zloader | a104e1e3befda44a812d3c98177b05bdcb15ca48a60002b5d13256994741915b

General

Target

a104e1e3befda44a812d3c98177b05bdcb15ca48a60002b5d13256994741915b.dll
Size

520KB
MD5

2db23f40f56413146f1c2b1d445cbcf5
SHA1

d562a4950987411676f6ef2486d9fa3525fcc39a
SHA256

a104e1e3befda44a812d3c98177b05bdcb15ca48a60002b5d13256994741915b
SHA512

2d0ed0c47252a5588579aa79cfa5654f3c954ccf11362c7a490380c04d6365ab3f35d577d417cb5445811419afb7491a2982494047f2676692e5ae3c57756b76

Score

10^/10

zloader nut 11/12 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

nut

Campaign

11/12

C2

https://www.businessinsurancelaw.com/wp-punch.php

https://squire.ae/wp-punch.php

https://lamun.pk/wp-punch.php

https://www.rcclabbd.com/wp-punch.php

https://thecype.com/wp-punch.php

https://theterteboltallbrow.tk/wp-smarts.php

Attributes

build_id
286

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 56 IoCs

Processes:

msiexec.exe

flow	pid	process
5	1760	msiexec.exe
7	1760	msiexec.exe
8	1760	msiexec.exe
9	1760	msiexec.exe
10	1760	msiexec.exe
11	1760	msiexec.exe
12	1760	msiexec.exe
20	1760	msiexec.exe
21	1760	msiexec.exe
22	1760	msiexec.exe
23	1760	msiexec.exe
24	1760	msiexec.exe
25	1760	msiexec.exe
26	1760	msiexec.exe
27	1760	msiexec.exe
28	1760	msiexec.exe
29	1760	msiexec.exe
30	1760	msiexec.exe
31	1760	msiexec.exe
32	1760	msiexec.exe
33	1760	msiexec.exe
34	1760	msiexec.exe
35	1760	msiexec.exe
36	1760	msiexec.exe
37	1760	msiexec.exe
38	1760	msiexec.exe
39	1760	msiexec.exe
40	1760	msiexec.exe
41	1760	msiexec.exe
42	1760	msiexec.exe
43	1760	msiexec.exe
45	1760	msiexec.exe
46	1760	msiexec.exe
47	1760	msiexec.exe
48	1760	msiexec.exe
49	1760	msiexec.exe
50	1760	msiexec.exe
51	1760	msiexec.exe
52	1760	msiexec.exe
53	1760	msiexec.exe
54	1760	msiexec.exe
55	1760	msiexec.exe
56	1760	msiexec.exe
57	1760	msiexec.exe
58	1760	msiexec.exe
59	1760	msiexec.exe
60	1760	msiexec.exe
61	1760	msiexec.exe
62	1760	msiexec.exe
63	1760	msiexec.exe
64	1760	msiexec.exe
65	1760	msiexec.exe
67	1760	msiexec.exe
68	1760	msiexec.exe
69	1760	msiexec.exe
71	1760	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1532 set thread context of 1760 1532 rundll32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 1760 msiexec.exe
Token: SeSecurityPrivilege 1760 msiexec.exe

description	pid	process	target process
PID 1532 set thread context of 1760	1532	rundll32.exe	msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	1760	msiexec.exe
Token: SeSecurityPrivilege	1760	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1464 wrote to memory of 1532	1464	rundll32.exe	rundll32.exe
PID 1464 wrote to memory of 1532	1464	rundll32.exe	rundll32.exe
PID 1464 wrote to memory of 1532	1464	rundll32.exe	rundll32.exe
PID 1464 wrote to memory of 1532	1464	rundll32.exe	rundll32.exe
PID 1464 wrote to memory of 1532	1464	rundll32.exe	rundll32.exe
PID 1464 wrote to memory of 1532	1464	rundll32.exe	rundll32.exe
PID 1464 wrote to memory of 1532	1464	rundll32.exe	rundll32.exe
PID 1532 wrote to memory of 1760	1532	rundll32.exe	msiexec.exe
PID 1532 wrote to memory of 1760	1532	rundll32.exe	msiexec.exe
PID 1532 wrote to memory of 1760	1532	rundll32.exe	msiexec.exe
PID 1532 wrote to memory of 1760	1532	rundll32.exe	msiexec.exe
PID 1532 wrote to memory of 1760	1532	rundll32.exe	msiexec.exe
PID 1532 wrote to memory of 1760	1532	rundll32.exe	msiexec.exe
PID 1532 wrote to memory of 1760	1532	rundll32.exe	msiexec.exe
PID 1532 wrote to memory of 1760	1532	rundll32.exe	msiexec.exe
PID 1532 wrote to memory of 1760	1532	rundll32.exe	msiexec.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a104e1e3befda44a812d3c98177b05bdcb15ca48a60002b5d13256994741915b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a104e1e3befda44a812d3c98177b05bdcb15ca48a60002b5d13256994741915b.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    PID:1760

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1532-54-0x0000000075AA1000-0x0000000075AA3000-memory.dmp

Filesize
8KB

Download
memory/1532-56-0x0000000010000000-0x0000000010094000-memory.dmp

Filesize
592KB

Download
memory/1532-55-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/1532-57-0x0000000010000000-0x0000000010094000-memory.dmp

Filesize
592KB

Download
memory/1532-58-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1760-59-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/1760-61-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1760-63-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/1760-65-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing