zloader | 965e8a6c0b646352406ea5deb665a38606670c9163e12af2684dba436ae9fff3

General

Target

360000.dll
Size

150KB
MD5

b2dc3a104d18f1a899d67fcd69fc0c5b
SHA1

b5306f3e9d4a86d518cd4433a1eae65151775384
SHA256

965e8a6c0b646352406ea5deb665a38606670c9163e12af2684dba436ae9fff3
SHA512

d6d2f900a6095a895894bc50074bc2dde40aafd304f1e3078958d721b373f525201e979162ce64e81dce256779162c1a853dfc6909af47b4304da5daa1cc042b

Score

10^/10

zloader nut 22/03 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

nut

Campaign

22/03

C2

https://svilapp.svgipsar.org/post.php

https://nadar-gis.com/post.php

https://crearqarquitectos.com/post.php

https://crown-sign.com/post.php

https://dainikjahan.com/post.php

https://denatureedutech.com/post.php

https://alekllemtilaro.tk/post.php

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 31 IoCs

Processes:

msiexec.exe

flow	pid	process
7	1364	msiexec.exe
8	1364	msiexec.exe
9	1364	msiexec.exe
10	1364	msiexec.exe
11	1364	msiexec.exe
12	1364	msiexec.exe
13	1364	msiexec.exe
14	1364	msiexec.exe
15	1364	msiexec.exe
16	1364	msiexec.exe
17	1364	msiexec.exe
18	1364	msiexec.exe
19	1364	msiexec.exe
20	1364	msiexec.exe
21	1364	msiexec.exe
22	1364	msiexec.exe
23	1364	msiexec.exe
24	1364	msiexec.exe
25	1364	msiexec.exe
26	1364	msiexec.exe
27	1364	msiexec.exe
29	1364	msiexec.exe
30	1364	msiexec.exe
31	1364	msiexec.exe
33	1364	msiexec.exe
35	1364	msiexec.exe
37	1364	msiexec.exe
39	1364	msiexec.exe
41	1364	msiexec.exe
43	1364	msiexec.exe
45	1364	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1088 set thread context of 1364 1088 rundll32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 1364 msiexec.exe
Token: SeSecurityPrivilege 1364 msiexec.exe

description	pid	process	target process
PID 1088 set thread context of 1364	1088	rundll32.exe	msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	1364	msiexec.exe
Token: SeSecurityPrivilege	1364	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1108 wrote to memory of 1088	1108	rundll32.exe	rundll32.exe
PID 1108 wrote to memory of 1088	1108	rundll32.exe	rundll32.exe
PID 1108 wrote to memory of 1088	1108	rundll32.exe	rundll32.exe
PID 1108 wrote to memory of 1088	1108	rundll32.exe	rundll32.exe
PID 1108 wrote to memory of 1088	1108	rundll32.exe	rundll32.exe
PID 1108 wrote to memory of 1088	1108	rundll32.exe	rundll32.exe
PID 1108 wrote to memory of 1088	1108	rundll32.exe	rundll32.exe
PID 1088 wrote to memory of 1364	1088	rundll32.exe	msiexec.exe
PID 1088 wrote to memory of 1364	1088	rundll32.exe	msiexec.exe
PID 1088 wrote to memory of 1364	1088	rundll32.exe	msiexec.exe
PID 1088 wrote to memory of 1364	1088	rundll32.exe	msiexec.exe
PID 1088 wrote to memory of 1364	1088	rundll32.exe	msiexec.exe
PID 1088 wrote to memory of 1364	1088	rundll32.exe	msiexec.exe
PID 1088 wrote to memory of 1364	1088	rundll32.exe	msiexec.exe
PID 1088 wrote to memory of 1364	1088	rundll32.exe	msiexec.exe
PID 1088 wrote to memory of 1364	1088	rundll32.exe	msiexec.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\360000.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\360000.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    PID:1364

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/316-7-0x000007FEF7510000-0x000007FEF778A000-memory.dmp

Filesize
2.5MB

Download
memory/1088-2-0x0000000000000000-mapping.dmp

Download
memory/1088-3-0x00000000760D1000-0x00000000760D3000-memory.dmp

Filesize
8KB

Download
memory/1364-4-0x0000000000000000-mapping.dmp

Download
memory/1364-6-0x0000000000130000-0x000000000015B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing