zloader | 61be79c9e47ad894006907c544c0a2d606d8d69c95298ffc5861f20c4b87769e

General

Target

xiNGRHX.txt.dll
Size

688KB
MD5

bb4d1959e6a7850a556ebadf69d18508
SHA1

c4a940aa768e97da36393a899775ff7172f66274
SHA256

61be79c9e47ad894006907c544c0a2d606d8d69c95298ffc5861f20c4b87769e
SHA512

57c6e278ca830b5d20ab0d6a442cfca2265abffa5f46f40c4551e22a0acafef0b0a9fe06b08848bc58dfd5e7e5327ccc4c684edb60204cbcc5a839a9bbbe0a0d

Score

10^/10

zloader nut 24/03 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

nut

Campaign

24/03

C2

https://electrabeautytools.com/post.php

https://elexitodelonatural.com/post.php

https://elmaaref.com/post.php

https://enrichuae.com/post.php

https://www.epsilon-me.com/post.php

https://codilmeosoterti.tk/post.php

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 64 IoCs

Processes:

msiexec.exe

flow	pid	process
7	656	msiexec.exe
8	656	msiexec.exe
9	656	msiexec.exe
10	656	msiexec.exe
11	656	msiexec.exe
12	656	msiexec.exe
13	656	msiexec.exe
14	656	msiexec.exe
15	656	msiexec.exe
16	656	msiexec.exe
17	656	msiexec.exe
18	656	msiexec.exe
19	656	msiexec.exe
20	656	msiexec.exe
21	656	msiexec.exe
22	656	msiexec.exe
23	656	msiexec.exe
24	656	msiexec.exe
25	656	msiexec.exe
26	656	msiexec.exe
27	656	msiexec.exe
29	656	msiexec.exe
30	656	msiexec.exe
31	656	msiexec.exe
33	656	msiexec.exe
34	656	msiexec.exe
35	656	msiexec.exe
36	656	msiexec.exe
37	656	msiexec.exe
38	656	msiexec.exe
39	656	msiexec.exe
40	656	msiexec.exe
41	656	msiexec.exe
42	656	msiexec.exe
43	656	msiexec.exe
44	656	msiexec.exe
45	656	msiexec.exe
46	656	msiexec.exe
47	656	msiexec.exe
48	656	msiexec.exe
49	656	msiexec.exe
50	656	msiexec.exe
51	656	msiexec.exe
52	656	msiexec.exe
53	656	msiexec.exe
55	656	msiexec.exe
56	656	msiexec.exe
57	656	msiexec.exe
59	656	msiexec.exe
60	656	msiexec.exe
61	656	msiexec.exe
62	656	msiexec.exe
63	656	msiexec.exe
64	656	msiexec.exe
65	656	msiexec.exe
66	656	msiexec.exe
67	656	msiexec.exe
68	656	msiexec.exe
69	656	msiexec.exe
70	656	msiexec.exe
71	656	msiexec.exe
72	656	msiexec.exe
73	656	msiexec.exe
74	656	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1408 set thread context of 656 1408 rundll32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 656 msiexec.exe
Token: SeSecurityPrivilege 656 msiexec.exe

description	pid	process	target process
PID 1408 set thread context of 656	1408	rundll32.exe	msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	656	msiexec.exe
Token: SeSecurityPrivilege	656	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1864 wrote to memory of 1408	1864	rundll32.exe	rundll32.exe
PID 1864 wrote to memory of 1408	1864	rundll32.exe	rundll32.exe
PID 1864 wrote to memory of 1408	1864	rundll32.exe	rundll32.exe
PID 1864 wrote to memory of 1408	1864	rundll32.exe	rundll32.exe
PID 1864 wrote to memory of 1408	1864	rundll32.exe	rundll32.exe
PID 1864 wrote to memory of 1408	1864	rundll32.exe	rundll32.exe
PID 1864 wrote to memory of 1408	1864	rundll32.exe	rundll32.exe
PID 1408 wrote to memory of 656	1408	rundll32.exe	msiexec.exe
PID 1408 wrote to memory of 656	1408	rundll32.exe	msiexec.exe
PID 1408 wrote to memory of 656	1408	rundll32.exe	msiexec.exe
PID 1408 wrote to memory of 656	1408	rundll32.exe	msiexec.exe
PID 1408 wrote to memory of 656	1408	rundll32.exe	msiexec.exe
PID 1408 wrote to memory of 656	1408	rundll32.exe	msiexec.exe
PID 1408 wrote to memory of 656	1408	rundll32.exe	msiexec.exe
PID 1408 wrote to memory of 656	1408	rundll32.exe	msiexec.exe
PID 1408 wrote to memory of 656	1408	rundll32.exe	msiexec.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\xiNGRHX.txt.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\xiNGRHX.txt.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    PID:656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/656-6-0x0000000000000000-mapping.dmp

Download
memory/656-8-0x0000000000090000-0x00000000000BB000-memory.dmp

Filesize
172KB

Download
memory/1408-2-0x0000000000000000-mapping.dmp

Download
memory/1408-3-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download
memory/1408-4-0x0000000000850000-0x000000000087B000-memory.dmp

Filesize
172KB

Download
memory/1408-5-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1596-9-0x000007FEF7810000-0x000007FEF7A8A000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing