Resubmissions
12-10-2021 18:50    211012-xhew3adbd2    10
27-09-2021 20:56    210927-zrbbcaabhl    10
14-09-2021 15:35    210914-s1ddqsfhf8    10

Analysis
max time kernel: 1798s
max time network: 1802s
platform: windows10_x64
resource: win10-en-20210920
submitted: 27-09-2021 20:56
Static task: static1
Behavioral task: behavioral1
Sample: tim.dll
Resource: win7v20210408
General
Target: tim.dll
Size: 429KB
MD5: 75784d297b3d6fb4d434b6890f6334ab
SHA1: dc945e57be6bdd3cc4894d6cff7dd90a76f6c416
SHA256: 95a8370c36d81ea596d83892115ce6b90717396c8f657b17696c7eeb2dba1d2e
SHA512: f54baffc5b545aaa4d939505181466d7b78bb583fd32da6cbf8cea058fca8869e8bf7bf3272f43d09a7b24dc6e821c9aa0e3875dd2959173e704d57568915fa1
Malware Config

Extracted
Family: zloader
Botnet: tim
Campaign: tim
C2:
- https://iqowijsdakm.com/gate.php
- https://wiewjdmkfjn.com/gate.php
- https://dksaoidiakjd.com/gate.php
- https://iweuiqjdakjd.com/gate.php
- https://yuidskadjna.com/gate.php
- https://olksmadnbdj.com/gate.php
- https://odsakmdfnbs.com/gate.php
- https://odsakjmdnhsaj.com/gate.php
- https://odjdnhsaj.com/gate.php
- https://odoishsaj.com/gate.php

Extracted
Family: zloader
Botnet: personal
Campaign: personal
C2:
- https://iqowijsdakm.com/gate.php
- https://wiewjdmkfjn.com/gate.php
- https://dksaoidiakjd.com/gate.php
- https://iweuiqjdakjd.com/gate.php
- https://yuidskadjna.com/gate.php
- https://olksmadnbdj.com/gate.php
- https://odsakmdfnbs.com/gate.php
- https://odsakjmdnhsaj.com/gate.php
- https://odjdnhsaj.com/gate.php
- https://odoishsaj.com/gate.php
Signatures
- suricata: ET MALWARE Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
- suricata: ET MALWARE Observed ZLoader CnC Domain in SNI
- suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
- suricata: ET MALWARE Zbot POST Request to C2
Blocklisted process makes network request (64 IoCs)
pid 940 msiexec.exe, one IoC per network flow:
flows 22, 24, 39, 56, 66, 81, 91, 96, 98, 99, 100, 101, 102, 103, 105, 107, 108, 109, 110, 111, 112, 113, 115, 116, 117, 118, 120, 121, 122, 123, 125, 136, 146, 150, 163, 173, 177, 190, 200, 204, 205, 206, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 230, 240, 244, 256, 266, 270, 283, 293, 297, 298, 299, 301
Executes dropped EXE (1 IoCs)
pid | Process
3052 | certutil.exe

Loads dropped DLL (15 IoCs)
pid | Process
3052 | certutil.exe (15 events)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run | msiexec.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kepeis = "regsvr32.exe /s C:\\Users\\Admin\\AppData\\Roaming\\Suuh\\asewk.dll" | msiexec.exe
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 2192 set thread context of 940 | 2192 | regsvr32.exe | 76
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\rescache\_merged\3060194815\335381474.pri | SystemSettings.exe
File opened for modification | C:\Windows\ | regsvr32.exe
File created | C:\Windows\rescache\_merged\2717123927\1713683155.pri | SystemSettings.exe
Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000 | SystemSettings.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID | SystemSettings.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 | SystemSettings.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID | SystemSettings.exe
Discovers systems in the same network (1 TTPs, 2 IoCs)
pid | Process
3800 | net.exe
2340 | net.exe

