zloader | acc23d61641e44bd6ee2a4e2080aa8841856efdbc11b4be75ffdf721f757cf07

General

Target

acc23d61641e44bd6ee2a4e2080aa8841856efdbc11b4be75ffdf721f757cf07.dll
Size

520KB
MD5

0ffead3ef4030a202a8e55ce6efd1aba
SHA1

8642810c98e1f84a9ee3dc69d3b1ff2672bb8f25
SHA256

acc23d61641e44bd6ee2a4e2080aa8841856efdbc11b4be75ffdf721f757cf07
SHA512

1dc3a5773ceb4f53dee9105e6074c5d3c0fab6ca21c917949b6a2d6845f002650d4537d1275d07191cde79b8920df9c95e92fd4f915c5a109075e982a4132019

Score

10^/10

zloader nut 11/12 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

nut

Campaign

11/12

C2

https://www.businessinsurancelaw.com/wp-punch.php

https://squire.ae/wp-punch.php

https://lamun.pk/wp-punch.php

https://www.rcclabbd.com/wp-punch.php

https://thecype.com/wp-punch.php

https://theterteboltallbrow.tk/wp-smarts.php

Attributes

build_id
286

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 58 IoCs

Processes:

msiexec.exe

flow	pid	process
5	1324	msiexec.exe
7	1324	msiexec.exe
8	1324	msiexec.exe
9	1324	msiexec.exe
10	1324	msiexec.exe
11	1324	msiexec.exe
12	1324	msiexec.exe
20	1324	msiexec.exe
21	1324	msiexec.exe
22	1324	msiexec.exe
23	1324	msiexec.exe
24	1324	msiexec.exe
25	1324	msiexec.exe
26	1324	msiexec.exe
27	1324	msiexec.exe
28	1324	msiexec.exe
29	1324	msiexec.exe
30	1324	msiexec.exe
31	1324	msiexec.exe
32	1324	msiexec.exe
33	1324	msiexec.exe
34	1324	msiexec.exe
35	1324	msiexec.exe
36	1324	msiexec.exe
37	1324	msiexec.exe
38	1324	msiexec.exe
39	1324	msiexec.exe
40	1324	msiexec.exe
41	1324	msiexec.exe
42	1324	msiexec.exe
43	1324	msiexec.exe
45	1324	msiexec.exe
46	1324	msiexec.exe
47	1324	msiexec.exe
48	1324	msiexec.exe
49	1324	msiexec.exe
50	1324	msiexec.exe
51	1324	msiexec.exe
52	1324	msiexec.exe
53	1324	msiexec.exe
54	1324	msiexec.exe
55	1324	msiexec.exe
56	1324	msiexec.exe
57	1324	msiexec.exe
58	1324	msiexec.exe
59	1324	msiexec.exe
60	1324	msiexec.exe
61	1324	msiexec.exe
62	1324	msiexec.exe
63	1324	msiexec.exe
64	1324	msiexec.exe
65	1324	msiexec.exe
67	1324	msiexec.exe
68	1324	msiexec.exe
69	1324	msiexec.exe
71	1324	msiexec.exe
72	1324	msiexec.exe
75	1324	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1604 set thread context of 1324 1604 rundll32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 1324 msiexec.exe
Token: SeSecurityPrivilege 1324 msiexec.exe

description	pid	process	target process
PID 1604 set thread context of 1324	1604	rundll32.exe	msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	1324	msiexec.exe
Token: SeSecurityPrivilege	1324	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 956 wrote to memory of 1604	956	rundll32.exe	rundll32.exe
PID 956 wrote to memory of 1604	956	rundll32.exe	rundll32.exe
PID 956 wrote to memory of 1604	956	rundll32.exe	rundll32.exe
PID 956 wrote to memory of 1604	956	rundll32.exe	rundll32.exe
PID 956 wrote to memory of 1604	956	rundll32.exe	rundll32.exe
PID 956 wrote to memory of 1604	956	rundll32.exe	rundll32.exe
PID 956 wrote to memory of 1604	956	rundll32.exe	rundll32.exe
PID 1604 wrote to memory of 1324	1604	rundll32.exe	msiexec.exe
PID 1604 wrote to memory of 1324	1604	rundll32.exe	msiexec.exe
PID 1604 wrote to memory of 1324	1604	rundll32.exe	msiexec.exe
PID 1604 wrote to memory of 1324	1604	rundll32.exe	msiexec.exe
PID 1604 wrote to memory of 1324	1604	rundll32.exe	msiexec.exe
PID 1604 wrote to memory of 1324	1604	rundll32.exe	msiexec.exe
PID 1604 wrote to memory of 1324	1604	rundll32.exe	msiexec.exe
PID 1604 wrote to memory of 1324	1604	rundll32.exe	msiexec.exe
PID 1604 wrote to memory of 1324	1604	rundll32.exe	msiexec.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\acc23d61641e44bd6ee2a4e2080aa8841856efdbc11b4be75ffdf721f757cf07.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\acc23d61641e44bd6ee2a4e2080aa8841856efdbc11b4be75ffdf721f757cf07.dll,#1
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:1324

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1324-59-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/1324-61-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1324-63-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/1324-65-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/1604-54-0x00000000760A1000-0x00000000760A3000-memory.dmp

Filesize
8KB

Download
memory/1604-56-0x0000000010000000-0x0000000010094000-memory.dmp

Filesize
592KB

Download
memory/1604-55-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/1604-57-0x0000000010000000-0x0000000010094000-memory.dmp

Filesize
592KB

Download
memory/1604-58-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing