Overview

overview

10

Static

static

19f90b17a6...c4.dll

windows7_x64

10

19f90b17a6...c4.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    139s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    05-02-2022 18:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    19f90b17a6bcf1c80551ae576d0949d51df8b8e26437a3a8aa6d5d4d344440c4.dll

  • Size

    634KB

  • MD5

    c7492b61b4138459b9d45b085f3c79c0

  • SHA1

    39b0ab8064f4e0d2e06775a8ef5dbc6a279db88f

  • SHA256

    19f90b17a6bcf1c80551ae576d0949d51df8b8e26437a3a8aa6d5d4d344440c4

  • SHA512

    7b22e4b582ed6ff974862caed5b90cb49437e793fd10b7fcff798edb645e5b5b0dee8690e7ba5c6e7526e9e51259037ec8489d26e1b03c7639780ad27da676ed

Score
10/10
zloadermiguel08/04botnettrojan

Malware Config

Extracted

Family

zloader

Botnet

miguel

Campaign

08/04

C2

https://kuaxbdkvbbmivbxkrrev.com/wp-config.php

https://hwbblyyrb.pw/wp-config.php
Attributes
  • build_id

    135

rc4.plain

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 45 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\19f90b17a6bcf1c80551ae576d0949d51df8b8e26437a3a8aa6d5d4d344440c4.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3828
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\19f90b17a6bcf1c80551ae576d0949d51df8b8e26437a3a8aa6d5d4d344440c4.dll,#1
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3644
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1056
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:2900
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:3024

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1056-133-0x0000000003200000-0x0000000003233000-memory.dmp
    Filesize

    204KB

    Download
  • memory/1056-136-0x0000000003200000-0x0000000003233000-memory.dmp
    Filesize

    204KB

    Download
  • memory/3644-130-0x00000000757D0000-0x0000000075803000-memory.dmp
    Filesize

    204KB

    Download
  • memory/3644-131-0x00000000757D0000-0x000000007588C000-memory.dmp
    Filesize

    752KB

    Download
  • memory/3644-132-0x00000000031E0000-0x00000000031E1000-memory.dmp
    Filesize

    4KB

    Download