Analysis

  • max time kernel
    155s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    01-02-2022 11:01

General

  • Target

    049c5f625953b02a7aba1c904a14851cdd998ea21ee1e604016f8ba37c952ed1.dll

  • Size

    245KB

  • MD5

    6a75b82edf296a8ae16fe701e1498322

  • SHA1

    87fc5a506b0e60ed1b1fde86e3a08b7d7ab1e23d

  • SHA256

    049c5f625953b02a7aba1c904a14851cdd998ea21ee1e604016f8ba37c952ed1

  • SHA512

    269f714764a7ef03998348ad9e92f20aadac3a10bd3c1c7808baa9962679d960c230b7c5aa0668cbb4b3fab987becd353d30d4982c38ce7d0f8ff261e64caea1

Malware Config

Extracted

  • Family

    zloader

  • Botnet

    DLLobnova

  • Campaign

    nekriptovaniy

  • C2


Attributes

  • build_id

    9

  • rc4.plain

  • rsa_pubkey.plain

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was first discovered in August 2015.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\rundll32.exe (PID:524)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\049c5f625953b02a7aba1c904a14851cdd998ea21ee1e604016f8ba37c952ed1.dll,#1
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\rundll32.exe (PID:580)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\049c5f625953b02a7aba1c904a14851cdd998ea21ee1e604016f8ba37c952ed1.dll,#1
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\msiexec.exe (PID:1116)
        msiexec.exe
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken

Downloads

  • memory/580-54-0x0000000075F21000-0x0000000075F23000-memory.dmp (Filesize: 8KB)
  • memory/580-60-0x0000000000130000-0x0000000000174000-memory.dmp (Filesize: 272KB)
  • memory/1116-57-0x0000000000100000-0x0000000000101000-memory.dmp (Filesize: 4KB)
  • memory/1116-56-0x00000000000D0000-0x00000000000FC000-memory.dmp (Filesize: 176KB)
  • memory/1116-58-0x00000000000D0000-0x00000000000FC000-memory.dmp (Filesize: 176KB)
  • memory/1116-61-0x00000000000D0000-0x00000000000FC000-memory.dmp (Filesize: 176KB)