Analysis
max time kernel: 1797s
max time network: 1790s
platform: windows7_x64
resource: win7v20201028
submitted: 22-03-2021 15:50
General
Target: 360000.dll
Size: 150KB
MD5: b2dc3a104d18f1a899d67fcd69fc0c5b
SHA1: b5306f3e9d4a86d518cd4433a1eae65151775384
SHA256: 965e8a6c0b646352406ea5deb665a38606670c9163e12af2684dba436ae9fff3
SHA512: d6d2f900a6095a895894bc50074bc2dde40aafd304f1e3078958d721b373f525201e979162ce64e81dce256779162c1a853dfc6909af47b4304da5daa1cc042b
Malware Config (extracted)
Family: zloader
Botnet: nut
Campaign: 22/03
C2:
rc4.plain
rsa_pubkey.plain
Signatures
Blocklisted process makes network request (64 IoCs)
Processes (flow | pid | process): every flow below originates from pid 1724 msiexec.exe; flow ids 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 28, 29, 30, 32, 34, 36, 38, 40, 42, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 106, 131, 132
Suspicious use of SetThreadContext (1 IoC)
Processes (description | pid | process | target process):
PID 2036 set thread context of 1724 | 2036 | rundll32.exe | msiexec.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description | pid | process):
Token: SeSecurityPrivilege | 1724 | msiexec.exe
Token: SeSecurityPrivilege | 1724 | msiexec.exe
Suspicious use of WriteProcessMemory (16 IoCs)
Processes (description | pid | process | target process):
PID 1856 wrote to memory of 2036 | 1856 | rundll32.exe | rundll32.exe
PID 1856 wrote to memory of 2036 | 1856 | rundll32.exe | rundll32.exe
PID 1856 wrote to memory of 2036 | 1856 | rundll32.exe | rundll32.exe
PID 1856 wrote to memory of 2036 | 1856 | rundll32.exe | rundll32.exe
PID 1856 wrote to memory of 2036 | 1856 | rundll32.exe | rundll32.exe
PID 1856 wrote to memory of 2036 | 1856 | rundll32.exe | rundll32.exe
PID 1856 wrote to memory of 2036 | 1856 | rundll32.exe | rundll32.exe
PID 2036 wrote to memory of 1724 | 2036 | rundll32.exe | msiexec.exe
PID 2036 wrote to memory of 1724 | 2036 | rundll32.exe | msiexec.exe
PID 2036 wrote to memory of 1724 | 2036 | rundll32.exe | msiexec.exe
PID 2036 wrote to memory of 1724 | 2036 | rundll32.exe | msiexec.exe
PID 2036 wrote to memory of 1724 | 2036 | rundll32.exe | msiexec.exe
PID 2036 wrote to memory of 1724 | 2036 | rundll32.exe | msiexec.exe
PID 2036 wrote to memory of 1724 | 2036 | rundll32.exe | msiexec.exe
PID 2036 wrote to memory of 1724 | 2036 | rundll32.exe | msiexec.exe
PID 2036 wrote to memory of 1724 | 2036 | rundll32.exe | msiexec.exe
Processes (tree, depth 1 to 3)
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\360000.dll,#1
   PID: 1856
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\360000.dll,#1
      PID: 2036
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\msiexec.exe
         Command line: msiexec.exe
         PID: 1724
         - Blocklisted process makes network request
         - Suspicious use of AdjustPrivilegeToken