zloader | 43f51f954f960ebc76a869e1e398f43b2b936d9f833a6b16c0ab738879af2af2

General

Target

3b3bf8030dbda7b4c12d965928bce68ed15341fa9d91ea4489ad3ca7aad6614d.dll
Size

133KB
MD5

6d72546fbb7cae443a46d6a744760f7e
SHA1

c4d715bd92f12d54c2a77e5c1ac1ef1a2d1957f5
SHA256

3b3bf8030dbda7b4c12d965928bce68ed15341fa9d91ea4489ad3ca7aad6614d
SHA512

616e77a5a3e575d04229ecf6b7419c5886e1b2a9e38ba117debb4c97a3bce0b0ad75d9e9da46b747cee62cfa5a016bfc55a1d80aad2db137f7c1f176c4169f69

Score

10^/10

zloader nut 04/02 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

nut

Campaign

04/02

C2

https://vidhyashram.edu.in/post.php

https://carmeta-ampuh.com/post.php

https://bestarticleblog.com/post.php

https://alahsateam.com/post.php

https://pyggroup.com.pe/post.php

https://perlisisacsiograv.tk/post.php

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 54 IoCs

Processes:

msiexec.exe

flow	pid	process
7	1692	msiexec.exe
8	1692	msiexec.exe
9	1692	msiexec.exe
10	1692	msiexec.exe
11	1692	msiexec.exe
12	1692	msiexec.exe
13	1692	msiexec.exe
14	1692	msiexec.exe
15	1692	msiexec.exe
16	1692	msiexec.exe
17	1692	msiexec.exe
18	1692	msiexec.exe
19	1692	msiexec.exe
20	1692	msiexec.exe
21	1692	msiexec.exe
22	1692	msiexec.exe
23	1692	msiexec.exe
24	1692	msiexec.exe
25	1692	msiexec.exe
26	1692	msiexec.exe
27	1692	msiexec.exe
29	1692	msiexec.exe
30	1692	msiexec.exe
31	1692	msiexec.exe
33	1692	msiexec.exe
35	1692	msiexec.exe
39	1692	msiexec.exe
40	1692	msiexec.exe
42	1692	msiexec.exe
44	1692	msiexec.exe
45	1692	msiexec.exe
46	1692	msiexec.exe
47	1692	msiexec.exe
48	1692	msiexec.exe
49	1692	msiexec.exe
50	1692	msiexec.exe
51	1692	msiexec.exe
52	1692	msiexec.exe
53	1692	msiexec.exe
54	1692	msiexec.exe
55	1692	msiexec.exe
56	1692	msiexec.exe
57	1692	msiexec.exe
58	1692	msiexec.exe
59	1692	msiexec.exe
60	1692	msiexec.exe
61	1692	msiexec.exe
62	1692	msiexec.exe
63	1692	msiexec.exe
64	1692	msiexec.exe
66	1692	msiexec.exe
67	1692	msiexec.exe
68	1692	msiexec.exe
70	1692	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1428 set thread context of 1692 1428 rundll32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 1692 msiexec.exe
Token: SeSecurityPrivilege 1692 msiexec.exe

description	pid	process	target process
PID 1428 set thread context of 1692	1428	rundll32.exe	msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	1692	msiexec.exe
Token: SeSecurityPrivilege	1692	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1944 wrote to memory of 1428	1944	rundll32.exe	rundll32.exe
PID 1944 wrote to memory of 1428	1944	rundll32.exe	rundll32.exe
PID 1944 wrote to memory of 1428	1944	rundll32.exe	rundll32.exe
PID 1944 wrote to memory of 1428	1944	rundll32.exe	rundll32.exe
PID 1944 wrote to memory of 1428	1944	rundll32.exe	rundll32.exe
PID 1944 wrote to memory of 1428	1944	rundll32.exe	rundll32.exe
PID 1944 wrote to memory of 1428	1944	rundll32.exe	rundll32.exe
PID 1428 wrote to memory of 1692	1428	rundll32.exe	msiexec.exe
PID 1428 wrote to memory of 1692	1428	rundll32.exe	msiexec.exe
PID 1428 wrote to memory of 1692	1428	rundll32.exe	msiexec.exe
PID 1428 wrote to memory of 1692	1428	rundll32.exe	msiexec.exe
PID 1428 wrote to memory of 1692	1428	rundll32.exe	msiexec.exe
PID 1428 wrote to memory of 1692	1428	rundll32.exe	msiexec.exe
PID 1428 wrote to memory of 1692	1428	rundll32.exe	msiexec.exe
PID 1428 wrote to memory of 1692	1428	rundll32.exe	msiexec.exe
PID 1428 wrote to memory of 1692	1428	rundll32.exe	msiexec.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b3bf8030dbda7b4c12d965928bce68ed15341fa9d91ea4489ad3ca7aad6614d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b3bf8030dbda7b4c12d965928bce68ed15341fa9d91ea4489ad3ca7aad6614d.dll,#1
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:1692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1428-2-0x0000000000000000-mapping.dmp

Download
memory/1428-3-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1672-7-0x000007FEF6680000-0x000007FEF68FA000-memory.dmp

Filesize
2.5MB

Download
memory/1692-4-0x0000000000000000-mapping.dmp

Download
memory/1692-6-0x00000000000B0000-0x00000000000D6000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing