zloader | da164dc8c1baf31539335b6a14ca2f14cc0f8a4a39523479290437d0810b82e3

General

Target

da164dc8c1baf31539335b6a14ca2f14cc0f8a4a39523479290437d0810b82e3.dll
Size

788KB
MD5

25c4f6ec3f18c71bf9639746b8fe9567
SHA1

9ff48900feed1f2433b3ef1610a5fc2b438152de
SHA256

da164dc8c1baf31539335b6a14ca2f14cc0f8a4a39523479290437d0810b82e3
SHA512

35120b078971e74f473d19fc5f65bd4fe925ff05a00dac080b6a98ceeb1409ce6e2b6757d282559f21fe24e9ee8c95e90a5289e30602ab88203cd0432827637e

Score

10^/10

zloader main 27.03.2020 botnet persistence trojan

Malware Config

Extracted

Family

zloader

Botnet

main

Campaign

27.03.2020

C2

https://hustlertest.com/sound.php

https://dandycodes.com/sound.php

https://sandyfotos.com/sound.php

https://postgringos.com/sound.php

https://tetraslims.com/sound.php

https://greenrumba.com/sound.php

https://starterdatas.com/sound.php

https://nexycombats.com/sound.php

https://peermems.com/sound.php

https://fotonums.com/sound.php

Attributes

build_id
29

rc4.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kias = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Agebac\\iwug.dll,DllRegisterServer"	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 3424 set thread context of 3376 3424 rundll32.exe msiexec.exe

description	pid	process	target process
PID 3424 set thread context of 3376	3424	rundll32.exe	msiexec.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

WaaSMedicAgent.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 3376 msiexec.exe
Token: SeSecurityPrivilege 3376 msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	3376	msiexec.exe
Token: SeSecurityPrivilege	3376	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3116 wrote to memory of 3424	3116	rundll32.exe	rundll32.exe
PID 3116 wrote to memory of 3424	3116	rundll32.exe	rundll32.exe
PID 3116 wrote to memory of 3424	3116	rundll32.exe	rundll32.exe
PID 3424 wrote to memory of 3376	3424	rundll32.exe	msiexec.exe
PID 3424 wrote to memory of 3376	3424	rundll32.exe	msiexec.exe
PID 3424 wrote to memory of 3376	3424	rundll32.exe	msiexec.exe
PID 3424 wrote to memory of 3376	3424	rundll32.exe	msiexec.exe
PID 3424 wrote to memory of 3376	3424	rundll32.exe	msiexec.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\da164dc8c1baf31539335b6a14ca2f14cc0f8a4a39523479290437d0810b82e3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\da164dc8c1baf31539335b6a14ca2f14cc0f8a4a39523479290437d0810b82e3.dll,#1
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3424

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3376

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 0f7662223740f293099ecb6a82104a09 GkRAjjGHM0u+QhwM/RuLEA.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:1548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p
1⤵
PID:3988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3376-132-0x0000000002E00000-0x0000000002E31000-memory.dmp

Filesize
196KB

Download
memory/3376-135-0x0000000002E00000-0x0000000002E30000-memory.dmp

Filesize
192KB

Download
memory/3424-130-0x0000000000610000-0x000000000065D000-memory.dmp

Filesize
308KB

Download
memory/3424-131-0x0000000010000000-0x00000000100C7000-memory.dmp

Filesize
796KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads