zloader | 08cb15d9f0002f9c8cddc10e7e6a63fc9e621adc53686c0ed6cf296f60a83f31

General

Target

08cb15d9f0002f9c8cddc10e7e6a63fc9e621adc53686c0ed6cf296f60a83f31.dll
Size

438KB
MD5

1d09fc6d3308be3bfcc43fe2a8205263
SHA1

07e2d91dc8c1f550baf7e613a5a77f6d575b27d1
SHA256

08cb15d9f0002f9c8cddc10e7e6a63fc9e621adc53686c0ed6cf296f60a83f31
SHA512

e83080ff09630198f32e8b86a9ac391b9637d8e16b535d05c80037497c522f7fffe2c005ecfb713b85c4a6f529533d33424ed75312e05bd1b458975d53df8deb

Score

10^/10

zloader kev 02/12 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

kev

Campaign

02/12

C2

https://www.alhasanatbooks.com/reader.php

https://aflim.org.ng/wp-punch.php

https://sardarmohammad.com/reports.php

https://erikarabelo.com.br/server.php

https://thechapelofthehealingcross.org/java.php

https://grebcanualcwilfprofal.ml/wp-smarts.php

Attributes

build_id
261

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 54 IoCs

Processes:

msiexec.exe

flow	pid	process
5	976	msiexec.exe
6	976	msiexec.exe
7	976	msiexec.exe
8	976	msiexec.exe
9	976	msiexec.exe
10	976	msiexec.exe
11	976	msiexec.exe
12	976	msiexec.exe
13	976	msiexec.exe
14	976	msiexec.exe
15	976	msiexec.exe
16	976	msiexec.exe
17	976	msiexec.exe
18	976	msiexec.exe
19	976	msiexec.exe
20	976	msiexec.exe
21	976	msiexec.exe
22	976	msiexec.exe
23	976	msiexec.exe
24	976	msiexec.exe
25	976	msiexec.exe
27	976	msiexec.exe
28	976	msiexec.exe
29	976	msiexec.exe
33	976	msiexec.exe
34	976	msiexec.exe
35	976	msiexec.exe
36	976	msiexec.exe
37	976	msiexec.exe
38	976	msiexec.exe
41	976	msiexec.exe
42	976	msiexec.exe
43	976	msiexec.exe
44	976	msiexec.exe
45	976	msiexec.exe
46	976	msiexec.exe
47	976	msiexec.exe
48	976	msiexec.exe
49	976	msiexec.exe
50	976	msiexec.exe
51	976	msiexec.exe
52	976	msiexec.exe
53	976	msiexec.exe
54	976	msiexec.exe
55	976	msiexec.exe
56	976	msiexec.exe
57	976	msiexec.exe
58	976	msiexec.exe
59	976	msiexec.exe
60	976	msiexec.exe
61	976	msiexec.exe
63	976	msiexec.exe
64	976	msiexec.exe
65	976	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1804 set thread context of 976 1804 rundll32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 976 msiexec.exe
Token: SeSecurityPrivilege 976 msiexec.exe

description	pid	process	target process
PID 1804 set thread context of 976	1804	rundll32.exe	msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	976	msiexec.exe
Token: SeSecurityPrivilege	976	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1184 wrote to memory of 1804	1184	rundll32.exe	rundll32.exe
PID 1184 wrote to memory of 1804	1184	rundll32.exe	rundll32.exe
PID 1184 wrote to memory of 1804	1184	rundll32.exe	rundll32.exe
PID 1184 wrote to memory of 1804	1184	rundll32.exe	rundll32.exe
PID 1184 wrote to memory of 1804	1184	rundll32.exe	rundll32.exe
PID 1184 wrote to memory of 1804	1184	rundll32.exe	rundll32.exe
PID 1184 wrote to memory of 1804	1184	rundll32.exe	rundll32.exe
PID 1804 wrote to memory of 976	1804	rundll32.exe	msiexec.exe
PID 1804 wrote to memory of 976	1804	rundll32.exe	msiexec.exe
PID 1804 wrote to memory of 976	1804	rundll32.exe	msiexec.exe
PID 1804 wrote to memory of 976	1804	rundll32.exe	msiexec.exe
PID 1804 wrote to memory of 976	1804	rundll32.exe	msiexec.exe
PID 1804 wrote to memory of 976	1804	rundll32.exe	msiexec.exe
PID 1804 wrote to memory of 976	1804	rundll32.exe	msiexec.exe
PID 1804 wrote to memory of 976	1804	rundll32.exe	msiexec.exe
PID 1804 wrote to memory of 976	1804	rundll32.exe	msiexec.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\08cb15d9f0002f9c8cddc10e7e6a63fc9e621adc53686c0ed6cf296f60a83f31.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\08cb15d9f0002f9c8cddc10e7e6a63fc9e621adc53686c0ed6cf296f60a83f31.dll,#1
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/976-60-0x00000000000B0000-0x00000000000D6000-memory.dmp

Filesize
152KB

Download
memory/976-62-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/976-64-0x00000000000B0000-0x00000000000D6000-memory.dmp

Filesize
152KB

Download
memory/976-66-0x00000000000B0000-0x00000000000D6000-memory.dmp

Filesize
152KB

Download
memory/1804-55-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/1804-57-0x0000000074AC0000-0x0000000074B39000-memory.dmp

Filesize
484KB

Download
memory/1804-56-0x0000000074AC0000-0x0000000074AE6000-memory.dmp

Filesize
152KB

Download
memory/1804-58-0x0000000074AC0000-0x0000000074B39000-memory.dmp

Filesize
484KB

Download
memory/1804-59-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing