Overview

overview

10

Static

static

4180d224ea...b3.dll

windows7_x64

10

4180d224ea...b3.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    156s
  • max time network
    180s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    15-02-2022 10:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4180d224eaf6820284b3527f214191b8103d0d4853b45aae37c81b7a0c4e45b3.dll

  • Size

    438KB

  • MD5

    6e6ad2e536f308176dfa419a7a53b14b

  • SHA1

    531211dd82b3533d05a654e50683707ad90ba0e0

  • SHA256

    4180d224eaf6820284b3527f214191b8103d0d4853b45aae37c81b7a0c4e45b3

  • SHA512

    942e58994b01c00993df416fca726e185f1ee0cc96d0f3f6f4de690c13e3ee17ad82e2da5c64d7f0d6c759360e2a2504c2e7c4e177d575b9864ef6cc31724cbe

Score
10/10
zloaderkev02/12botnettrojan

Malware Config

Extracted

Family

zloader

Botnet

kev

Campaign

02/12

C2

https://www.alhasanatbooks.com/reader.php

https://aflim.org.ng/wp-punch.php

https://sardarmohammad.com/reports.php

https://erikarabelo.com.br/server.php

https://thechapelofthehealingcross.org/java.php

https://grebcanualcwilfprofal.ml/wp-smarts.php
Attributes
  • build_id

    261

rc4.plain
rsa_pubkey.plain

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • Blocklisted process makes network request 24 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4180d224eaf6820284b3527f214191b8103d0d4853b45aae37c81b7a0c4e45b3.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1552
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\4180d224eaf6820284b3527f214191b8103d0d4853b45aae37c81b7a0c4e45b3.dll,#1
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1784
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of AdjustPrivilegeToken
        PID:1080

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1080-60-0x0000000000090000-0x00000000000B6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1080-61-0x00000000000C0000-0x00000000000C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1080-62-0x0000000000090000-0x00000000000B6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1080-64-0x0000000000090000-0x00000000000B6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1784-55-0x00000000756C1000-0x00000000756C3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1784-57-0x00000000744E0000-0x0000000074559000-memory.dmp

    Filesize

    484KB

    Download

  • memory/1784-56-0x00000000744E0000-0x0000000074506000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1784-58-0x000000007454D000-0x0000000074551000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1784-59-0x0000000000170000-0x0000000000171000-memory.dmp

    Filesize

    4KB

    Download