Overview

overview

10

Static

static

us.dll

windows7_x64

10

us.dll

windows10_x64

10

Analysis

  • max time kernel
    39s
  • max time network
    137s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    05-01-2022 18:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    us.dll

  • Size

    2.2MB

  • MD5

    d2ab32cb696a12c4d3411d2712272d98

  • SHA1

    fb2ba905ea5340fe06734924953a1333fae9385b

  • SHA256

    c12fdcad28de4408e7fd22c39ba6a1c6bc592fb1c1a61a83aaa59893c103c3f0

  • SHA512

    3027118fe1bdc127c44bf25b72dd076e850e81e96c92810ca46b8e80bd29223527ba8cbd71908e66cf0a72a55bfbf59934260f9442822b8e1de85844e66be856

Score
10/10
zloader9092uspersonal9092uspersonalbotnettrojan

Malware Config

Extracted

Family

zloader

Botnet

9092us

Campaign

9092us

C2

https://asdfghdsajkl.com/gate.php

https://lkjhgfgsdshja.com/gate.php

https://kjdhsasghjds.com/gate.php

https://kdjwhqejqwij.com/gate.php

https://iasudjghnasd.com/gate.php

https://daksjuggdhwa.com/gate.php

https://dkisuaggdjhna.com/gate.php

https://eiqwuggejqw.com/gate.php

https://dquggwjhdmq.com/gate.php

https://djshggadasj.com/gate.php
Attributes
  • build_id

    157

rc4.plain
rsa_pubkey.plain

Extracted

Family

zloader

Botnet

personal

Campaign

personal

C2

https://iqowijsdakm.com/gate.php

https://wiewjdmkfjn.com/gate.php

https://dksaoidiakjd.com/gate.php

https://iweuiqjdakjd.com/gate.php

https://yuidskadjna.com/gate.php

https://olksmadnbdj.com/gate.php

https://odsakmdfnbs.com/gate.php

https://odsakjmdnhsaj.com/gate.php

https://odjdnhsaj.com/gate.php

https://odoishsaj.com/gate.php
Attributes
  • build_id

    157

rc4.plain
rsa_pubkey.plain

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • Discovers systems in the same network 1 TTPs 2 IoCs
    discovery
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Runs net.exe
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\us.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\us.dll
      2⤵
        PID:2776
        • C:\Windows\SysWOW64\msiexec.exe
          msiexec.exe
          3⤵
            PID:4040
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /c ipconfig /all
              4⤵
                PID:1324
                • C:\Windows\SysWOW64\ipconfig.exe
                  ipconfig /all
                  5⤵
                  • Gathers network information
                  PID:480
              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
                4⤵
                  PID:4012
                • C:\Windows\SysWOW64\cmd.exe
                  cmd.exe /c net config workstation
                  4⤵
                    PID:1140
                    • C:\Windows\SysWOW64\net.exe
                      net config workstation
                      5⤵
                        PID:596
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 config workstation
                          6⤵
                            PID:2448
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd.exe /c net view /all
                        4⤵
                          PID:1156
                          • C:\Windows\SysWOW64\net.exe
                            net view /all
                            5⤵
                            • Discovers systems in the same network
                            PID:1420
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd.exe /c net view /all /domain
                          4⤵
                            PID:1792
                            • C:\Windows\SysWOW64\net.exe
                              net view /all /domain
                              5⤵
                              • Discovers systems in the same network
                              PID:2156

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • memory/480-126-0x0000000000000000-mapping.dmp

                      Download

                    • memory/596-128-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1140-127-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1156-130-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1324-123-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1420-131-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1792-136-0x0000000000000000-mapping.dmp

                      Download

                    • memory/2156-137-0x0000000000000000-mapping.dmp

                      Download

                    • memory/2448-129-0x0000000000000000-mapping.dmp

                      Download

                    • memory/2776-115-0x0000000000000000-mapping.dmp

                      Download

                    • memory/2776-116-0x0000000000400000-0x000000000054A000-memory.dmp

                      Filesize

                      1.3MB

                      Download

                    • memory/2776-117-0x0000000010000000-0x0000000010245000-memory.dmp

                      Filesize

                      2.3MB

                      Download

                    • memory/4012-125-0x0000000000000000-mapping.dmp

                      Download

                    • memory/4040-121-0x0000000002B70000-0x0000000002B71000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4040-124-0x0000000005340000-0x000000000538F000-memory.dmp

                      Filesize

                      316KB

                      Download

                    • memory/4040-122-0x0000000002E60000-0x0000000002E86000-memory.dmp

                      Filesize

                      152KB

                      Download

                    • memory/4040-120-0x0000000002B70000-0x0000000002B71000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4040-132-0x0000000006210000-0x0000000006228000-memory.dmp

                      Filesize

                      96KB

                      Download

                    • memory/4040-133-0x0000000005C30000-0x0000000005C33000-memory.dmp

                      Filesize

                      12KB

                      Download

                    • memory/4040-134-0x0000000006430000-0x00000000064FE000-memory.dmp

                      Filesize

                      824KB

                      Download

                    • memory/4040-135-0x0000000006500000-0x0000000006541000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/4040-119-0x0000000000000000-mapping.dmp

                      Download

                    • memory/4040-118-0x0000000002E60000-0x0000000002E86000-memory.dmp

                      Filesize

                      152KB

                      Download

                    • memory/4040-138-0x00000000056E0000-0x00000000056E1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4040-139-0x0000000006F10000-0x00000000070EB000-memory.dmp

                      Filesize

                      1.9MB

                      Download