zloader | 219594d5b634d5f95904376a1cbd8ecde93b8cdd6cfb785069e51e7eccc78baa

Analysis

max time kernel
124s
max time network
126s
platform
windows7_x64
resource
win7-en-20211208
submitted
01/02/2022, 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

219594d5b634d5f95904376a1cbd8ecde93b8cdd6cfb785069e51e7eccc78baa.dll
Size

276KB
MD5

0448f77a9999f945a136305716eabe49
SHA1

7d906884962033eb5381fcb018fce79779578584
SHA256

219594d5b634d5f95904376a1cbd8ecde93b8cdd6cfb785069e51e7eccc78baa
SHA512

3270f2a146bf94a5e6981e6d99fde8b9204bb90f5b6b04305261fb6bc10541664bd2f8d6cde290e4296f81c602b649ed6ffc6315c67590506625e59f8263e6db

Score

10^/10

zloader dllobnova hihiupdate botnet persistence suricata trojan

Malware Config

Extracted

Family

zloader

Botnet

DLLobnova

Campaign

hihiupdate

https://fdsjfjdsfjdsdsjajjs.com/gate.php

https://idisaudhasdhasdj.com/gate.php

https://dsjdjsjdsadhasdas.com/gate.php

https://dsdjfhdsufudhjas.com/gate.php

https://dsdjfhdsufudhjas.info/gate.php

https://fdsjfjdsfjdsdsjajjs.info/gate.php

https://idisaudhasdhasdj.info/gate.php

https://dsdjfhdsufudhjas.pro/gate.php

https://dsdjfhd9ddksaas.pro/gate.php

Attributes

build_id
7

rc4.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
suricata: ET MALWARE Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
suricata: ET MALWARE Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
suricata
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata

Blocklisted process makes network request 8 IoCs

flow	pid	Process
5	1488	msiexec.exe
7	1488	msiexec.exe
9	1488	msiexec.exe
11	1488	msiexec.exe
13	1488	msiexec.exe
15	1488	msiexec.exe
17	1488	msiexec.exe
19	1488	msiexec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anaw = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Azbo\\olig.dll,DllRegisterServer"	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1588 set thread context of 1488	1588	rundll32.exe	30

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1488	msiexec.exe
Token: SeSecurityPrivilege	1488	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 1588	740	rundll32.exe	27
PID 740 wrote to memory of 1588	740	rundll32.exe	27
PID 740 wrote to memory of 1588	740	rundll32.exe	27
PID 740 wrote to memory of 1588	740	rundll32.exe	27
PID 740 wrote to memory of 1588	740	rundll32.exe	27
PID 740 wrote to memory of 1588	740	rundll32.exe	27
PID 740 wrote to memory of 1588	740	rundll32.exe	27
PID 1588 wrote to memory of 1488	1588	rundll32.exe	30
PID 1588 wrote to memory of 1488	1588	rundll32.exe	30
PID 1588 wrote to memory of 1488	1588	rundll32.exe	30
PID 1588 wrote to memory of 1488	1588	rundll32.exe	30
PID 1588 wrote to memory of 1488	1588	rundll32.exe	30
PID 1588 wrote to memory of 1488	1588	rundll32.exe	30
PID 1588 wrote to memory of 1488	1588	rundll32.exe	30
PID 1588 wrote to memory of 1488	1588	rundll32.exe	30
PID 1588 wrote to memory of 1488	1588	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\219594d5b634d5f95904376a1cbd8ecde93b8cdd6cfb785069e51e7eccc78baa.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:740
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\219594d5b634d5f95904376a1cbd8ecde93b8cdd6cfb785069e51e7eccc78baa.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:1488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1488-57-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/1488-56-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/1488-58-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/1488-62-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/1588-55-0x0000000075321000-0x0000000075323000-memory.dmp

Filesize
8KB

Download
memory/1588-59-0x0000000074E60000-0x0000000074E71000-memory.dmp

Filesize
68KB

Download
memory/1588-60-0x0000000074E10000-0x0000000074E56000-memory.dmp

Filesize
280KB

Download