Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

080d85b4fb...8a.dll

windows7_x64

10

080d85b4fb...8a.dll

windows10-2004_x64

1

Analysis

  • max time kernel
    150s
  • max time network
    171s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    01/02/2022, 10:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    080d85b4fb230f61157fdde662290742adbd105888a575cdc692c3938376e48a.dll

  • Size

    225KB

  • MD5

    c0a3c069a94b35620fc210e4b68b4f01

  • SHA1

    e8b3ec66c28dedaa18b968bcd267a2c912a92e87

  • SHA256

    080d85b4fb230f61157fdde662290742adbd105888a575cdc692c3938376e48a

  • SHA512

    5bd77b40aaf46cb96c94562585b5bb0fb86e9a80d842c8e36e3c032c0d7c55cecf3aca9168df49bcc43039ccebc12a81af6dd1748962a0ae42d10c28bd6448f6

Score
10/10
zloadermain2020-06-15botnettrojan

Malware Config

Extracted

Family

zloader

Botnet

main

Campaign

2020-06-15

C2

https://matarlod.org/web/data

https://datearoc.org/web/data

https://rechnecy.org/web/data

https://ramissal.org/web/data

https://raidesci.org/web/data

https://glartrot.org/web/data

https://revenapo.org/web/data

https://brenonip.org/web/data
Attributes
  • build_id

    7

rc4.plain
rsa_pubkey.plain

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\080d85b4fb230f61157fdde662290742adbd105888a575cdc692c3938376e48a.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:944
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\080d85b4fb230f61157fdde662290742adbd105888a575cdc692c3938376e48a.dll,#1
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:752
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/752-54-0x0000000075431000-0x0000000075433000-memory.dmp

    Filesize

    8KB

    Download

  • memory/752-55-0x0000000000110000-0x000000000013A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/752-56-0x0000000000300000-0x000000000032C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1752-57-0x0000000000090000-0x00000000000BC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1752-58-0x00000000000C0000-0x00000000000C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1752-59-0x0000000000090000-0x00000000000BC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1752-61-0x0000000000090000-0x00000000000BC000-memory.dmp

    Filesize

    176KB

    Download