zloader | 6348bded936831629494c1d820fe8e3dbe3fb4d9f96940bbb4ca0c1872bef0ad

Resubmissions

14/04/2022, 02:16

220414-cp91kagbem 10

04/10/2021, 22:37

211004-2jzp3shcgp 10

Analysis

max time kernel
150s
max time network
66s
platform
windows10_x64
resource
win10v20210408
submitted
04/10/2021, 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.dll
Size

444KB
MD5

c6b350b0d6f8dc37c144f76a57c9dbe7
SHA1

e637d8a29d46281a5fa97d84af1dfe1d72223157
SHA256

6348bded936831629494c1d820fe8e3dbe3fb4d9f96940bbb4ca0c1872bef0ad
SHA512

5220ff154b731a8a1d1e768552fee037cacb12412eff931384c105d4caa5483da64c11b4839ab44885214d4d8831b280687b54b2438f89a230fce68bf7692dff

Score

10^/10

zloader 26/03 botnet persistence trojan

Malware Config

Extracted

Family

zloader

Botnet

26/03

https://vfgthujbxd.xyz/milagrecf.php

https://todiks.xyz/milagrecf.php

rc4.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anhudao = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Ufalat\\ociko.dll,DllRegisterServer"	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1000 set thread context of 3420	1000	rundll32.exe	76

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3420	msiexec.exe
Token: SeSecurityPrivilege	3420	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 1000	904	rundll32.exe	68
PID 904 wrote to memory of 1000	904	rundll32.exe	68
PID 904 wrote to memory of 1000	904	rundll32.exe	68
PID 1000 wrote to memory of 3420	1000	rundll32.exe	76
PID 1000 wrote to memory of 3420	1000	rundll32.exe	76
PID 1000 wrote to memory of 3420	1000	rundll32.exe	76
PID 1000 wrote to memory of 3420	1000	rundll32.exe	76
PID 1000 wrote to memory of 3420	1000	rundll32.exe	76

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmp.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:904
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmp.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:3420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1000-116-0x0000000074100000-0x0000000074185000-memory.dmp

Filesize
532KB

Download
memory/1000-115-0x0000000074100000-0x000000007412E000-memory.dmp

Filesize
184KB

Download
memory/1000-117-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/3420-121-0x0000000000250000-0x000000000027E000-memory.dmp

Filesize
184KB

Download