Overview

overview

10

Static

static

URLScan

urlscan

Kiki

windows7_x64

10

Analysis

  • max time kernel
    36s
  • max time network
    115s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    10-03-2021 10:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    http://voland.link/XgHcsrfsm?cost=0.002&currency=USD&external_id=21031004454cb2eb37c0864d9f84e2ae0000&ad_campaign_id=1735701&source=clickadu&sub_id_1=1711301

  • Sample

    210310-br6b22dzz6

Score
10/10
zloadergoogleaktualizacijagoogleaktualizacija2botnettrojan

Malware Config

Extracted

Family

zloader

Botnet

googleaktualizacija

Campaign

googleaktualizacija2

C2

https://iqowijsdakm.com/gate.php

https://wiewjdmkfjn.com/gate.php

https://dksaoidiakjd.com/gate.php

https://iweuiqjdakjd.com/gate.php

https://yuidskadjna.com/gate.php

https://olksmadnbdj.com/gate.php

https://odsakmdfnbs.com/gate.php

https://odsakjmdnhsaj.com/gate.php

https://odjdnhsaj.com/gate.php

https://odoishsaj.com/gate.php
rc4.plain
rsa_pubkey.plain

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • Loads dropped DLL 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 46 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://voland.link/XgHcsrfsm?cost=0.002&currency=USD&external_id=21031004454cb2eb37c0864d9f84e2ae0000&ad_campaign_id=1735701&source=clickadu&sub_id_1=1711301
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1656
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1656 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:576
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\259313020.exe"
        3⤵
        • Loads dropped DLL
        PID:528
        • C:\Windows\SysWOW64\msiexec.exe
          msiexec.exe
          4⤵
            PID:1292
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1656 CREDAT:340994 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1284

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      MD5

      610d94d779298831dca531702438a1b0

      SHA1

      6a983013430228c6cef45ec24175b36683670d1b

      SHA256

      64ec5fe2ef9cfe1e3c3c3a4152b56c76b92f1b046e6aa719fe4c5ebacb2912a7

      SHA512

      aaaf209b74ab38a54af59f01605eafd0b9a398b3a416e17d65d333fd2f06dea1fd912f6e074571537fa3b020d7edaa546ea4c07986563745c036a5eaec8ebe9c

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\s7iy1jn\imagestore.dat
      MD5

      eeeb0f7e6e731ed42d4fbe57691ceb1e

      SHA1

      51bff0acfd7023bbaaa588e0665dd0c47933ecf2

      SHA256

      58b15f36c3a2ee56c584aae6743b626a975c33c314b7ee54401823029b0ff937

      SHA512

      6a9859a47ee49dcf024811a50db72d0f228027db1e39680645882788bf1e45fd02e437316e3a065a7abb5dc7296a4e8a86ebd43e6833b46737bf872b5ff99a90

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3O0J2C38\b1695k2fglqu[1].htm
      MD5

      e56926e926ae14372bbf846021a4f34e

      SHA1

      3de941e5e20ec55e6ee8e48d87d4bc5194401e3a

      SHA256

      4010f2a7826f734ec579af52a96a75e32af21c1c5cf6e38be36240d522f71a2a

      SHA512

      b916f5a321833d1b00bc980666e66e9da1a4ff28959ece447330417091d069cd69ed01919d8d54e6fccb54c7309b1c7bb0d50bddef4517bf94d783c701b3ec2a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\259313020.exe
      MD5

      7a4334c164c28530b28858559643c6b9

      SHA1

      ee3ebcb8b28702c50b0083db163ba5876f40f54c

      SHA256

      b250b1ccb8194ce1ccc86b4a88bd7279f6804fac990758e95d203fdd1d97dcc2

      SHA512

      e58a00c9b7b947d573632097eb056b5791b0b3d4577ff5e4635b8056076d599240e128ac948a995c2c8102b2a2d4550c0d7edbd3d684f5364c44467f64e50c45

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7T853VIE.txt
      MD5

      db8586b5bcac56f0c0495f095bbe33ff

      SHA1

      a793ae3598880d936b73b53f3eeb8f0d0080bca4

      SHA256

      8a90f9128167931175fc8aaa614ca5858d16d4f32d57527bff90ab6a42e41c0d

      SHA512

      4dca210fe3fd299e9a5fec740e49387b8a0746bb35886371cc329368a94b6f32c6114ebfcba1745023130a7be229175a6c526c0969e7ab7b7c3d25ec6ec3707f

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SBK6GT8Y.txt
      MD5

      45db68dfdcf5d5b5338d0b8095727661

      SHA1

      cfc54b1b5d8c5dd8d2112dd7451268818c03f664

      SHA256

      cd01d4e534a12ea748816ab67ed4fa207463f005902a24a0b179af5f10f83ad1

      SHA512

      80c9e92e1ff1a5e10db55ef8b84447469a82db83820a41c6b7d6072af71a37c309baf39d1c971db16ea47856818995056f4d69c2c88cf0cef2e100efa56086cb

      Download Submit
    • \Users\Admin\AppData\Local\Temp\259313020.exe
      MD5

      7a4334c164c28530b28858559643c6b9

      SHA1

      ee3ebcb8b28702c50b0083db163ba5876f40f54c

      SHA256

      b250b1ccb8194ce1ccc86b4a88bd7279f6804fac990758e95d203fdd1d97dcc2

      SHA512

      e58a00c9b7b947d573632097eb056b5791b0b3d4577ff5e4635b8056076d599240e128ac948a995c2c8102b2a2d4550c0d7edbd3d684f5364c44467f64e50c45

      Download Submit
    • memory/528-7-0x00000000765A1000-0x00000000765A3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/528-5-0x0000000000000000-mapping.dmp
      Download
    • memory/528-12-0x00000000002B0000-0x00000000002B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/528-13-0x00000000001C0000-0x000000000020F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/576-4-0x0000000000000000-mapping.dmp
      Download
    • memory/1040-3-0x000007FEF7BD0000-0x000007FEF7E4A000-memory.dmp
      Filesize

      2.5MB

      Download
    • memory/1284-6-0x0000000000000000-mapping.dmp
      Download
    • memory/1292-17-0x0000000000000000-mapping.dmp
      Download
    • memory/1292-19-0x00000000000F0000-0x0000000000116000-memory.dmp
      Filesize

      152KB

      Download
    • memory/1656-2-0x000007FEFC251000-0x000007FEFC253000-memory.dmp
      Filesize

      8KB

      Download