zloader | 1f41fd3e96ef1c1328d08ced03ac5e1b717a45cda8cf94a1c4ffe775e43623b8

Resubmissions

10/08/2023, 17:09 UTC

230810-vn35qsfe85 10

10/08/2023, 16:29 UTC

230810-ty96csgg4t 10

07/07/2021, 20:32 UTC

210707-5mqmkk4eyx 10

Analysis

max time kernel
76s
max time network
112s
platform
windows10_x64
resource
win10v20210410
submitted
07/07/2021, 20:32 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f41fd3e96ef1c1328d08ced03ac5e1b717a45cda8cf94a1c4ffe775e43623b8.dll
Size

172KB
MD5

2297dee946320ce03b8db35b1ae6462d
SHA1

5958e724e5cceca807531b2b1ea4b18a2a8698dd
SHA256

1f41fd3e96ef1c1328d08ced03ac5e1b717a45cda8cf94a1c4ffe775e43623b8
SHA512

560b1f80b5e96ae8281bbea2271476a2a38d6c55b231c4e5594d9581cf5cb0bdcfffb1cd02b4aca4249eb0e21b15ee48391c02d7170dfad410ae591243ff5188

Score

10^/10

zloader mk1 mac2 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

mk1

Campaign

mac2

https://dssdffsdf.drld/mm.php

rc4.plain

1
s4sd!@dss2QW11sdsdsa

rsa_pubkey.plain

1
-----BEGIN PUBLIC KEY-----
2
MIGeMA0GCSqGSIb3DQEBAQUAA4GMADCBiAKBgKAEtZZeQPOFA9R5J9Sm7pHLveKn
3
4QIBN075wJSpvZsabGqPw1R/Pyp3L1PnYGOJVQImTVYL3wY0RMJjZ553+sf/jkUu
4
50UhBmyx3auJEx6ujxLO8r+FiA/ogePerYO8sQeHszVlnDpUAC2w9lyzsy7vYrZL
5
HDToUo7JaDi7AzkHAgMBAAE=
6
-----END PUBLIC KEY-----

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 812 created 2996	812	regsvr32.exe	23

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 812 set thread context of 3376	812	regsvr32.exe	80

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
812	regsvr32.exe
812	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	812	regsvr32.exe
Token: SeSecurityPrivilege	3376	msiexec.exe
Token: SeSecurityPrivilege	3376	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3904 wrote to memory of 812	3904	regsvr32.exe	73
PID 3904 wrote to memory of 812	3904	regsvr32.exe	73
PID 3904 wrote to memory of 812	3904	regsvr32.exe	73
PID 812 wrote to memory of 3376	812	regsvr32.exe	80
PID 812 wrote to memory of 3376	812	regsvr32.exe	80
PID 812 wrote to memory of 3376	812	regsvr32.exe	80
PID 812 wrote to memory of 3376	812	regsvr32.exe	80
PID 812 wrote to memory of 3376	812	regsvr32.exe	80

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2996
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1f41fd3e96ef1c1328d08ced03ac5e1b717a45cda8cf94a1c4ffe775e43623b8.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3904
- - C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\1f41fd3e96ef1c1328d08ced03ac5e1b717a45cda8cf94a1c4ffe775e43623b8.dll
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:812
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3376

Network

DNS

dssdffsdf.drld

msiexec.exe

Remote address:

8.8.8.8:53

Request

dssdffsdf.drld

IN A

Response
DNS

dssdffsdf.drld

msiexec.exe

Remote address:

8.8.8.8:53

Request

dssdffsdf.drld

IN A

Response
DNS

dssdffsdf.drld

msiexec.exe

Remote address:

8.8.8.8:53

Request

dssdffsdf.drld

IN A

Response

No results found

8.8.8.8:53

dssdffsdf.drld

dns

msiexec.exe

60 B
135 B
1
1

DNS Request

dssdffsdf.drld
8.8.8.8:53

dssdffsdf.drld

dns

msiexec.exe

60 B
135 B
1
1

DNS Request

dssdffsdf.drld
8.8.8.8:53

dssdffsdf.drld

dns

msiexec.exe

60 B
135 B
1
1

DNS Request

dssdffsdf.drld

Windows 7 deprecation

DNS Request

DNS Request

DNS Request

Loading Replay Monitor...

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.