Overview

overview

10

Static

static

ca.dll

windows7_x64

10

ca.dll

windows10_x64

10

Analysis

  • max time kernel
    48s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    06-01-2022 10:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ca.dll

  • Size

    1.7MB

  • MD5

    ca0376cce08c82a5d4c476c4922c4779

  • SHA1

    99644ab0f8d4dde1eb11b7ff88ebd66b21d73f24

  • SHA256

    f0b6c677bac2de611e0866e849cebd64ec5454885fdd7be5bf0c1c5a17846e3a

  • SHA512

    80ad7465be9cfb1e9eabe46e7218c28ffdb71c75b055b9f196f33ac70c3ec80c1e4e9b9ada03d6e4b49415ad1dcea81b2b343df52851f0c2c528131725405813

Score
10/10
zloaderpersonalreturnpersonalreturnbotnettrojan

Malware Config

Extracted

Family

zloader

Botnet

return

Campaign

return

C2

https://asdfghdsajkl.com/gate.php

https://lkjhgfgsdshja.com/gate.php

https://kjdhsasghjds.com/gate.php

https://kdjwhqejqwij.com/gate.php

https://iasudjghnasd.com/gate.php

https://daksjuggdhwa.com/gate.php

https://dkisuaggdjhna.com/gate.php

https://eiqwuggejqw.com/gate.php

https://dquggwjhdmq.com/gate.php

https://djshggadasj.com/gate.php
Attributes
  • build_id

    157

rc4.plain
rsa_pubkey.plain

Extracted

Family

zloader

Botnet

personal

Campaign

personal

C2

https://iqowijsdakm.com/gate.php

https://wiewjdmkfjn.com/gate.php

https://dksaoidiakjd.com/gate.php

https://iweuiqjdakjd.com/gate.php

https://yuidskadjna.com/gate.php

https://olksmadnbdj.com/gate.php

https://odsakmdfnbs.com/gate.php

https://odsakjmdnhsaj.com/gate.php

https://odjdnhsaj.com/gate.php

https://odoishsaj.com/gate.php
Attributes
  • build_id

    157

rc4.plain
rsa_pubkey.plain

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • Discovers systems in the same network 1 TTPs 2 IoCs
    discovery
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Runs net.exe
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ca.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ca.dll,#1
      2⤵
        PID:1116
        • C:\Windows\SysWOW64\msiexec.exe
          msiexec.exe
          3⤵
            PID:540
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /c ipconfig /all
              4⤵
                PID:1732
                • C:\Windows\SysWOW64\ipconfig.exe
                  ipconfig /all
                  5⤵
                  • Gathers network information
                  PID:1664
              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
                4⤵
                  PID:1704
                • C:\Windows\SysWOW64\cmd.exe
                  cmd.exe /c net config workstation
                  4⤵
                    PID:1728
                    • C:\Windows\SysWOW64\net.exe
                      net config workstation
                      5⤵
                        PID:1980
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 config workstation
                          6⤵
                            PID:596
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd.exe /c net view /all
                        4⤵
                          PID:1928
                          • C:\Windows\SysWOW64\net.exe
                            net view /all
                            5⤵
                            • Discovers systems in the same network
                            PID:1896
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd.exe /c net view /all /domain
                          4⤵
                            PID:108
                            • C:\Windows\SysWOW64\net.exe
                              net view /all /domain
                              5⤵
                              • Discovers systems in the same network
                              PID:112

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • memory/108-81-0x0000000000000000-mapping.dmp

                      Download

                    • memory/112-82-0x0000000000000000-mapping.dmp

                      Download

                    • memory/540-61-0x0000000000090000-0x00000000000B6000-memory.dmp

                      Filesize

                      152KB

                      Download

                    • memory/540-80-0x00000000050A0000-0x000000000527B000-memory.dmp

                      Filesize

                      1.9MB

                      Download

                    • memory/540-59-0x0000000000090000-0x00000000000B6000-memory.dmp

                      Filesize

                      152KB

                      Download

                    • memory/540-60-0x00000000000C0000-0x00000000000C1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/540-71-0x0000000000440000-0x0000000000443000-memory.dmp

                      Filesize

                      12KB

                      Download

                    • memory/540-62-0x0000000000000000-mapping.dmp

                      Download

                    • memory/540-64-0x0000000000090000-0x00000000000B6000-memory.dmp

                      Filesize

                      152KB

                      Download

                    • memory/540-79-0x0000000000D60000-0x0000000000D61000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/540-66-0x0000000000C90000-0x0000000000CDF000-memory.dmp

                      Filesize

                      316KB

                      Download

                    • memory/540-78-0x00000000026C0000-0x0000000002884000-memory.dmp

                      Filesize

                      1.8MB

                      Download

                    • memory/540-70-0x00000000006C0000-0x00000000006F5000-memory.dmp

                      Filesize

                      212KB

                      Download

                    • memory/540-72-0x0000000004560000-0x000000000462E000-memory.dmp

                      Filesize

                      824KB

                      Download

                    • memory/596-75-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1116-55-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1116-58-0x0000000010000000-0x00000000101C8000-memory.dmp

                      Filesize

                      1.8MB

                      Download

                    • memory/1116-57-0x0000000000130000-0x0000000000131000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/1116-56-0x0000000076511000-0x0000000076513000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/1664-68-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1704-65-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1728-73-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1732-67-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1896-77-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1928-76-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1980-74-0x0000000000000000-mapping.dmp

                      Download