Overview

overview

10

Static

static

47b6fae16a...d5.dll

windows7_x64

10

47b6fae16a...d5.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    01-02-2022 10:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    47b6fae16a8c59bf1be620cb167e2673af2e0ffa92503fadf101b4bd47132ed5.dll

  • Size

    257KB

  • MD5

    a36249de66b9789bc13d15e0607ef837

  • SHA1

    b2ec5f094cdfed3d330e634c7cd68f6aca937fd1

  • SHA256

    47b6fae16a8c59bf1be620cb167e2673af2e0ffa92503fadf101b4bd47132ed5

  • SHA512

    9b2bfc147cbf3b26c01faf503a08fd03a890d62eed7c4300b0a640681f93704d27b43beb8671e91711af33366ea306d06c53599fc709aed181f1f2d58c681eab

Score
10/10
zloadermain2020-06-28botnetpersistencetrojan

Malware Config

Extracted

Family

zloader

Botnet

main

Campaign

2020-06-28

C2

https://glartrot.org/web/data

https://revenapo.org/web/data

https://findulz.com/web/data

https://fredoam.com/web/data

https://loinecs.org/web/data

https://arosora.org/web/data

https://cheneer.org/web/data

https://esplody.org/web/data
Attributes
  • build_id

    18

rc4.plain
rsa_pubkey.plain

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\47b6fae16a8c59bf1be620cb167e2673af2e0ffa92503fadf101b4bd47132ed5.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:940
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\47b6fae16a8c59bf1be620cb167e2673af2e0ffa92503fadf101b4bd47132ed5.dll
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1084
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe
        3⤵
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        PID:1688

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/940-54-0x000007FEFBE11000-0x000007FEFBE13000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1084-55-0x0000000076121000-0x0000000076123000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1084-56-0x0000000000160000-0x00000000001B0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1084-60-0x0000000000160000-0x00000000001B0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1688-58-0x0000000000090000-0x0000000000091000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1688-57-0x0000000000150000-0x000000000017C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1688-59-0x0000000000150000-0x000000000017C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1688-62-0x0000000000150000-0x000000000017C000-memory.dmp

    Filesize

    176KB

    Download