Overview

overview

10

Static

static

10

e4d0a79d24...4a.dll

windows7_x64

10

e4d0a79d24...4a.dll

windows10_x64

10

Resubmissions

23-03-2021 23:39

210323-gwmsg5pk56 10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    23-03-2021 23:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e4d0a79d2463c5d3a71874e3389fa753f480b96639ad32baf1997baf8e5f714a.dll

  • Size

    187KB

  • MD5

    6a900d6f8af3a1a0e31ca5bb63637d03

  • SHA1

    221ab3d8ab16a0a7790026aab9b26904be6db436

  • SHA256

    e4d0a79d2463c5d3a71874e3389fa753f480b96639ad32baf1997baf8e5f714a

  • SHA512

    7565f88ae40d6ab1953fc018694154846f8ab98410239947ad5101686cbb9a59032858cb12218e89e27715d1d77a8b941141137886e241924a8f3801999661a8

Score
10/10
zloaderapr14spambotnettrojan

Malware Config

Extracted

Family

zloader

Botnet

Apr14

Campaign

Spam

C2

http://wmwifbajxxbcxmucxmlc.com/post.php

http://ojnxjgfjlftfkkuxxiqd.com/post.php

http://pwkqhdgytsshkoibaake.com/post.php

http://snnmnkxdhflwgthqismb.com/post.php

http://iawfqecrwohcxnhwtofa.com/post.php

http://nlbmfsyplohyaicmxhum.com/post.php

http://fvqlkgedqjiqgapudkgq.com/post.php

http://cmmxhurildiigqghlryq.com/post.php

http://nmqsmbiabjdnuushksas.com/post.php

http://fyratyubvflktyyjiqgq.com/post.php
rc4.plain

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • Blocklisted process makes network request 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e4d0a79d2463c5d3a71874e3389fa753f480b96639ad32baf1997baf8e5f714a.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\e4d0a79d2463c5d3a71874e3389fa753f480b96639ad32baf1997baf8e5f714a.dll
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:836
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of AdjustPrivilegeToken
        PID:1676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/332-8-0x000007FEF8040000-0x000007FEF82BA000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/836-4-0x0000000075711000-0x0000000075713000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1096-2-0x000007FEFC4C1000-0x000007FEFC4C3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1676-7-0x0000000000090000-0x00000000000C4000-memory.dmp

    Filesize

    208KB

    Download