zloader | ca4a842f5c327aa4372549fc4bf1e6f86956cfddcf423fbaadeba69fd6738c05

General

Target

311c78f93acf71a31e5c05bb20f0eef5.dll
Size

666KB
MD5

311c78f93acf71a31e5c05bb20f0eef5
SHA1

d9618042f78ad4fd5e7c9e20114badf4e0b1b7b7
SHA256

ca4a842f5c327aa4372549fc4bf1e6f86956cfddcf423fbaadeba69fd6738c05
SHA512

781b64a2da50a94c660e577aad6dd0995ca1895c6b09f32c177d30383e721586ef7f0ae2c1aec8658b89b9b9ae4f1903e39b6bc5f11d554697c64974cec2bcb9

Score

10^/10

zloader nut 13/04 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

nut

Campaign

13/04

C2

https://jiaayanu.com/post.php

https://investinszeklerland.eu/post.php

https://iqs-sac.com/post.php

https://jciems.in/post.php

https://jinnahofficersschool.com/post.php

https://kancagh.com/post.php

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Blocklisted process makes network request 8 IoCs

Processes:

msiexec.exe

flow pid process

7 1520 msiexec.exe
8 1520 msiexec.exe
9 1520 msiexec.exe
10 1520 msiexec.exe
11 1520 msiexec.exe
12 1520 msiexec.exe
13 1520 msiexec.exe
14 1520 msiexec.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 2032 set thread context of 1520 2032 rundll32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 1520 msiexec.exe
Token: SeSecurityPrivilege 1520 msiexec.exe

flow	pid	process
7	1520	msiexec.exe
8	1520	msiexec.exe
9	1520	msiexec.exe
10	1520	msiexec.exe
11	1520	msiexec.exe
12	1520	msiexec.exe
13	1520	msiexec.exe
14	1520	msiexec.exe

description	pid	process	target process
PID 2032 set thread context of 1520	2032	rundll32.exe	msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	1520	msiexec.exe
Token: SeSecurityPrivilege	1520	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1208 wrote to memory of 2032	1208	rundll32.exe	rundll32.exe
PID 1208 wrote to memory of 2032	1208	rundll32.exe	rundll32.exe
PID 1208 wrote to memory of 2032	1208	rundll32.exe	rundll32.exe
PID 1208 wrote to memory of 2032	1208	rundll32.exe	rundll32.exe
PID 1208 wrote to memory of 2032	1208	rundll32.exe	rundll32.exe
PID 1208 wrote to memory of 2032	1208	rundll32.exe	rundll32.exe
PID 1208 wrote to memory of 2032	1208	rundll32.exe	rundll32.exe
PID 2032 wrote to memory of 1520	2032	rundll32.exe	msiexec.exe
PID 2032 wrote to memory of 1520	2032	rundll32.exe	msiexec.exe
PID 2032 wrote to memory of 1520	2032	rundll32.exe	msiexec.exe
PID 2032 wrote to memory of 1520	2032	rundll32.exe	msiexec.exe
PID 2032 wrote to memory of 1520	2032	rundll32.exe	msiexec.exe
PID 2032 wrote to memory of 1520	2032	rundll32.exe	msiexec.exe
PID 2032 wrote to memory of 1520	2032	rundll32.exe	msiexec.exe
PID 2032 wrote to memory of 1520	2032	rundll32.exe	msiexec.exe
PID 2032 wrote to memory of 1520	2032	rundll32.exe	msiexec.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\311c78f93acf71a31e5c05bb20f0eef5.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\311c78f93acf71a31e5c05bb20f0eef5.dll,#1
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:1520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1520-64-0x0000000000000000-mapping.dmp

Download
memory/1520-66-0x00000000000D0000-0x00000000000FB000-memory.dmp

Filesize
172KB

Download
memory/2032-59-0x0000000000000000-mapping.dmp

Download
memory/2032-60-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download
memory/2032-61-0x00000000747E0000-0x000000007480B000-memory.dmp

Filesize
172KB

Download
memory/2032-62-0x00000000747E0000-0x00000000748A8000-memory.dmp

Filesize
800KB

Download
memory/2032-63-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing