zloader | 14c47cc16c55060409202302048d8b8f97c9b3fa462d7710ab91bb3f3f7a75e8

General

Target

14c47cc16c55060409202302048d8b8f97c9b3fa462d7710ab91bb3f3f7a75e8.dll
Size

370KB
MD5

243104faac6863b5b4a4263f4040f021
SHA1

597fbf324045926a5e3cc1617dc89f83ddd49792
SHA256

14c47cc16c55060409202302048d8b8f97c9b3fa462d7710ab91bb3f3f7a75e8
SHA512

3a0bf5a2731155559faf5167e00662fa69e18f81dfc671ac3132eec84ae0b4293429fda477f8bbb5d8576d64e6d36eac09e00a69c124ae99dc30f37e7868d985

Score

10^/10

zloader nut 30/11 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

nut

Campaign

30/11

C2

https://aogmphregion.org.za/construction.php

https://aayanent.com/backups.php

https://eagle-family.co.uk/panel.php

https://khanbuilders.uk/wp-punch.php

https://construbienesjg.com/wp-punch.php

https://despautyajobssooka.ml/wp-smarts.php

Attributes

build_id
257

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 9 IoCs

flow	pid	Process
5	1432	msiexec.exe
6	1432	msiexec.exe
7	1432	msiexec.exe
8	1432	msiexec.exe
9	1432	msiexec.exe
10	1432	msiexec.exe
23	1432	msiexec.exe
25	1432	msiexec.exe
26	1432	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 768 set thread context of 1432	768	regsvr32.exe	30

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1432	msiexec.exe
Token: SeSecurityPrivilege	1432	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 768	1680	regsvr32.exe	27
PID 1680 wrote to memory of 768	1680	regsvr32.exe	27
PID 1680 wrote to memory of 768	1680	regsvr32.exe	27
PID 1680 wrote to memory of 768	1680	regsvr32.exe	27
PID 1680 wrote to memory of 768	1680	regsvr32.exe	27
PID 1680 wrote to memory of 768	1680	regsvr32.exe	27
PID 1680 wrote to memory of 768	1680	regsvr32.exe	27
PID 768 wrote to memory of 1432	768	regsvr32.exe	30
PID 768 wrote to memory of 1432	768	regsvr32.exe	30
PID 768 wrote to memory of 1432	768	regsvr32.exe	30
PID 768 wrote to memory of 1432	768	regsvr32.exe	30
PID 768 wrote to memory of 1432	768	regsvr32.exe	30
PID 768 wrote to memory of 1432	768	regsvr32.exe	30
PID 768 wrote to memory of 1432	768	regsvr32.exe	30
PID 768 wrote to memory of 1432	768	regsvr32.exe	30
PID 768 wrote to memory of 1432	768	regsvr32.exe	30

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\14c47cc16c55060409202302048d8b8f97c9b3fa462d7710ab91bb3f3f7a75e8.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\14c47cc16c55060409202302048d8b8f97c9b3fa462d7710ab91bb3f3f7a75e8.dll
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    PID:1432

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/768-55-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download
memory/768-57-0x0000000074EA0000-0x0000000074F12000-memory.dmp

Filesize
456KB

Download
memory/768-56-0x0000000074EA0000-0x0000000074EC6000-memory.dmp

Filesize
152KB

Download
memory/768-58-0x0000000074EA0000-0x0000000074F12000-memory.dmp

Filesize
456KB

Download
memory/768-59-0x00000000001A0000-0x0000000000220000-memory.dmp

Filesize
512KB

Download
memory/1432-60-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/1432-62-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1432-64-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/1432-66-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/1680-54-0x000007FEFC4B1000-0x000007FEFC4B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing