Overview

overview

10

Static

static

a240d581a1...d7.dll

windows7_x64

10

a240d581a1...d7.dll

windows10-2004_x64

1

Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    01-02-2022 09:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a240d581a1bf7b126aa030b1c796e013febb2145da16dd4d4842e5c3502943d7.dll

  • Size

    529KB

  • MD5

    ef0854d5e9d04be20e6676738096a021

  • SHA1

    efa00fb74bd6f635cfd4400df3c56fa35caae10f

  • SHA256

    a240d581a1bf7b126aa030b1c796e013febb2145da16dd4d4842e5c3502943d7

  • SHA512

    fa16a0228ecbc26621a1cb0cc5177c39498083839d60e6aafbec184427a8fab87f031aa0187d4b9c42cef17ac6e9e7b4fb5c9103b75278cd6094b36d49afca20

Score
10/10
zloadermain18.05.2020botnettrojan

Malware Config

Extracted

Family

zloader

Botnet

main

Campaign

18.05.2020

C2

https://sigmark.org/sound.php

https://perditta.org/sound.php

https://dentatox.org/sound.php

https://flopperos.org/sound.php

https://teslatis.org/sound.php

https://teamper.org/sound.php

https://gilantec.org/sound.php

https://trebitmore.org/sound.php
Attributes
  • build_id

    54

rc4.plain

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a240d581a1bf7b126aa030b1c796e013febb2145da16dd4d4842e5c3502943d7.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\a240d581a1bf7b126aa030b1c796e013febb2145da16dd4d4842e5c3502943d7.dll,#1
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:900
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1808

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/900-54-0x0000000075B11000-0x0000000075B13000-memory.dmp
    Filesize

    8KB

    Download
  • memory/900-55-0x0000000000420000-0x0000000000455000-memory.dmp
    Filesize

    212KB

    Download
  • memory/900-56-0x0000000000420000-0x0000000000455000-memory.dmp
    Filesize

    212KB

    Download
  • memory/900-57-0x0000000000390000-0x00000000003C1000-memory.dmp
    Filesize

    196KB

    Download
  • memory/900-58-0x0000000000420000-0x0000000000455000-memory.dmp
    Filesize

    212KB

    Download
  • memory/1808-59-0x0000000000090000-0x00000000000C5000-memory.dmp
    Filesize

    212KB

    Download
  • memory/1808-60-0x0000000000110000-0x0000000000111000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1808-61-0x0000000000090000-0x00000000000C5000-memory.dmp
    Filesize

    212KB

    Download
  • memory/1808-63-0x0000000000090000-0x00000000000C5000-memory.dmp
    Filesize

    212KB

    Download