Overview

overview

10

Static

static

tim.dll

windows7_x64

10

tim.dll

windows10_x64

10

Resubmissions

12/10/2021, 18:50 UTC

211012-xhew3adbd2 10

27/09/2021, 20:56 UTC

210927-zrbbcaabhl 10

14/09/2021, 15:35 UTC

210914-s1ddqsfhf8 10

Analysis

  • max time kernel
    50s
  • max time network
    183s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    12/10/2021, 18:50 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tim.dll

  • Size

    429KB

  • MD5

    75784d297b3d6fb4d434b6890f6334ab

  • SHA1

    dc945e57be6bdd3cc4894d6cff7dd90a76f6c416

  • SHA256

    95a8370c36d81ea596d83892115ce6b90717396c8f657b17696c7eeb2dba1d2e

  • SHA512

    f54baffc5b545aaa4d939505181466d7b78bb583fd32da6cbf8cea058fca8869e8bf7bf3272f43d09a7b24dc6e821c9aa0e3875dd2959173e704d57568915fa1

Score
10/10
zloadertimtimbotnettrojan

Malware Config

Extracted

Family

zloader

Botnet

tim

Campaign

tim

C2

https://iqowijsdakm.com/gate.php

https://wiewjdmkfjn.com/gate.php

https://dksaoidiakjd.com/gate.php

https://iweuiqjdakjd.com/gate.php

https://yuidskadjna.com/gate.php

https://olksmadnbdj.com/gate.php

https://odsakmdfnbs.com/gate.php

https://odsakjmdnhsaj.com/gate.php

https://odjdnhsaj.com/gate.php

https://odoishsaj.com/gate.php
rc4.plain
1
03d5ae30a0bd934a23b6a7f0756aa504
rsa_pubkey.plain
1
-----BEGIN PUBLIC KEY-----
2
MIGeMA0GCSqGSIb3DQEBAQUAA4GMADCBiAKBgH8lq265O2JF4ppogKnQ5oPloJ9n
3
DIZIh5wXL6vve72p5RlYHq42Ui3GRSDMLEsoJRaak7WnNKp1AVop9Qj7f7DEvHZ+
4
jgjeT1axP2rt4FTF4wT4ZDPUDVdmGQhfozluc328jBVLX5HXaYLtEhlI7Hc1Syhk
5
+pXowBVJ8emFjkANAgMBAAE=
6
-----END PUBLIC KEY-----

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • Drops file in Windows directory 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tim.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1488
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\tim.dll
      2⤵
      • Drops file in Windows directory
      PID:1936
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe
        3⤵
          PID:1764

    Network

    • flag-us
      DNS
      iqowijsdakm.com
      Remote address:
      8.8.8.8:53
      Request
      iqowijsdakm.com
      IN A
      Response
    • flag-us
      DNS
      wiewjdmkfjn.com
      Remote address:
      8.8.8.8:53
      Request
      wiewjdmkfjn.com
      IN A
      Response
    • flag-us
      DNS
      dksaoidiakjd.com
      Remote address:
      8.8.8.8:53
      Request
      dksaoidiakjd.com
      IN A
      Response
    • flag-us
      DNS
      iweuiqjdakjd.com
      Remote address:
      8.8.8.8:53
      Request
      iweuiqjdakjd.com
      IN A
      Response
      iweuiqjdakjd.com
      IN A
      72.5.161.12
    • flag-us
      DNS
      yuidskadjna.com
      Remote address:
      8.8.8.8:53
      Request
      yuidskadjna.com
      IN A
      Response
      yuidskadjna.com
      IN A
      87.106.18.125
    • flag-us
      DNS
      olksmadnbdj.com
      Remote address:
      8.8.8.8:53
      Request
      olksmadnbdj.com
      IN A
      Response
      olksmadnbdj.com
      IN A
      72.251.233.245
    • flag-us
      DNS
      odsakmdfnbs.com
      Remote address:
      8.8.8.8:53
      Request
      odsakmdfnbs.com
      IN A
      Response
    • 72.5.161.12:443
      iweuiqjdakjd.com
      tls
      1.5kB
       2.3kB
       11
      7
    • 87.106.18.125:443
      yuidskadjna.com
      tls
      1.2kB
       2.0kB
       7
      7
    • 72.251.233.245:443
      olksmadnbdj.com
      tls
      1.5kB
       2.3kB
       9
      7
    • 8.8.8.8:53
      iqowijsdakm.com
      dns
      61 B
       134 B
       1
      1

      DNS Request

      iqowijsdakm.com

    • 8.8.8.8:53
      wiewjdmkfjn.com
      dns
      61 B
       134 B
       1
      1

      DNS Request

      wiewjdmkfjn.com

    • 8.8.8.8:53
      dksaoidiakjd.com
      dns
      62 B
       135 B
       1
      1

      DNS Request

      dksaoidiakjd.com

    • 8.8.8.8:53
      iweuiqjdakjd.com
      dns
      62 B
       78 B
       1
      1

      DNS Request

      iweuiqjdakjd.com

      DNS Response

      72.5.161.12

    • 8.8.8.8:53
      yuidskadjna.com
      dns
      61 B
       77 B
       1
      1

      DNS Request

      yuidskadjna.com

      DNS Response

      87.106.18.125

    • 8.8.8.8:53
      olksmadnbdj.com
      dns
      61 B
       77 B
       1
      1

      DNS Request

      olksmadnbdj.com

      DNS Response

      72.251.233.245

    • 8.8.8.8:53
      odsakmdfnbs.com
      dns
      61 B
       134 B
       1
      1

      DNS Request

      odsakmdfnbs.com

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1488-60-0x000007FEFB631000-0x000007FEFB633000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1764-65-0x00000000000E0000-0x0000000000106000-memory.dmp

      Filesize

      152KB

      Download

    • memory/1764-66-0x0000000000090000-0x0000000000091000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1764-67-0x00000000000E0000-0x0000000000106000-memory.dmp

      Filesize

      152KB

      Download

    • memory/1764-70-0x00000000000E0000-0x0000000000106000-memory.dmp

      Filesize

      152KB

      Download

    • memory/1936-62-0x0000000075801000-0x0000000075803000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1936-63-0x0000000000180000-0x0000000000181000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1936-64-0x0000000010000000-0x0000000010072000-memory.dmp

      Filesize

      456KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.