Overview

overview

10

Static

static

microsoft_...mp.dll

windows7_x64

10

microsoft_...mp.dll

windows10_x64

1

Analysis

  • max time kernel
    43s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    13-03-2021 09:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    microsoft_shared.tmp.dll

  • Size

    686KB

  • MD5

    7a75045c4c927433aa7258833355c403

  • SHA1

    c9fb3583b403cc8ed0186971ee300629fd91525f

  • SHA256

    eb12afe158fd7f4236a98c7c6b686dfe9838c3d986c28b593a54303c68534661

  • SHA512

    e1ef63423f04f0047a89b72537aa6d0068e842304e69146e766e83a7b261025765944858d699480f66d38655c4fa5e20b04e96fff9a0397f27db92016cb2c02b

Score
10/10
zloaderpersonalpersonalbotnettrojan

Malware Config

Extracted

Family

zloader

Botnet

personal

Campaign

personal

C2

https://iqowijsdakm.com/gate.php

https://wiewjdmkfjn.com/gate.php

https://dksaoidiakjd.com/gate.php

https://iweuiqjdakjd.com/gate.php

https://yuidskadjna.com/gate.php

https://olksmadnbdj.com/gate.php

https://odsakmdfnbs.com/gate.php

https://odsakjmdnhsaj.com/gate.php

https://odjdnhsaj.com/gate.php

https://odoishsaj.com/gate.php
rc4.plain
rsa_pubkey.plain

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\microsoft_shared.tmp.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\microsoft_shared.tmp.dll
      2⤵
        PID:2024
        • C:\Windows\SysWOW64\msiexec.exe
          msiexec.exe
          3⤵
            PID:240

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/240-7-0x0000000000000000-mapping.dmp

        Download

      • memory/240-9-0x0000000000090000-0x00000000000B6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/1056-2-0x000007FEFB8A1000-0x000007FEFB8A3000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1072-10-0x000007FEF71F0000-0x000007FEF746A000-memory.dmp

        Filesize

        2.5MB

        Download

      • memory/2024-3-0x0000000000000000-mapping.dmp

        Download

      • memory/2024-4-0x0000000075A61000-0x0000000075A63000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2024-5-0x0000000000180000-0x0000000000181000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2024-6-0x0000000000830000-0x00000000008DF000-memory.dmp

        Filesize

        700KB

        Download