Gathers network information (2 TTPs, 1 IoCs)
Uses commandline utility to view network configuration.
pid | Process
2032 | ipconfig.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses (16 IoCs)
pid | Process
940 | msiexec.exe (16 events)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
pid 940 msiexec.exe (2 events): Token: SeSecurityPrivilege
pid 1684 WMIC.exe (42 events, each token adjusted twice): Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
pid 2636 WMIC.exe (20 events): Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
2960 | SystemSettings.exe
Suspicious use of WriteProcessMemory (56 IoCs)
description | pid | Process | procid_target | events
PID 2168 wrote to memory of 2192 | 2168 | regsvr32.exe | 70 | 3
PID 2192 wrote to memory of 940 | 2192 | regsvr32.exe | 76 | 5
PID 940 wrote to memory of 3996 | 940 | msiexec.exe | 82 | 3
PID 940 wrote to memory of 1684 | 940 | msiexec.exe | 84 | 3
PID 3996 wrote to memory of 2032 | 3996 | cmd.exe | 86 | 3
PID 940 wrote to memory of 1188 | 940 | msiexec.exe | 87 | 3
PID 1188 wrote to memory of 824 | 1188 | cmd.exe | 89 | 3
PID 824 wrote to memory of 436 | 824 | net.exe | 90 | 3
PID 940 wrote to memory of 3968 | 940 | msiexec.exe | 91 | 3
PID 3968 wrote to memory of 3800 | 3968 | cmd.exe | 93 | 3
PID 940 wrote to memory of 644 | 940 | msiexec.exe | 94 | 3
PID 644 wrote to memory of 2340 | 644 | cmd.exe | 96 | 3
PID 940 wrote to memory of 3052 | 940 | msiexec.exe | 97 | 3
PID 940 wrote to memory of 2636 | 940 | msiexec.exe | 99 | 3
PID 940 wrote to memory of 308 | 940 | msiexec.exe | 101 | 3
PID 940 wrote to memory of 2768 | 940 | msiexec.exe | 103 | 3
PID 940 wrote to memory of 3568 | 940 | msiexec.exe | 105 | 3
PID 940 wrote to memory of 3992 | 940 | msiexec.exe | 107 | 3
Processes (indented by process-tree depth)

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tim.dll
- Suspicious use of WriteProcessMemory
PID: 2168

  C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\tim.dll
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 2192

    C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    - Blocklisted process makes network request
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 940

      C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ipconfig /all
      - Suspicious use of WriteProcessMemory
      PID: 3996

        C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /all
        - Gathers network information
        PID: 2032

      C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
      - Suspicious use of AdjustPrivilegeToken
      PID: 1684

      C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c net config workstation
      - Suspicious use of WriteProcessMemory
      PID: 1188

        C:\Windows\SysWOW64\net.exe
        net config workstation
        - Suspicious use of WriteProcessMemory
        PID: 824

          C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 config workstation
          PID: 436

      C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c net view /all
      - Suspicious use of WriteProcessMemory
      PID: 3968

        C:\Windows\SysWOW64\net.exe
        net view /all
        - Discovers systems in the same network
        PID: 3800

      C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c net view /all /domain
      - Suspicious use of WriteProcessMemory
      PID: 644

        C:\Windows\SysWOW64\net.exe
        net view /all /domain
        - Discovers systems in the same network
        PID: 2340

      C:\Users\Admin\AppData\Local\Temp\Ziobq\certutil.exe
      "C:\Users\Admin\AppData\Local\Temp\Ziobq\certutil.exe" -A -n "daecfi" -t "C,C,C" -i "C:\Users\Admin\AppData\Local\Temp\haaxyt.crt" -d sql:"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uc9n7vlb.default-release"
      - Executes dropped EXE
      - Loads dropped DLL
      PID: 3052

      C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
      - Suspicious use of AdjustPrivilegeToken
      PID: 2636

      C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
      PID: 308

      C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
      PID: 2768

      C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
      PID: 3568

      C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
      PID: 3992

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID: 2288

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID: 2960