Overview

overview

10

Static

static

us.dll

windows7_x64

10

us.dll

windows10_x64

10

Analysis

  • max time kernel
    75s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    07-12-2021 04:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    us.dll

  • Size

    507KB

  • MD5

    e37ed649a3777bff725e4a0074a9c8e3

  • SHA1

    7a57118ee3122c9bdb45cf7a9b2efd72fe258771

  • SHA256

    dbc9134eea10cc88289908e112cde9a69334c779a3a659da17d3656f48a7f844

  • SHA512

    62ac3aad9932a3159c02ef66b7da48c7f4d596e936dc67afe8902554cfc3fbab71c21419b95c67617222f06747f96a9906d280a4049c82a2f9bbab769739c569

Score
10/10
zloader9092uspersonal9092uspersonalbotnettrojan

Malware Config

Extracted

Family

zloader

Botnet

9092us

Campaign

9092us

C2

https://asdfghdsajkl.com/gate.php

https://lkjhgfgsdshja.com/gate.php

https://kjdhsasghjds.com/gate.php

https://kdjwhqejqwij.com/gate.php

https://iasudjghnasd.com/gate.php

https://daksjuggdhwa.com/gate.php

https://dkisuaggdjhna.com/gate.php

https://eiqwuggejqw.com/gate.php

https://dquggwjhdmq.com/gate.php

https://djshggadasj.com/gate.php
Attributes
  • build_id

    157

rc4.plain
rsa_pubkey.plain

Extracted

Family

zloader

Botnet

personal

Campaign

personal

C2

https://iqowijsdakm.com/gate.php

https://wiewjdmkfjn.com/gate.php

https://dksaoidiakjd.com/gate.php

https://iweuiqjdakjd.com/gate.php

https://yuidskadjna.com/gate.php

https://olksmadnbdj.com/gate.php

https://odsakmdfnbs.com/gate.php

https://odsakjmdnhsaj.com/gate.php

https://odjdnhsaj.com/gate.php

https://odoishsaj.com/gate.php
Attributes
  • build_id

    157

rc4.plain
rsa_pubkey.plain

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • Discovers systems in the same network 1 TTPs 2 IoCs
    discovery
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Runs net.exe
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\us.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1912
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\us.dll
      2⤵
        PID:3884
        • C:\Windows\SysWOW64\msiexec.exe
          msiexec.exe
          3⤵
            PID:600
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /c ipconfig /all
              4⤵
                PID:3968
                • C:\Windows\SysWOW64\ipconfig.exe
                  ipconfig /all
                  5⤵
                  • Gathers network information
                  PID:376
              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
                4⤵
                  PID:3928
                • C:\Windows\SysWOW64\cmd.exe
                  cmd.exe /c net config workstation
                  4⤵
                    PID:1292
                    • C:\Windows\SysWOW64\net.exe
                      net config workstation
                      5⤵
                        PID:1604
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 config workstation
                          6⤵
                            PID:1784
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd.exe /c net view /all
                        4⤵
                          PID:2084
                          • C:\Windows\SysWOW64\net.exe
                            net view /all
                            5⤵
                            • Discovers systems in the same network
                            PID:2160
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd.exe /c net view /all /domain
                          4⤵
                            PID:3244
                            • C:\Windows\SysWOW64\net.exe
                              net view /all /domain
                              5⤵
                              • Discovers systems in the same network
                              PID:3556

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • memory/376-128-0x0000000000000000-mapping.dmp

                      Download

                    • memory/600-136-0x00000000058C0000-0x00000000058C3000-memory.dmp

                      Filesize

                      12KB

                      Download

                    • memory/600-140-0x0000000007660000-0x000000000783B000-memory.dmp

                      Filesize

                      1.9MB

                      Download

                    • memory/600-121-0x0000000002AE0000-0x0000000002B06000-memory.dmp

                      Filesize

                      152KB

                      Download

                    • memory/600-122-0x0000000000000000-mapping.dmp

                      Download

                    • memory/600-124-0x00000000027F0000-0x00000000027F1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/600-123-0x00000000027F0000-0x00000000027F1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/600-125-0x0000000002AE0000-0x0000000002B06000-memory.dmp

                      Filesize

                      152KB

                      Download

                    • memory/600-139-0x0000000005350000-0x0000000005351000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/600-138-0x0000000005EC0000-0x0000000005F01000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/600-137-0x00000000068A0000-0x000000000696E000-memory.dmp

                      Filesize

                      824KB

                      Download

                    • memory/600-135-0x00000000058A0000-0x00000000058B8000-memory.dmp

                      Filesize

                      96KB

                      Download

                    • memory/600-131-0x0000000004FC0000-0x000000000500F000-memory.dmp

                      Filesize

                      316KB

                      Download

                    • memory/1292-129-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1604-130-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1784-132-0x0000000000000000-mapping.dmp

                      Download

                    • memory/2084-133-0x0000000000000000-mapping.dmp

                      Download

                    • memory/2160-134-0x0000000000000000-mapping.dmp

                      Download

                    • memory/3244-141-0x0000000000000000-mapping.dmp

                      Download

                    • memory/3556-142-0x0000000000000000-mapping.dmp

                      Download

                    • memory/3884-120-0x0000000010000000-0x000000001009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/3884-118-0x0000000000000000-mapping.dmp

                      Download

                    • memory/3884-119-0x0000000003350000-0x0000000003351000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/3928-127-0x0000000000000000-mapping.dmp

                      Download

                    • memory/3968-126-0x0000000000000000-mapping.dmp

                      Download