Overview

overview

10

Static

static

rVuj5bF.bin.dll

windows7_x64

10

rVuj5bF.bin.dll

windows10_x64

10

Resubmissions

05-03-2021 05:53

210305-jqn2paptcs 10

24-06-2020 14:54

200624-4a9fpsftlx 10

Analysis

  • max time kernel
    151s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    05-03-2021 05:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rVuj5bF.bin.dll

  • Size

    403KB

  • MD5

    4e9d3907d80cfe903df735b855d5eaeb

  • SHA1

    3fcc74d0b646e8324f0a4cf4708890a8261f3e84

  • SHA256

    280fedf6fd7e0964222ac9b21bcc289c222c7ea91d7bad6350741bdf8c1f0938

  • SHA512

    672b8b0dd776ff156504e55c171fe035e5aac7b1b48ae785973113648717317eb611acbcc6141c5ab6c0096c4f41c24c335d957afbca1fddcf15dfde9750361f

Score
10/10
zloaderminik18/06botnettrojan

Malware Config

Extracted

Family

zloader

Botnet

minik

Campaign

18/06

C2

https://neomithirdseman.tk/wp-parsing.php

https://fernmasucsavidi.cf/wp-parsing.php

https://wireborg.com/wp-parsing.php

https://secretele-naturii.xyz/wp-parsing.php

https://legendcoder.com/wp-parsing.php
rc4.plain
rsa_pubkey.plain

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • Blocklisted process makes network request 9 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\rVuj5bF.bin.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:384
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\rVuj5bF.bin.dll,#1
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1808
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of AdjustPrivilegeToken
        PID:1552

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/520-9-0x000007FEF7300000-0x000007FEF757A000-memory.dmp
    Filesize

    2.5MB

    Download
  • memory/1552-6-0x0000000000000000-mapping.dmp
    Download
  • memory/1552-8-0x0000000000090000-0x00000000000BB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1808-2-0x0000000000000000-mapping.dmp
    Download
  • memory/1808-3-0x0000000076241000-0x0000000076243000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1808-4-0x0000000072880000-0x00000000728AB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1808-5-0x0000000000140000-0x0000000000141000-memory.dmp
    Filesize

    4KB

    Download