1048 wrote to memory of 1520	1048	n1.bin.exe	msiexec.exe
PID 1048 wrote to memory of 1520	1048	n1.bin.exe	msiexec.exe
PID 1048 wrote to memory of 1520	1048	n1.bin.exe	msiexec.exe
PID 1048 wrote to memory of 1520	1048	n1.bin.exe	msiexec.exe
PID 1048 wrote to memory of 1520	1048	n1.bin.exe	msiexec.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\n1.bin.exe
"C:\Users\Admin\AppData\Local\Temp\n1.bin.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
2⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:1520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1048-2-0x0000000000CF9000-0x0000000000CFA000-memory.dmp

Filesize
4KB

Download
memory/1048-3-0x0000000002690000-0x00000000026A1000-memory.dmp

Filesize
68KB

Download
memory/1048-4-0x0000000002690000-0x00000000026A1000-memory.dmp

Filesize
68KB

Download
memory/1520-7-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/1520-8-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1520-9-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/1520-10-0x0000000000000000-mapping.dmp

Download
memory/1728-11-0x000007FEF5F20000-0x000007FEF619A000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing