zloader | 034f61d86de99210eb32a2dca27a3ad883f54750c46cdec4fcc53050b2f716eb

General

Target

us12.23.dll
Size

1.9MB
MD5

1b4eb327a40a14ac4afa627125b63056
SHA1

2c0bc274bc2fd9dab82330b837711355170fc606
SHA256

034f61d86de99210eb32a2dca27a3ad883f54750c46cdec4fcc53050b2f716eb
SHA512

b94770dbf4339677dde0583f0da87bba1fb1c5c0eb028f1697976b24d6298ed43a2d2d1062c8c13a569a3db3032856a37d640a94fe4461986c2d44d1c4c4c819

Score

10^/10

zloader 9092us personal 9092us personal botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

9092us

Campaign

9092us

C2

https://asdfghdsajkl.com/gate.php

https://lkjhgfgsdshja.com/gate.php

https://kjdhsasghjds.com/gate.php

https://kdjwhqejqwij.com/gate.php

https://iasudjghnasd.com/gate.php

https://daksjuggdhwa.com/gate.php

https://dkisuaggdjhna.com/gate.php

https://eiqwuggejqw.com/gate.php

https://dquggwjhdmq.com/gate.php

https://djshggadasj.com/gate.php

Attributes

build_id
157

rc4.plain

rsa_pubkey.plain

Extracted

Family

zloader

Botnet

personal

Campaign

personal

C2

https://iqowijsdakm.com/gate.php

https://wiewjdmkfjn.com/gate.php

https://dksaoidiakjd.com/gate.php

https://iweuiqjdakjd.com/gate.php

https://yuidskadjna.com/gate.php

https://olksmadnbdj.com/gate.php

https://odsakmdfnbs.com/gate.php

https://odsakjmdnhsaj.com/gate.php

https://odjdnhsaj.com/gate.php

https://odoishsaj.com/gate.php

Attributes

build_id
157

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Discovers systems in the same network 1 TTPs 2 IoCs

discovery

Remote System Discovery

T1018

pid	Process
2408	net.exe
3924	net.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1228	ipconfig.exe

Runs net.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2520	2416	regsvr32.exe	68
PID 2416 wrote to memory of 2520	2416	regsvr32.exe	68
PID 2416 wrote to memory of 2520	2416	regsvr32.exe	68

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\us12.23.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\us12.23.dll
  2⤵
  PID:2520
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    PID:1324
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ipconfig /all
      4⤵
      PID:404
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:1228
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
      4⤵
      PID:1108
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c net config workstation
      4⤵
      PID:1860
    - - C:\Windows\SysWOW64\net.exe
        
        net config workstation
        5⤵
        
        PID:3168
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 config workstation
        6⤵
        
        PID:2552
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c net view /all
      4⤵
      PID:3028
    - - C:\Windows\SysWOW64\net.exe
        
        net view /all
        5⤵
        Discovers systems in the same network
        
        PID:2408
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c net view /all /domain
      4⤵
      PID:4068
    - - C:\Windows\SysWOW64\net.exe
        
        net view /all /domain
        5⤵
        Discovers systems in the same network
        
        PID:3924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1324-134-0x0000000004E70000-0x0000000004E73000-memory.dmp

Filesize
12KB

Download
memory/1324-126-0x0000000004D50000-0x0000000004D9F000-memory.dmp

Filesize
316KB

Download
memory/1324-121-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/1324-122-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/1324-123-0x0000000002870000-0x0000000002896000-memory.dmp

Filesize
152KB

Download
memory/1324-119-0x0000000002870000-0x0000000002896000-memory.dmp

Filesize
152KB

Download
memory/1324-133-0x0000000005630000-0x0000000005648000-memory.dmp

Filesize
96KB

Download
memory/1324-137-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/1324-135-0x0000000005E60000-0x0000000005F2E000-memory.dmp

Filesize
824KB

Download
memory/1324-138-0x00000000065F0000-0x00000000067CB000-memory.dmp

Filesize
1.9MB

Download
memory/1324-136-0x0000000006140000-0x0000000006181000-memory.dmp

Filesize
260KB

Download
memory/2520-118-0x0000000010000000-0x00000000101ED000-memory.dmp

Filesize
1.9MB

Download
memory/2520-117-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads