zloader | be3d1522f968ad7cc46a996a64b5e5be8044075f6bd1784046e46671bf416b45

Resubmissions

08-12-2023 09:55

231208-lx8bdaae24 10

05-02-2022 10:42

220205-mrwwtsagan 10

Analysis

max time kernel
151s
max time network
138s
platform
windows7_x64
resource
win7-en-20211208
submitted
05-02-2022 10:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be3d1522f968ad7cc46a996a64b5e5be8044075f6bd1784046e46671bf416b45.dll
Size

472KB
MD5

f500b424c560f00ccd993a46e4b9fcfa
SHA1

d1da2bb6a020462d5d7ac6301395e10d2acb6b17
SHA256

be3d1522f968ad7cc46a996a64b5e5be8044075f6bd1784046e46671bf416b45
SHA512

65018b4c441db4b618a988cb6d9fa46bcfd2754af244e9d1d309295ba1d2477dd1ea6609214bc7d725b3576b4232c81fa260873357652b89529f0dabd6fd14d0

Score

10^/10

zloader april24misha april24misha botnet suricata trojan

Malware Config

Extracted

Family

zloader

Botnet

April24misha

Campaign

April24misha

http://wmwifbajxxbcxmucxmlc.com/post.php

http://onfovdaqqrwbvdfoqnof.com/post.php

http://cmmxhurildiigqghlryq.com/post.php

http://nmqsmbiabjdnuushksas.com/post.php

http://fvqlkgedqjiqgapudkgq.com/post.php

http://iawfqecrwohcxnhwtofa.com/post.php

http://nlbmfsyplohyaicmxhum.com/post.php

http://snnmnkxdhflwgthqismb.com/post.php

Attributes

build_id
122

rc4.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata

Blocklisted process makes network request 4 IoCs

flow	pid	Process
5	336	msiexec.exe
9	336	msiexec.exe
11	336	msiexec.exe
13	336	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 336	2040	rundll32.exe	30

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	336	msiexec.exe
Token: SeSecurityPrivilege	336	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2040	2036	rundll32.exe	27
PID 2036 wrote to memory of 2040	2036	rundll32.exe	27
PID 2036 wrote to memory of 2040	2036	rundll32.exe	27
PID 2036 wrote to memory of 2040	2036	rundll32.exe	27
PID 2036 wrote to memory of 2040	2036	rundll32.exe	27
PID 2036 wrote to memory of 2040	2036	rundll32.exe	27
PID 2036 wrote to memory of 2040	2036	rundll32.exe	27
PID 2040 wrote to memory of 336	2040	rundll32.exe	30
PID 2040 wrote to memory of 336	2040	rundll32.exe	30
PID 2040 wrote to memory of 336	2040	rundll32.exe	30
PID 2040 wrote to memory of 336	2040	rundll32.exe	30
PID 2040 wrote to memory of 336	2040	rundll32.exe	30
PID 2040 wrote to memory of 336	2040	rundll32.exe	30
PID 2040 wrote to memory of 336	2040	rundll32.exe	30
PID 2040 wrote to memory of 336	2040	rundll32.exe	30
PID 2040 wrote to memory of 336	2040	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\be3d1522f968ad7cc46a996a64b5e5be8044075f6bd1784046e46671bf416b45.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\be3d1522f968ad7cc46a996a64b5e5be8044075f6bd1784046e46671bf416b45.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    PID:336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/336-60-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/336-59-0x00000000000D0000-0x0000000000104000-memory.dmp

Filesize
208KB

Download
memory/336-61-0x00000000000D0000-0x0000000000104000-memory.dmp

Filesize
208KB

Download
memory/336-63-0x00000000000D0000-0x0000000000104000-memory.dmp

Filesize
208KB

Download
memory/2040-55-0x0000000076851000-0x0000000076853000-memory.dmp

Filesize
8KB

Download
memory/2040-58-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2040-56-0x00000000721E0000-0x0000000072214000-memory.dmp

Filesize
208KB

Download
memory/2040-57-0x00000000721E0000-0x000000007315F000-memory.dmp

Filesize
15.5MB

Download