Analysis

  • max time kernel
    150s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    01-02-2022 10:28

General

  • Target

    47b6fae16a8c59bf1be620cb167e2673af2e0ffa92503fadf101b4bd47132ed5.dll

  • Size

    257KB

  • MD5

    a36249de66b9789bc13d15e0607ef837

  • SHA1

    b2ec5f094cdfed3d330e634c7cd68f6aca937fd1

  • SHA256

    47b6fae16a8c59bf1be620cb167e2673af2e0ffa92503fadf101b4bd47132ed5

  • SHA512

    9b2bfc147cbf3b26c01faf503a08fd03a890d62eed7c4300b0a640681f93704d27b43beb8671e91711af33366ea306d06c53599fc709aed181f1f2d58c681eab

Malware Config

Extracted

Family

zloader

Botnet

main

Campaign

2020-06-28

C2

https://glartrot.org/web/data

https://revenapo.org/web/data

https://findulz.com/web/data

https://fredoam.com/web/data

https://loinecs.org/web/data

https://arosora.org/web/data

https://cheneer.org/web/data

https://esplody.org/web/data

Attributes

  • build_id

    18

  • rc4.plain

  • rsa_pubkey.plain

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

  • Sets service image path in registry (2 TTPs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Modifies data under HKEY_USERS (41 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\47b6fae16a8c59bf1be620cb167e2673af2e0ffa92503fadf101b4bd47132ed5.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:916
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\47b6fae16a8c59bf1be620cb167e2673af2e0ffa92503fadf101b4bd47132ed5.dll
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3904
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe
        3⤵
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        PID:3516
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
    1⤵
      PID:3852
    • C:\Windows\System32\WaaSMedicAgent.exe
      C:\Windows\System32\WaaSMedicAgent.exe 9d410a7794a6c04fa6fbbc51a8d55a29 7csonUkDqECE4mvr7GdPcg.0.1.0.0.0
      1⤵
      • Modifies data under HKEY_USERS
      PID:1928
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k wusvcs -p
      1⤵
        PID:3100

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/3516-131-0x0000000000C80000-0x0000000000CAC000-memory.dmp

    Filesize

    176KB

  • memory/3516-135-0x0000000000C80000-0x0000000000CAC000-memory.dmp

    Filesize

    176KB

  • memory/3904-130-0x0000000004C90000-0x0000000004CE0000-memory.dmp

    Filesize

    320KB

  • memory/3904-134-0x0000000004C90000-0x0000000004CE0000-memory.dmp

    Filesize

    320KB