zloader | 4180d224eaf6820284b3527f214191b8103d0d4853b45aae37c81b7a0c4e45b3

General

Target

4180d224eaf6820284b3527f214191b8103d0d4853b45aae37c81b7a0c4e45b3.dll
Size

438KB
MD5

6e6ad2e536f308176dfa419a7a53b14b
SHA1

531211dd82b3533d05a654e50683707ad90ba0e0
SHA256

4180d224eaf6820284b3527f214191b8103d0d4853b45aae37c81b7a0c4e45b3
SHA512

942e58994b01c00993df416fca726e185f1ee0cc96d0f3f6f4de690c13e3ee17ad82e2da5c64d7f0d6c759360e2a2504c2e7c4e177d575b9864ef6cc31724cbe

Score

10^/10

zloader kev 02/12 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

kev

Campaign

02/12

C2

https://www.alhasanatbooks.com/reader.php

https://aflim.org.ng/wp-punch.php

https://sardarmohammad.com/reports.php

https://erikarabelo.com.br/server.php

https://thechapelofthehealingcross.org/java.php

https://grebcanualcwilfprofal.ml/wp-smarts.php

Attributes

build_id
261

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 24 IoCs

Processes:

msiexec.exe

flow	pid	process
5	1080	msiexec.exe
6	1080	msiexec.exe
7	1080	msiexec.exe
8	1080	msiexec.exe
9	1080	msiexec.exe
10	1080	msiexec.exe
11	1080	msiexec.exe
12	1080	msiexec.exe
13	1080	msiexec.exe
14	1080	msiexec.exe
15	1080	msiexec.exe
16	1080	msiexec.exe
17	1080	msiexec.exe
18	1080	msiexec.exe
19	1080	msiexec.exe
20	1080	msiexec.exe
21	1080	msiexec.exe
22	1080	msiexec.exe
23	1080	msiexec.exe
24	1080	msiexec.exe
25	1080	msiexec.exe
27	1080	msiexec.exe
28	1080	msiexec.exe
29	1080	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1784 set thread context of 1080 1784 rundll32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 1080 msiexec.exe
Token: SeSecurityPrivilege 1080 msiexec.exe

description	pid	process	target process
PID 1784 set thread context of 1080	1784	rundll32.exe	msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	1080	msiexec.exe
Token: SeSecurityPrivilege	1080	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1552 wrote to memory of 1784	1552	rundll32.exe	rundll32.exe
PID 1552 wrote to memory of 1784	1552	rundll32.exe	rundll32.exe
PID 1552 wrote to memory of 1784	1552	rundll32.exe	rundll32.exe
PID 1552 wrote to memory of 1784	1552	rundll32.exe	rundll32.exe
PID 1552 wrote to memory of 1784	1552	rundll32.exe	rundll32.exe
PID 1552 wrote to memory of 1784	1552	rundll32.exe	rundll32.exe
PID 1552 wrote to memory of 1784	1552	rundll32.exe	rundll32.exe
PID 1784 wrote to memory of 1080	1784	rundll32.exe	msiexec.exe
PID 1784 wrote to memory of 1080	1784	rundll32.exe	msiexec.exe
PID 1784 wrote to memory of 1080	1784	rundll32.exe	msiexec.exe
PID 1784 wrote to memory of 1080	1784	rundll32.exe	msiexec.exe
PID 1784 wrote to memory of 1080	1784	rundll32.exe	msiexec.exe
PID 1784 wrote to memory of 1080	1784	rundll32.exe	msiexec.exe
PID 1784 wrote to memory of 1080	1784	rundll32.exe	msiexec.exe
PID 1784 wrote to memory of 1080	1784	rundll32.exe	msiexec.exe
PID 1784 wrote to memory of 1080	1784	rundll32.exe	msiexec.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4180d224eaf6820284b3527f214191b8103d0d4853b45aae37c81b7a0c4e45b3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4180d224eaf6820284b3527f214191b8103d0d4853b45aae37c81b7a0c4e45b3.dll,#1
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:1080

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1080-60-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/1080-61-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1080-62-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/1080-64-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/1784-55-0x00000000756C1000-0x00000000756C3000-memory.dmp

Filesize
8KB

Download
memory/1784-57-0x00000000744E0000-0x0000000074559000-memory.dmp

Filesize
484KB

Download
memory/1784-56-0x00000000744E0000-0x0000000074506000-memory.dmp

Filesize
152KB

Download
memory/1784-58-0x000000007454D000-0x0000000074551000-memory.dmp

Filesize
16KB

Download
memory/1784-59-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing