Resubmissions

24-03-2021 22:59

210324-ek4w44q4b2 1

16-03-2021 10:19

210316-1ad7ax3a3a 10

Analysis

  • max time kernel
    40s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    16-03-2021 10:19

General

  • Target

    http://voland.link/XgHcsrfsm?cost=0.002&currency=USD&external_id=210316043550f299aa48d24b95b3594e0000&ad_campaign_id=1735701&source=clickadu&sub_id_1=1711301

  • Sample

    210316-1ad7ax3a3a

Malware Config

Extracted

Family

zloader

Botnet

googleaktualizacija

Campaign

googleaktualizacija2

C2

https://iqowijsdakm.com/gate.php

https://wiewjdmkfjn.com/gate.php

https://dksaoidiakjd.com/gate.php

https://iweuiqjdakjd.com/gate.php

https://yuidskadjna.com/gate.php

https://olksmadnbdj.com/gate.php

https://odsakmdfnbs.com/gate.php

https://odsakjmdnhsaj.com/gate.php

https://odjdnhsaj.com/gate.php

https://odoishsaj.com/gate.php

rc4.plain
rsa_pubkey.plain
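The ten gate URLs above are the indicators a network defender can act on directly. The script below is an added example, not part of the sandbox report: it matches web-proxy log lines against those C2 hosts, normalising scheme, case and port so that a TLS-intercepted or SNI-only record still hits, and separately flags a POST to any `/gate.php` as a weak signal because that path is shared by other Zeus-derived families. The log line format (`timestamp client method url status`) and the sample lines are constructed for the example.

```python
"""Match proxy log lines against the zloader C2 gate URLs from this report.

Added example (not part of the sandbox report). The C2 URLs are the ones
listed in the extracted config; the log format and sample lines are
constructed for illustration.
"""
from urllib.parse import urlsplit

# C2 gate URLs extracted from the zloader config in this report.
ZLOADER_C2 = [
    "https://iqowijsdakm.com/gate.php",
    "https://wiewjdmkfjn.com/gate.php",
    "https://dksaoidiakjd.com/gate.php",
    "https://iweuiqjdakjd.com/gate.php",
    "https://yuidskadjna.com/gate.php",
    "https://olksmadnbdj.com/gate.php",
    "https://odsakmdfnbs.com/gate.php",
    "https://odsakjmdnhsaj.com/gate.php",
    "https://odjdnhsaj.com/gate.php",
    "https://odoishsaj.com/gate.php",
]

# Match on the hostname rather than the full URL: the bot may vary scheme
# or port, and a TLS proxy log often records only the SNI/host.
C2_HOSTS = {urlsplit(u).hostname.lower() for u in ZLOADER_C2}


def host_of(url_or_host):
    """Return the lower-cased hostname from a URL or a bare host[:port]."""
    s = url_or_host.strip()
    if "://" not in s:
        s = "//" + s  # make urlsplit treat a bare host[:port] as a netloc
    return (urlsplit(s).hostname or "").lower()


def match_c2(log_lines, c2_hosts=C2_HOSTS):
    """Scan log lines of the assumed form '<ts> <client> <method> <url> <status>'.

    Returns (line_no, client, host, reason) for each hit. An exact host
    match is a strong indicator; a POST to */gate.php on an unknown host is
    reported as weak, since the gate path alone does not prove this botnet.
    """
    hits = []
    for n, line in enumerate(log_lines, 1):
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line: skip rather than crash the scan
        _ts, client, method, url, _status = parts[:5]
        host = host_of(url)
        path = urlsplit(url).path
        if host in c2_hosts:
            hits.append((n, client, host, "known zloader C2 host"))
        elif method.upper() == "POST" and path.endswith("/gate.php"):
            hits.append((n, client, host, "weak: POST to /gate.php"))
    return hits


# Constructed sample proxy log (not taken from the report).
SAMPLE_LOG = [
    "2021-03-16T10:20:01Z 10.0.0.12 GET http://voland.link/XgHcsrfsm 200",
    "2021-03-16T10:20:05Z 10.0.0.12 POST https://IQOWIJSDAKM.com:443/gate.php 200",
    "2021-03-16T10:20:06Z 10.0.0.12 POST https://odjdnhsaj.com/gate.php 503",
    "2021-03-16T10:21:00Z 10.0.0.33 POST https://example.org/panel/gate.php 200",
    "2021-03-16T10:21:30Z 10.0.0.33 GET https://example.org/ 200",
]

if __name__ == "__main__":
    for hit in match_c2(SAMPLE_LOG):
        print(hit)
```

Matching on hostname deliberately ignores the `https://` scheme and the `/gate.php` path for the known hosts, so a beacon that the bot sends over a different port or to a bare host is still caught; the weak rule is there for triage, not blocking.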

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

  • Loads dropped DLL (1 IoC)
  • Modifies Internet Explorer settings (1 TTP, 46 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (8 IoCs)
  • Suspicious use of WriteProcessMemory (15 IoCs)

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://voland.link/XgHcsrfsm?cost=0.002&currency=USD&external_id=210316043550f299aa48d24b95b3594e0000&ad_campaign_id=1735701&source=clickadu&sub_id_1=1711301
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1856
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1856 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1116
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\259302038.exe"
        3⤵
        • Loads dropped DLL
        PID:620
        • C:\Windows\SysWOW64\msiexec.exe
          msiexec.exe
          4⤵
            PID:1692
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1856 CREDAT:340994 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:300
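
The tree above is the detection opportunity: the browser child process starts `regsvr32.exe /s` on a file in the user's Temp directory that carries a `.exe` name but is loaded as a DLL (the "Loads dropped DLL" signature), and that regsvr32 then starts `msiexec.exe` with no arguments at all. The script below is an added example, not part of the sandbox report: two rules run over process-creation events in a Sysmon Event ID 1-like shape (fields `pid`, `ppid`, `image`, `cmdline`, `parent_image`). The sample events mirror the PIDs, images and command lines in the tree; the event format and the parent of the top-level iexplore.exe (explorer.exe, PID 1188) are assumptions.

```python
"""Flag the IEXPLORE -> regsvr32 -> msiexec chain from this report's process tree.

Added example; not part of the sandbox report. Event shape (Sysmon EID 1-like
dicts) and the explorer.exe parent are assumptions; PIDs and command lines
of the sample events are taken from the tree above.
"""
import ntpath
import re

BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
SILENT_RE = re.compile(r"(^|\s)/s(\s|$)", re.IGNORECASE)
# Module path handed to regsvr32: a quoted path, or a bare trailing one.
TARGET_RE = re.compile(r'"([^"]+)"|(\S+\.(?:exe|dll|ocx))\s*$', re.IGNORECASE)


def _basename(path):
    return ntpath.basename(path).lower()


def _args(cmdline):
    """Everything after the image token, honouring a quoted image path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def rule_regsvr32_from_browser(ev):
    """Browser spawns regsvr32 /s on a module under the user's Temp directory.

    regsvr32 calls the module's DllRegisterServer, so the '.exe' extension is
    cosmetic: the dropped file is loaded as a DLL.
    """
    if _basename(ev["image"]) != "regsvr32.exe":
        return None
    if _basename(ev["parent_image"]) not in BROWSERS:
        return None
    m = TARGET_RE.search(ev["cmdline"])
    target = (m.group(1) or m.group(2)) if m else ""
    if TEMP_RE.search(target) and SILENT_RE.search(ev["cmdline"]):
        return f"pid {ev['pid']}: browser-spawned regsvr32 /s loading {target}"
    return None


def rule_bare_msiexec_from_regsvr32(ev):
    """regsvr32 starts msiexec.exe with no arguments at all.

    A real install carries /i, /x, /q ...; an empty command line is
    consistent with a host process started only to receive injected code.
    """
    if _basename(ev["image"]) != "msiexec.exe":
        return None
    if _basename(ev["parent_image"]) != "regsvr32.exe":
        return None
    if _args(ev["cmdline"]) == "":
        return f"pid {ev['pid']}: bare msiexec.exe spawned by regsvr32.exe"
    return None


RULES = (rule_regsvr32_from_browser, rule_bare_msiexec_from_regsvr32)


def detect(events):
    """Return the alert strings produced by every rule over every event."""
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append(msg)
    return hits


# Constructed events mirroring the tree above (explorer.exe parent assumed).
EVENTS = [
    {"pid": 1856, "ppid": 1188, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe" http://voland.link/XgHcsrfsm',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 1116, "ppid": 1856, "image": r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     "cmdline": r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1856 CREDAT:275457 /prefetch:2',
     "parent_image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"pid": 620, "ppid": 1116, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\259302038.exe"',
     "parent_image": r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"},
    {"pid": 1692, "ppid": 620, "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmdline": "msiexec.exe",
     "parent_image": r"C:\Windows\SysWOW64\regsvr32.exe"},
    # Benign control: a normal MSI install launched by the user from explorer.
    {"pid": 2000, "ppid": 1188, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\Admin\Downloads\tool.msi" /qn',
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The second rule keys on the empty command line rather than on msiexec.exe itself, which keeps ordinary installs (the control event) quiet; in a real deployment the parent check would be widened to any non-installer parent, not just regsvr32.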

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion: Modify Registry (T1112) 1


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5: fc9f4bcd8e3e8be7a86e0b4cc17bf230
    SHA1: 8583c9c8f287fc9daf6e3899ddebff92f9e72d49
    SHA256: 7e40236f7af32e99643e8e1a79511487f8aef5bc17e559f450316ec16ab60f5c
    SHA512: 8e58c768d30c4353c3fdeda24c1045c90899c7b50cb9b00de05d29435006dad97bd473181ec27ee6686c1ae42792d712bb693e69474030d9198141e4e52beebf

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\s7iy1jn\imagestore.dat
    MD5: 256b4bdc5e16af285ba69b119397b764
    SHA1: f09ebec409eb7b8d8595ae2c8ae2759e4c9053a8
    SHA256: c8251c3f4318abbbd0ea81d02c84e58ae54eb8f5e2504f6148b6605ef6c4be3c
    SHA512: ca0f6a0de01859e769fc9ce61d9cfd7a4414c974d85a598b9a84ce8aef2e4ca460de59ec74ab5edb93d61de5869999332a8d73b7c74d11c6a73627bc5c496f24

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3O0J2C38\b1695k2h0hjd[1].htm
    MD5: 28be85a8360ac7487b0b986f92b73a2b
    SHA1: 0a137849dc08ca26d75ff8539edf49608cc3e484
    SHA256: c960fcb402381064ae191e1c323c4c5989046b4b753db0297e3ea3e855f98355
    SHA512: 07ef6d16e73f9120389b2762418ceebdb3df8f9ed9b8153430ec22cbd7624b64bebce3ee3469e12cba1c856fcb8077ace0bb2e3d2cb2ef45e64c3ecdb2ad9c09

  • C:\Users\Admin\AppData\Local\Temp\259302038.exe
    MD5: c91aa7c80fa2e6fbf094040caeabca14
    SHA1: aaa87f6e2b6f923df5aa4b92ebe70bb744d1f311
    SHA256: e5af4868fc46a5a675d9e93c4e45b9fef7043fe2263ad0bd9469082c00d74139
    SHA512: 10bef80585a6ca2cf32c3a526aeca4072d108c8c488a5b5e9744a487cdfc48a1f3ce5935e33f7ae5b0d961e2b291c0c79c882df3f1a64f54c4adb6d49b1e1ac1

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4H0BPTQE.txt
    MD5: 2753ceb52df774b2d3e6fe66c5f84824
    SHA1: 0c97f29303b4caf0ec34f46a1ef26509d081be17
    SHA256: b6f636fc7ce47802312970b005486873915988f191045fe6d18a5a79dedebab2
    SHA512: 88e1d13c7a57b0c3b085251f70d9b43391671f3259cffa1e79ce231cbb96daf5848625f234c3b53696e90d4364fee6566dfadd2e2b538ae22a5bf051647df4b2

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LWURR8T2.txt
    MD5: aaebd5227b1dbff93827b7b1a6108825
    SHA1: dedd6354d2643ab5cc4037bd7e076c7b054af55a
    SHA256: d97c24eca9c840dd70c0c8f94f05e0dbabc282fead30e96613d3092308ed9525
    SHA512: e5967cef4a7ace44c493dc07925c89d275eb71f742939a46caf90ccfb7b5db7c2c86f96c1a442e0f6755b64f7da42cb0f1124ed35a35e45e164e742eac4550ca

  • \Users\Admin\AppData\Local\Temp\259302038.exe
    MD5: c91aa7c80fa2e6fbf094040caeabca14
    SHA1: aaa87f6e2b6f923df5aa4b92ebe70bb744d1f311
    SHA256: e5af4868fc46a5a675d9e93c4e45b9fef7043fe2263ad0bd9469082c00d74139
    SHA512: 10bef80585a6ca2cf32c3a526aeca4072d108c8c488a5b5e9744a487cdfc48a1f3ce5935e33f7ae5b0d961e2b291c0c79c882df3f1a64f54c4adb6d49b1e1ac1

  • memory/300-7-0x0000000000000000-mapping.dmp
  • memory/620-6-0x00000000767E1000-0x00000000767E3000-memory.dmp (Filesize 8KB)
  • memory/620-13-0x0000000000170000-0x0000000000171000-memory.dmp (Filesize 4KB)
  • memory/620-14-0x0000000000221000-0x000000000023D000-memory.dmp (Filesize 112KB)
  • memory/620-15-0x0000000000220000-0x00000000002B0000-memory.dmp (Filesize 576KB)
  • memory/620-5-0x0000000000000000-mapping.dmp
  • memory/1116-4-0x0000000000000000-mapping.dmp
  • memory/1188-3-0x000007FEF7F70000-0x000007FEF81EA000-memory.dmp (Filesize 2.5MB)
  • memory/1692-19-0x0000000000000000-mapping.dmp
  • memory/1692-21-0x00000000000D0000-0x00000000000F6000-memory.dmp (Filesize 152KB)
  • memory/1856-2-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmp (Filesize 8KB)