zloader | 08cb15d9f0002f9c8cddc10e7e6a63fc9e621adc53686c0ed6cf296f60a83f31

Analysis

max time kernel
138s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
09-03-2022 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08cb15d9f0002f9c8cddc10e7e6a63fc9e621adc53686c0ed6cf296f60a83f31.dll
Size

438KB
MD5

1d09fc6d3308be3bfcc43fe2a8205263
SHA1

07e2d91dc8c1f550baf7e613a5a77f6d575b27d1
SHA256

08cb15d9f0002f9c8cddc10e7e6a63fc9e621adc53686c0ed6cf296f60a83f31
SHA512

e83080ff09630198f32e8b86a9ac391b9637d8e16b535d05c80037497c522f7fffe2c005ecfb713b85c4a6f529533d33424ed75312e05bd1b458975d53df8deb

Score

10^/10

zloader kev 02/12 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

kev

Campaign

02/12

https://www.alhasanatbooks.com/reader.php

https://aflim.org.ng/wp-punch.php

https://sardarmohammad.com/reports.php

https://erikarabelo.com.br/server.php

https://thechapelofthehealingcross.org/java.php

https://grebcanualcwilfprofal.ml/wp-smarts.php

Attributes

build_id
261

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 18 IoCs

Processes:

msiexec.exe

flow	pid	process
34	544	msiexec.exe
35	544	msiexec.exe
38	544	msiexec.exe
39	544	msiexec.exe
40	544	msiexec.exe
41	544	msiexec.exe
46	544	msiexec.exe
47	544	msiexec.exe
49	544	msiexec.exe
50	544	msiexec.exe
51	544	msiexec.exe
52	544	msiexec.exe
54	544	msiexec.exe
55	544	msiexec.exe
56	544	msiexec.exe
57	544	msiexec.exe
58	544	msiexec.exe
59	544	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 988 set thread context of 544 988 rundll32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 544 msiexec.exe
Token: SeSecurityPrivilege 544 msiexec.exe

description	pid	process	target process
PID 988 set thread context of 544	988	rundll32.exe	msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	544	msiexec.exe
Token: SeSecurityPrivilege	544	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3168 wrote to memory of 988	3168	rundll32.exe	rundll32.exe
PID 3168 wrote to memory of 988	3168	rundll32.exe	rundll32.exe
PID 3168 wrote to memory of 988	3168	rundll32.exe	rundll32.exe
PID 988 wrote to memory of 544	988	rundll32.exe	msiexec.exe
PID 988 wrote to memory of 544	988	rundll32.exe	msiexec.exe
PID 988 wrote to memory of 544	988	rundll32.exe	msiexec.exe
PID 988 wrote to memory of 544	988	rundll32.exe	msiexec.exe
PID 988 wrote to memory of 544	988	rundll32.exe	msiexec.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\08cb15d9f0002f9c8cddc10e7e6a63fc9e621adc53686c0ed6cf296f60a83f31.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3168

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\08cb15d9f0002f9c8cddc10e7e6a63fc9e621adc53686c0ed6cf296f60a83f31.dll,#1
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/544-134-0x0000000002DB0000-0x0000000002DD6000-memory.dmp

Filesize
152KB

Download
memory/544-137-0x0000000002DB0000-0x0000000002DD6000-memory.dmp

Filesize
152KB

Download
memory/988-130-0x0000000074DC0000-0x0000000074DE6000-memory.dmp

Filesize
152KB

Download
memory/988-131-0x0000000074DC0000-0x0000000074E39000-memory.dmp

Filesize
484KB

Download
memory/988-133-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

Filesize
4KB

Download
memory/988-132-0x0000000074DC0000-0x0000000074E39000-memory.dmp

Filesize
484KB

Download