Overview

overview

10

Static

static

10ec4e9f67...8c.dll

windows7_x64

10

10ec4e9f67...8c.dll

windows10_x64

8

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    03-03-2021 02:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    10ec4e9f67028d2bf9f5e42cb2918663436e21760a5f1e08950b19ac2745e48c.dll

  • Size

    344KB

  • MD5

    0358fcd58c56d6cedec03b80c64ff988

  • SHA1

    34816e94bf4cc91c3c8bd6a8c087f6592ab28e96

  • SHA256

    10ec4e9f67028d2bf9f5e42cb2918663436e21760a5f1e08950b19ac2745e48c

  • SHA512

    677e4d1c61cfb19ca47c11d3fbfbc68f546ee5095e89075b76ba9c4b7b42ebe4f920ce0ff6b4174ce33fc87f97c398a757203c406413423751b8caa1d9d2248a

Score
10/10
zloadernut23/11botnettrojan

Malware Config

Extracted

Family

zloader

Botnet

nut

Campaign

23/11

C2

https://orangeboxasia.com/wp-smarts.php

https://m3izoglass.ro/wp-smarts.php

https://bayza.ro/up_img_01.php

https://cofetariarodna.ro/errors.php

https://casapintea.ro/logs.php

https://roractaseja.ml/wp-smarts.php
rc4.plain
rsa_pubkey.plain

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • Blocklisted process makes network request 10 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\10ec4e9f67028d2bf9f5e42cb2918663436e21760a5f1e08950b19ac2745e48c.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:544
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\10ec4e9f67028d2bf9f5e42cb2918663436e21760a5f1e08950b19ac2745e48c.dll
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1284
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of AdjustPrivilegeToken
        PID:1464

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/528-10-0x000007FEF6790000-0x000007FEF6A0A000-memory.dmp
    Filesize

    2.5MB

    Download
  • memory/544-2-0x000007FEFC2B1000-0x000007FEFC2B3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1284-3-0x0000000000000000-mapping.dmp
    Download
  • memory/1284-4-0x0000000076881000-0x0000000076883000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1284-5-0x0000000074BA0000-0x0000000074BC5000-memory.dmp
    Filesize

    148KB

    Download
  • memory/1284-6-0x00000000000D0000-0x00000000000D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1464-7-0x0000000000000000-mapping.dmp
    Download
  • memory/1464-9-0x0000000000090000-0x00000000000B5000-memory.dmp
    Filesize

    148KB

    Download