zloader | a104e1e3befda44a812d3c98177b05bdcb15ca48a60002b5d13256994741915b

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
19/03/2022, 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a104e1e3befda44a812d3c98177b05bdcb15ca48a60002b5d13256994741915b.dll
Size

520KB
MD5

2db23f40f56413146f1c2b1d445cbcf5
SHA1

d562a4950987411676f6ef2486d9fa3525fcc39a
SHA256

a104e1e3befda44a812d3c98177b05bdcb15ca48a60002b5d13256994741915b
SHA512

2d0ed0c47252a5588579aa79cfa5654f3c954ccf11362c7a490380c04d6365ab3f35d577d417cb5445811419afb7491a2982494047f2676692e5ae3c57756b76

Score

10^/10

zloader nut 11/12 botnet suricata trojan

Malware Config

Extracted

Family

zloader

Botnet

nut

Campaign

11/12

https://www.businessinsurancelaw.com/wp-punch.php

https://squire.ae/wp-punch.php

https://lamun.pk/wp-punch.php

https://www.rcclabbd.com/wp-punch.php

https://thecype.com/wp-punch.php

https://theterteboltallbrow.tk/wp-smarts.php

Attributes

build_id
286

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
suricata: ET MALWARE Zbot POST Request to C2
suricata: ET MALWARE Zbot POST Request to C2
suricata

Blocklisted process makes network request 22 IoCs

flow	pid	Process
17	5092	msiexec.exe
18	5092	msiexec.exe
19	5092	msiexec.exe
20	5092	msiexec.exe
25	5092	msiexec.exe
27	5092	msiexec.exe
41	5092	msiexec.exe
42	5092	msiexec.exe
50	5092	msiexec.exe
51	5092	msiexec.exe
57	5092	msiexec.exe
58	5092	msiexec.exe
60	5092	msiexec.exe
61	5092	msiexec.exe
62	5092	msiexec.exe
63	5092	msiexec.exe
64	5092	msiexec.exe
65	5092	msiexec.exe
67	5092	msiexec.exe
68	5092	msiexec.exe
72	5092	msiexec.exe
76	5092	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4884 set thread context of 5092	4884	rundll32.exe	83

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	5092	msiexec.exe
Token: SeSecurityPrivilege	5092	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 4884	4476	rundll32.exe	80
PID 4476 wrote to memory of 4884	4476	rundll32.exe	80
PID 4476 wrote to memory of 4884	4476	rundll32.exe	80
PID 4884 wrote to memory of 5092	4884	rundll32.exe	83
PID 4884 wrote to memory of 5092	4884	rundll32.exe	83
PID 4884 wrote to memory of 5092	4884	rundll32.exe	83
PID 4884 wrote to memory of 5092	4884	rundll32.exe	83
PID 4884 wrote to memory of 5092	4884	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a104e1e3befda44a812d3c98177b05bdcb15ca48a60002b5d13256994741915b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a104e1e3befda44a812d3c98177b05bdcb15ca48a60002b5d13256994741915b.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    PID:5092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4884-133-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4884-134-0x0000000010000000-0x0000000010094000-memory.dmp

Filesize
592KB

Download
memory/4884-135-0x0000000010000000-0x0000000010094000-memory.dmp

Filesize
592KB

Download
memory/4884-136-0x0000000001E50000-0x0000000001EDD000-memory.dmp

Filesize
564KB

Download
memory/5092-137-0x0000000000F50000-0x0000000000F76000-memory.dmp

Filesize
152KB

Download
memory/5092-138-0x0000000000F50000-0x0000000000F76000-memory.dmp

Filesize
152KB

Download