zloader | 7a0e70c85d65c95a7c98a7f14eaaa9b9f59795add4abb6a09ff2d75fbf947e80

General

Target

server.dll
Size

336KB
MD5

f6f15b210088e340c2f223ffb6894d12
SHA1

9edb31c56cc8befe1e41924f53cb96f9962c2328
SHA256

7a0e70c85d65c95a7c98a7f14eaaa9b9f59795add4abb6a09ff2d75fbf947e80
SHA512

b5b20f1e8f943bef8777b94c88d85a535c27563821bd62f68dace9b5e4842246a21eab33aa52f33eeb218bb098bc2197fc92eba058744834414879b22e360d53

Score

10^/10

zloader nut 01/03 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

nut

Campaign

01/03

C2

https://bentalks.co.ke/post.php

https://karhandlafarm.com/post.php

https://www.moinamakeup.com/post.php

https://miramaminerals.com/post.php

https://fermin.pe/post.php

https://talk2point.com/post.php

https://enpikilenlya.gq/post.php

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 64 IoCs

Processes:

msiexec.exe

flow	pid	process
7	1728	msiexec.exe
8	1728	msiexec.exe
9	1728	msiexec.exe
10	1728	msiexec.exe
11	1728	msiexec.exe
12	1728	msiexec.exe
13	1728	msiexec.exe
14	1728	msiexec.exe
15	1728	msiexec.exe
16	1728	msiexec.exe
17	1728	msiexec.exe
18	1728	msiexec.exe
19	1728	msiexec.exe
20	1728	msiexec.exe
21	1728	msiexec.exe
22	1728	msiexec.exe
23	1728	msiexec.exe
24	1728	msiexec.exe
25	1728	msiexec.exe
26	1728	msiexec.exe
27	1728	msiexec.exe
29	1728	msiexec.exe
30	1728	msiexec.exe
31	1728	msiexec.exe
33	1728	msiexec.exe
34	1728	msiexec.exe
35	1728	msiexec.exe
36	1728	msiexec.exe
37	1728	msiexec.exe
38	1728	msiexec.exe
39	1728	msiexec.exe
40	1728	msiexec.exe
41	1728	msiexec.exe
42	1728	msiexec.exe
43	1728	msiexec.exe
44	1728	msiexec.exe
45	1728	msiexec.exe
46	1728	msiexec.exe
47	1728	msiexec.exe
48	1728	msiexec.exe
49	1728	msiexec.exe
50	1728	msiexec.exe
51	1728	msiexec.exe
52	1728	msiexec.exe
53	1728	msiexec.exe
55	1728	msiexec.exe
56	1728	msiexec.exe
57	1728	msiexec.exe
59	1728	msiexec.exe
60	1728	msiexec.exe
61	1728	msiexec.exe
62	1728	msiexec.exe
63	1728	msiexec.exe
64	1728	msiexec.exe
65	1728	msiexec.exe
66	1728	msiexec.exe
67	1728	msiexec.exe
68	1728	msiexec.exe
69	1728	msiexec.exe
70	1728	msiexec.exe
71	1728	msiexec.exe
72	1728	msiexec.exe
73	1728	msiexec.exe
74	1728	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 2000 set thread context of 1728 2000 regsvr32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 1728 msiexec.exe
Token: SeSecurityPrivilege 1728 msiexec.exe

description	pid	process	target process
PID 2000 set thread context of 1728	2000	regsvr32.exe	msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	1728	msiexec.exe
Token: SeSecurityPrivilege	1728	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1088 wrote to memory of 2000	1088	regsvr32.exe	regsvr32.exe
PID 1088 wrote to memory of 2000	1088	regsvr32.exe	regsvr32.exe
PID 1088 wrote to memory of 2000	1088	regsvr32.exe	regsvr32.exe
PID 1088 wrote to memory of 2000	1088	regsvr32.exe	regsvr32.exe
PID 1088 wrote to memory of 2000	1088	regsvr32.exe	regsvr32.exe
PID 1088 wrote to memory of 2000	1088	regsvr32.exe	regsvr32.exe
PID 1088 wrote to memory of 2000	1088	regsvr32.exe	regsvr32.exe
PID 2000 wrote to memory of 1728	2000	regsvr32.exe	msiexec.exe
PID 2000 wrote to memory of 1728	2000	regsvr32.exe	msiexec.exe
PID 2000 wrote to memory of 1728	2000	regsvr32.exe	msiexec.exe
PID 2000 wrote to memory of 1728	2000	regsvr32.exe	msiexec.exe
PID 2000 wrote to memory of 1728	2000	regsvr32.exe	msiexec.exe
PID 2000 wrote to memory of 1728	2000	regsvr32.exe	msiexec.exe
PID 2000 wrote to memory of 1728	2000	regsvr32.exe	msiexec.exe
PID 2000 wrote to memory of 1728	2000	regsvr32.exe	msiexec.exe
PID 2000 wrote to memory of 1728	2000	regsvr32.exe	msiexec.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\server.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\server.dll
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:1728

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1088-2-0x000007FEFBDA1000-0x000007FEFBDA3000-memory.dmp

Filesize
8KB

Download
memory/1284-10-0x000007FEF7900000-0x000007FEF7B7A000-memory.dmp

Filesize
2.5MB

Download
memory/1728-7-0x0000000000000000-mapping.dmp

Download
memory/1728-9-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/2000-3-0x0000000000000000-mapping.dmp

Download
memory/2000-4-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/2000-5-0x0000000074830000-0x0000000074859000-memory.dmp

Filesize
164KB

Download
memory/2000-6-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing