Overview

overview

10

Static

static

4f1b67de03...2a.dll

windows7_x64

10

4f1b67de03...2a.dll

windows10-2004_x64

1

Analysis

  • max time kernel
    156s
  • max time network
    165s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    05-02-2022 16:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4f1b67de033cb3d692e494a0104243edb1504185df21e5086dba1d10d941c12a.dll

  • Size

    877KB

  • MD5

    4773b4f06e91d998f15f56986eca1c04

  • SHA1

    47bd5aa4356028de73fde18268e4891bf7ec5aae

  • SHA256

    4f1b67de033cb3d692e494a0104243edb1504185df21e5086dba1d10d941c12a

  • SHA512

    6709ee7c50729eab38b0ab6fc72948fa66458c277d9109e605824105827db87d9c34e7559c4a9a7c7e2f3908f8c4ac49be587e9210928c99757a600a3b9d3c77

Score
10/10
zloadermain20.04.2020botnetpersistencetrojan

Malware Config

Extracted

Family

zloader

Botnet

main

Campaign

20.04.2020

C2

https://tremood.com/sound.php

https://soceneo.com/sound.php

https://baatiot.com/sound.php

https://welefus.com/sound.php

https://maremeo.com/sound.php
Attributes
  • build_id

    41

rc4.plain

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4f1b67de033cb3d692e494a0104243edb1504185df21e5086dba1d10d941c12a.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\4f1b67de033cb3d692e494a0104243edb1504185df21e5086dba1d10d941c12a.dll,#1
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1504
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe
        3⤵
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        PID:1720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1504-55-0x0000000075831000-0x0000000075833000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1504-56-0x0000000000270000-0x00000000002BD000-memory.dmp
    Filesize

    308KB

    Download
  • memory/1504-57-0x0000000010000000-0x00000000100DF000-memory.dmp
    Filesize

    892KB

    Download
  • memory/1720-59-0x0000000000110000-0x0000000000111000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1720-58-0x00000000000D0000-0x0000000000102000-memory.dmp
    Filesize

    200KB

    Download
  • memory/1720-60-0x00000000000D0000-0x0000000000102000-memory.dmp
    Filesize

    200KB

    Download
  • memory/1720-62-0x00000000000D0000-0x0000000000102000-memory.dmp
    Filesize

    200KB

    Download