zloader | acc23d61641e44bd6ee2a4e2080aa8841856efdbc11b4be75ffdf721f757cf07

Analysis

max time kernel
148s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
19-03-2022 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

acc23d61641e44bd6ee2a4e2080aa8841856efdbc11b4be75ffdf721f757cf07.dll
Size

520KB
MD5

0ffead3ef4030a202a8e55ce6efd1aba
SHA1

8642810c98e1f84a9ee3dc69d3b1ff2672bb8f25
SHA256

acc23d61641e44bd6ee2a4e2080aa8841856efdbc11b4be75ffdf721f757cf07
SHA512

1dc3a5773ceb4f53dee9105e6074c5d3c0fab6ca21c917949b6a2d6845f002650d4537d1275d07191cde79b8920df9c95e92fd4f915c5a109075e982a4132019

Score

10^/10

zloader nut 11/12 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

nut

Campaign

11/12

https://www.businessinsurancelaw.com/wp-punch.php

https://squire.ae/wp-punch.php

https://lamun.pk/wp-punch.php

https://www.rcclabbd.com/wp-punch.php

https://thecype.com/wp-punch.php

https://theterteboltallbrow.tk/wp-smarts.php

Attributes

build_id
286

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 21 IoCs

Processes:

msiexec.exe

flow	pid	process
47	4156	msiexec.exe
49	4156	msiexec.exe
50	4156	msiexec.exe
51	4156	msiexec.exe
52	4156	msiexec.exe
53	4156	msiexec.exe
58	4156	msiexec.exe
59	4156	msiexec.exe
60	4156	msiexec.exe
61	4156	msiexec.exe
63	4156	msiexec.exe
64	4156	msiexec.exe
66	4156	msiexec.exe
67	4156	msiexec.exe
68	4156	msiexec.exe
69	4156	msiexec.exe
75	4156	msiexec.exe
76	4156	msiexec.exe
78	4156	msiexec.exe
82	4156	msiexec.exe
86	4156	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 4628 set thread context of 4156 4628 rundll32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 4156 msiexec.exe
Token: SeSecurityPrivilege 4156 msiexec.exe

description	pid	process	target process
PID 4628 set thread context of 4156	4628	rundll32.exe	msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	4156	msiexec.exe
Token: SeSecurityPrivilege	4156	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4640 wrote to memory of 4628	4640	rundll32.exe	rundll32.exe
PID 4640 wrote to memory of 4628	4640	rundll32.exe	rundll32.exe
PID 4640 wrote to memory of 4628	4640	rundll32.exe	rundll32.exe
PID 4628 wrote to memory of 4156	4628	rundll32.exe	msiexec.exe
PID 4628 wrote to memory of 4156	4628	rundll32.exe	msiexec.exe
PID 4628 wrote to memory of 4156	4628	rundll32.exe	msiexec.exe
PID 4628 wrote to memory of 4156	4628	rundll32.exe	msiexec.exe
PID 4628 wrote to memory of 4156	4628	rundll32.exe	msiexec.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\acc23d61641e44bd6ee2a4e2080aa8841856efdbc11b4be75ffdf721f757cf07.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\acc23d61641e44bd6ee2a4e2080aa8841856efdbc11b4be75ffdf721f757cf07.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    PID:4156

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4156-134-0x0000000000B80000-0x0000000000BA6000-memory.dmp

Filesize
152KB

Download
memory/4156-135-0x0000000000B80000-0x0000000000BA6000-memory.dmp

Filesize
152KB

Download
memory/4628-131-0x0000000010000000-0x0000000010094000-memory.dmp

Filesize
592KB

Download
memory/4628-130-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4628-132-0x0000000010000000-0x0000000010094000-memory.dmp

Filesize
592KB

Download
memory/4628-133-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download