zloader | 7e112625f22bd803b96a108a4e809a6d851be13e5e0c41a442ce2e4ce7a31ae8

General

Target

3b3bf8030dbda7b4c12d965928bce68ed15341fa9d91ea4489ad3ca7aad6614d.dll
Size

133KB
MD5

6d72546fbb7cae443a46d6a744760f7e
SHA1

c4d715bd92f12d54c2a77e5c1ac1ef1a2d1957f5
SHA256

3b3bf8030dbda7b4c12d965928bce68ed15341fa9d91ea4489ad3ca7aad6614d
SHA512

616e77a5a3e575d04229ecf6b7419c5886e1b2a9e38ba117debb4c97a3bce0b0ad75d9e9da46b747cee62cfa5a016bfc55a1d80aad2db137f7c1f176c4169f69

Score

10^/10

zloader nut 04/02 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

nut

Campaign

04/02

C2

https://vidhyashram.edu.in/post.php

https://carmeta-ampuh.com/post.php

https://bestarticleblog.com/post.php

https://alahsateam.com/post.php

https://pyggroup.com.pe/post.php

https://perlisisacsiograv.tk/post.php

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 64 IoCs

Processes:

msiexec.exe

flow	pid	process
9	1736	msiexec.exe
10	1736	msiexec.exe
11	1736	msiexec.exe
12	1736	msiexec.exe
13	1736	msiexec.exe
14	1736	msiexec.exe
15	1736	msiexec.exe
16	1736	msiexec.exe
17	1736	msiexec.exe
18	1736	msiexec.exe
19	1736	msiexec.exe
20	1736	msiexec.exe
21	1736	msiexec.exe
22	1736	msiexec.exe
23	1736	msiexec.exe
24	1736	msiexec.exe
25	1736	msiexec.exe
26	1736	msiexec.exe
27	1736	msiexec.exe
28	1736	msiexec.exe
29	1736	msiexec.exe
31	1736	msiexec.exe
32	1736	msiexec.exe
33	1736	msiexec.exe
35	1736	msiexec.exe
37	1736	msiexec.exe
38	1736	msiexec.exe
39	1736	msiexec.exe
40	1736	msiexec.exe
41	1736	msiexec.exe
42	1736	msiexec.exe
45	1736	msiexec.exe
46	1736	msiexec.exe
48	1736	msiexec.exe
50	1736	msiexec.exe
51	1736	msiexec.exe
52	1736	msiexec.exe
53	1736	msiexec.exe
54	1736	msiexec.exe
55	1736	msiexec.exe
56	1736	msiexec.exe
57	1736	msiexec.exe
58	1736	msiexec.exe
59	1736	msiexec.exe
60	1736	msiexec.exe
62	1736	msiexec.exe
63	1736	msiexec.exe
64	1736	msiexec.exe
65	1736	msiexec.exe
66	1736	msiexec.exe
67	1736	msiexec.exe
68	1736	msiexec.exe
69	1736	msiexec.exe
70	1736	msiexec.exe
71	1736	msiexec.exe
72	1736	msiexec.exe
73	1736	msiexec.exe
74	1736	msiexec.exe
75	1736	msiexec.exe
76	1736	msiexec.exe
77	1736	msiexec.exe
78	1736	msiexec.exe
79	1736	msiexec.exe
80	1736	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 2020 set thread context of 1736 2020 rundll32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 1736 msiexec.exe
Token: SeSecurityPrivilege 1736 msiexec.exe

description	pid	process	target process
PID 2020 set thread context of 1736	2020	rundll32.exe	msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	1736	msiexec.exe
Token: SeSecurityPrivilege	1736	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1676 wrote to memory of 2020	1676	rundll32.exe	rundll32.exe
PID 1676 wrote to memory of 2020	1676	rundll32.exe	rundll32.exe
PID 1676 wrote to memory of 2020	1676	rundll32.exe	rundll32.exe
PID 1676 wrote to memory of 2020	1676	rundll32.exe	rundll32.exe
PID 1676 wrote to memory of 2020	1676	rundll32.exe	rundll32.exe
PID 1676 wrote to memory of 2020	1676	rundll32.exe	rundll32.exe
PID 1676 wrote to memory of 2020	1676	rundll32.exe	rundll32.exe
PID 2020 wrote to memory of 1736	2020	rundll32.exe	msiexec.exe
PID 2020 wrote to memory of 1736	2020	rundll32.exe	msiexec.exe
PID 2020 wrote to memory of 1736	2020	rundll32.exe	msiexec.exe
PID 2020 wrote to memory of 1736	2020	rundll32.exe	msiexec.exe
PID 2020 wrote to memory of 1736	2020	rundll32.exe	msiexec.exe
PID 2020 wrote to memory of 1736	2020	rundll32.exe	msiexec.exe
PID 2020 wrote to memory of 1736	2020	rundll32.exe	msiexec.exe
PID 2020 wrote to memory of 1736	2020	rundll32.exe	msiexec.exe
PID 2020 wrote to memory of 1736	2020	rundll32.exe	msiexec.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b3bf8030dbda7b4c12d965928bce68ed15341fa9d91ea4489ad3ca7aad6614d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b3bf8030dbda7b4c12d965928bce68ed15341fa9d91ea4489ad3ca7aad6614d.dll,#1
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:1736

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1736-55-0x0000000000000000-mapping.dmp

Download
memory/1736-57-0x00000000000D0000-0x00000000000F6000-memory.dmp

Filesize
152KB

Download
memory/2020-53-0x0000000000000000-mapping.dmp

Download
memory/2020-54-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing