zloader | 7e112625f22bd803b96a108a4e809a6d851be13e5e0c41a442ce2e4ce7a31ae8

Resubmissions

10-09-2021 19:48

210910-yjb28saef6 10

Analysis

max time kernel
148s
max time network
135s
platform
windows10_x64
resource
win10v20210408
submitted
10-09-2021 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b3bf8030dbda7b4c12d965928bce68ed15341fa9d91ea4489ad3ca7aad6614d.dll
Size

133KB
MD5

6d72546fbb7cae443a46d6a744760f7e
SHA1

c4d715bd92f12d54c2a77e5c1ac1ef1a2d1957f5
SHA256

3b3bf8030dbda7b4c12d965928bce68ed15341fa9d91ea4489ad3ca7aad6614d
SHA512

616e77a5a3e575d04229ecf6b7419c5886e1b2a9e38ba117debb4c97a3bce0b0ad75d9e9da46b747cee62cfa5a016bfc55a1d80aad2db137f7c1f176c4169f69

Score

10^/10

zloader nut 04/02 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

nut

Campaign

04/02

https://vidhyashram.edu.in/post.php

https://carmeta-ampuh.com/post.php

https://bestarticleblog.com/post.php

https://alahsateam.com/post.php

https://pyggroup.com.pe/post.php

https://perlisisacsiograv.tk/post.php

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 34 IoCs

Processes:

msiexec.exe

flow	pid	process
11	1880	msiexec.exe
12	1880	msiexec.exe
15	1880	msiexec.exe
16	1880	msiexec.exe
18	1880	msiexec.exe
19	1880	msiexec.exe
22	1880	msiexec.exe
23	1880	msiexec.exe
24	1880	msiexec.exe
25	1880	msiexec.exe
26	1880	msiexec.exe
27	1880	msiexec.exe
32	1880	msiexec.exe
33	1880	msiexec.exe
35	1880	msiexec.exe
37	1880	msiexec.exe
39	1880	msiexec.exe
40	1880	msiexec.exe
41	1880	msiexec.exe
42	1880	msiexec.exe
43	1880	msiexec.exe
44	1880	msiexec.exe
45	1880	msiexec.exe
46	1880	msiexec.exe
47	1880	msiexec.exe
48	1880	msiexec.exe
49	1880	msiexec.exe
51	1880	msiexec.exe
52	1880	msiexec.exe
53	1880	msiexec.exe
54	1880	msiexec.exe
55	1880	msiexec.exe
56	1880	msiexec.exe
58	1880	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 840 set thread context of 1880 840 rundll32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 1880 msiexec.exe
Token: SeSecurityPrivilege 1880 msiexec.exe

description	pid	process	target process
PID 840 set thread context of 1880	840	rundll32.exe	msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	1880	msiexec.exe
Token: SeSecurityPrivilege	1880	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 900 wrote to memory of 840	900	rundll32.exe	rundll32.exe
PID 900 wrote to memory of 840	900	rundll32.exe	rundll32.exe
PID 900 wrote to memory of 840	900	rundll32.exe	rundll32.exe
PID 840 wrote to memory of 1880	840	rundll32.exe	msiexec.exe
PID 840 wrote to memory of 1880	840	rundll32.exe	msiexec.exe
PID 840 wrote to memory of 1880	840	rundll32.exe	msiexec.exe
PID 840 wrote to memory of 1880	840	rundll32.exe	msiexec.exe
PID 840 wrote to memory of 1880	840	rundll32.exe	msiexec.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b3bf8030dbda7b4c12d965928bce68ed15341fa9d91ea4489ad3ca7aad6614d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b3bf8030dbda7b4c12d965928bce68ed15341fa9d91ea4489ad3ca7aad6614d.dll,#1
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:1880

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/840-114-0x0000000000000000-mapping.dmp

Download
memory/1880-115-0x0000000000000000-mapping.dmp

Download
memory/1880-118-0x0000000000A00000-0x0000000000A26000-memory.dmp

Filesize
152KB

Download