Overview

overview

10

Static

static

5e0362037e...2c.dll

windows7_x64

10

5e0362037e...2c.dll

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    30-04-2021 19:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5e0362037ebe9276b9a253a66c233be67bb6ceedec997e9bd0faa294091eb52c.dll

  • Size

    619KB

  • MD5

    e54803695352cd8a46fb303f6d83c4f5

  • SHA1

    246416a97b5d712495a17081456a3ceb4f6d2d2e

  • SHA256

    5e0362037ebe9276b9a253a66c233be67bb6ceedec997e9bd0faa294091eb52c

  • SHA512

    739de9da9b8755c34577801c4fa0b88a347012fc579a4ac4a4a2e6d4b1213e1ac585b1f1a9db59549693436eac6700ab57af4598ae0b3f2f8c32a86701f923fa

Score
10/10
zloadernut30/03botnettrojan

Malware Config

Extracted

Family

zloader

Botnet

nut

Campaign

30/03

C2

https://holacast.com/post.php

https://homeloansadvisor.in/post.php

https://hoteldonalala.com.mx/post.php

https://hotimobiliaria.com.br/post.php

https://hrdgschool.com/post.php

https://huloolcreations.com/post.php

https://hyundainhatrang.vn/post.php

https://iaikotasemarang.id/post.php
rc4.plain
rsa_pubkey.plain

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • Blocklisted process makes network request 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5e0362037ebe9276b9a253a66c233be67bb6ceedec997e9bd0faa294091eb52c.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1756
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\5e0362037ebe9276b9a253a66c233be67bb6ceedec997e9bd0faa294091eb52c.dll
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1156
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of AdjustPrivilegeToken
        PID:316

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/316-66-0x0000000000000000-mapping.dmp
    Download
  • memory/316-68-0x0000000000090000-0x00000000000BB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1156-61-0x0000000000000000-mapping.dmp
    Download
  • memory/1156-62-0x0000000075FE1000-0x0000000075FE3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1156-63-0x0000000074210000-0x000000007423B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1156-64-0x0000000074210000-0x00000000747B4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/1156-65-0x0000000000180000-0x0000000000181000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1756-60-0x000007FEFBD21000-0x000007FEFBD23000-memory.dmp
    Filesize

    8KB

    Download