zloader | 3b4b2c5c8a00fab59684fee37b54912c58682022e2dc4e3dcd24b6e58533ecd9

Resubmissions

08-12-2023 09:45

231208-lrje3aad83 10

05-02-2022 16:42

220205-t7syfadda8 10

Analysis

max time kernel
149s
max time network
142s
platform
windows7_x64
resource
win7-en-20211208
submitted
05-02-2022 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b4b2c5c8a00fab59684fee37b54912c58682022e2dc4e3dcd24b6e58533ecd9.dll
Size

421KB
MD5

061506b2a0a26fbd20dba69a1105e1b7
SHA1

a4f4bc27be3da2b85a06883615bb96b8a2a79ebb
SHA256

3b4b2c5c8a00fab59684fee37b54912c58682022e2dc4e3dcd24b6e58533ecd9
SHA512

4426c072cb52f2e4ce35ca88c4f20304145d017b5e95f2d35aa68216691b6abde99b6941e1067e50b77342300dea329cb0facbc5ab391272ced658dcf5ee2be9

Score

10^/10

zloader april23fixed april23fixed botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

April23Fixed

Campaign

April23Fixed

http://wmwifbajxxbcxmucxmlc.com/post.php

http://onfovdaqqrwbvdfoqnof.com/post.php

http://cmmxhurildiigqghlryq.com/post.php

http://nmqsmbiabjdnuushksas.com/post.php

http://fvqlkgedqjiqgapudkgq.com/post.php

http://iawfqecrwohcxnhwtofa.com/post.php

http://nlbmfsyplohyaicmxhum.com/post.php

http://snnmnkxdhflwgthqismb.com/post.php

Attributes

build_id
120

rc4.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	660	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 660	2040	rundll32.exe	30

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	660	msiexec.exe
Token: SeSecurityPrivilege	660	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2040	2028	rundll32.exe	27
PID 2028 wrote to memory of 2040	2028	rundll32.exe	27
PID 2028 wrote to memory of 2040	2028	rundll32.exe	27
PID 2028 wrote to memory of 2040	2028	rundll32.exe	27
PID 2028 wrote to memory of 2040	2028	rundll32.exe	27
PID 2028 wrote to memory of 2040	2028	rundll32.exe	27
PID 2028 wrote to memory of 2040	2028	rundll32.exe	27
PID 2040 wrote to memory of 660	2040	rundll32.exe	30
PID 2040 wrote to memory of 660	2040	rundll32.exe	30
PID 2040 wrote to memory of 660	2040	rundll32.exe	30
PID 2040 wrote to memory of 660	2040	rundll32.exe	30
PID 2040 wrote to memory of 660	2040	rundll32.exe	30
PID 2040 wrote to memory of 660	2040	rundll32.exe	30
PID 2040 wrote to memory of 660	2040	rundll32.exe	30
PID 2040 wrote to memory of 660	2040	rundll32.exe	30
PID 2040 wrote to memory of 660	2040	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b4b2c5c8a00fab59684fee37b54912c58682022e2dc4e3dcd24b6e58533ecd9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b4b2c5c8a00fab59684fee37b54912c58682022e2dc4e3dcd24b6e58533ecd9.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    PID:660

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/660-59-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/660-58-0x0000000000090000-0x00000000000C4000-memory.dmp

Filesize
208KB

Download
memory/660-60-0x0000000000090000-0x00000000000C4000-memory.dmp

Filesize
208KB

Download
memory/660-62-0x0000000000090000-0x00000000000C4000-memory.dmp

Filesize
208KB

Download
memory/2040-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/2040-55-0x0000000071EF0000-0x0000000071F24000-memory.dmp

Filesize
208KB

Download
memory/2040-56-0x0000000071EF0000-0x0000000072E6D000-memory.dmp

Filesize
15.5MB

Download
memory/2040-57-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download