Overview

overview

10

Static

static

34aa0bd4dc...e1.dll

windows7_x64

10

34aa0bd4dc...e1.dll

windows10_x64

8

Analysis

  • max time kernel
    143s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    03-03-2021 00:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    34aa0bd4dc61cca23b7950282df26ce2e16a339b2895add65d46e6d317a11fe1.dll

  • Size

    320KB

  • MD5

    ce8ac0e4da0c1d4406a4a17215db37cf

  • SHA1

    f2df1a5863044e5d6b4ab7d2a2b1ebee9f96d228

  • SHA256

    34aa0bd4dc61cca23b7950282df26ce2e16a339b2895add65d46e6d317a11fe1

  • SHA512

    fcfff47b9074b9013fc00acb9b4a9aee13f820e6369e78a354a3b8d545a8ebf1560f910d6a49edff53384c6e37d61a0b075eb44c6ab89267a0a532f58fbbe7f1

Score
10/10
zloadernut27/11botnettrojan

Malware Config

Extracted

Family

zloader

Botnet

nut

Campaign

27/11

C2

https://hac3r.com/wp-punch.php

https://womtools.com/wp-punch.php

https://valitec.co/wp-punch.php

https://empresascreciendobien.com/server.php

https://smartat.co/error.php

https://teamearenttopdiaty.ga/wp-smarts.php
rc4.plain
rsa_pubkey.plain

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • Blocklisted process makes network request 27 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\34aa0bd4dc61cca23b7950282df26ce2e16a339b2895add65d46e6d317a11fe1.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:800
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\34aa0bd4dc61cca23b7950282df26ce2e16a339b2895add65d46e6d317a11fe1.dll
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1496
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of AdjustPrivilegeToken
        PID:1376

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/800-2-0x000007FEFC321000-0x000007FEFC323000-memory.dmp
    Filesize

    8KB

    Download
  • memory/808-10-0x000007FEF7C70000-0x000007FEF7EEA000-memory.dmp
    Filesize

    2.5MB

    Download
  • memory/1376-7-0x0000000000000000-mapping.dmp
    Download
  • memory/1376-9-0x0000000000090000-0x00000000000B6000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1496-3-0x0000000000000000-mapping.dmp
    Download
  • memory/1496-4-0x0000000076C21000-0x0000000076C23000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1496-5-0x0000000074F80000-0x0000000074FA6000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1496-6-0x0000000000250000-0x0000000000251000-memory.dmp
    Filesize

    4KB

    Download