zloader | 3a738adda00a070a9d48413da9a9ae1ef4c83f05be4b3d40edefc632a354d311

Analysis

max time kernel
4294211s
max time network
157s
platform
windows7_x64
resource
win7-20220310-en
submitted
27-03-2022 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a738adda00a070a9d48413da9a9ae1ef4c83f05be4b3d40edefc632a354d311.dll
Size

344KB
MD5

73c2ec9424087728255ee5d4aa2bed02
SHA1

45dd591d72572ded756b5e7cec54489208874ef4
SHA256

3a738adda00a070a9d48413da9a9ae1ef4c83f05be4b3d40edefc632a354d311
SHA512

c9b6b3e550520ec44a937c0c9728613b3baaea41c7e806c62798b62eeb836b27a02b492bbf9c01798ad7b46429aa817cd25f02a1dc569e47471496cd85e40b40

Score

10^/10

zloader vek 25/11 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

vek

Campaign

25/11

https://notaryjean.com/wp-smarts.php

https://www.transcendereconsultancy.com/wp-smarts.php

https://descopera-romania.com/wp-smarts.php

https://hopeandfuture.org/wp-smarts.php

https://saptezile.com/wp-smarts.php

https://tifortgebinvo.tk/wp-smarts.php

Attributes

build_id
250

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 64 IoCs

flow	pid	Process
5	928	msiexec.exe
6	928	msiexec.exe
7	928	msiexec.exe
8	928	msiexec.exe
9	928	msiexec.exe
10	928	msiexec.exe
11	928	msiexec.exe
12	928	msiexec.exe
13	928	msiexec.exe
14	928	msiexec.exe
15	928	msiexec.exe
16	928	msiexec.exe
17	928	msiexec.exe
18	928	msiexec.exe
19	928	msiexec.exe
20	928	msiexec.exe
21	928	msiexec.exe
22	928	msiexec.exe
23	928	msiexec.exe
24	928	msiexec.exe
25	928	msiexec.exe
27	928	msiexec.exe
28	928	msiexec.exe
29	928	msiexec.exe
31	928	msiexec.exe
33	928	msiexec.exe
34	928	msiexec.exe
35	928	msiexec.exe
36	928	msiexec.exe
37	928	msiexec.exe
38	928	msiexec.exe
40	928	msiexec.exe
41	928	msiexec.exe
42	928	msiexec.exe
43	928	msiexec.exe
44	928	msiexec.exe
45	928	msiexec.exe
46	928	msiexec.exe
47	928	msiexec.exe
48	928	msiexec.exe
49	928	msiexec.exe
50	928	msiexec.exe
51	928	msiexec.exe
52	928	msiexec.exe
53	928	msiexec.exe
54	928	msiexec.exe
55	928	msiexec.exe
56	928	msiexec.exe
57	928	msiexec.exe
58	928	msiexec.exe
59	928	msiexec.exe
60	928	msiexec.exe
61	928	msiexec.exe
62	928	msiexec.exe
63	928	msiexec.exe
65	928	msiexec.exe
66	928	msiexec.exe
67	928	msiexec.exe
68	928	msiexec.exe
69	928	msiexec.exe
70	928	msiexec.exe
71	928	msiexec.exe
72	928	msiexec.exe
73	928	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 304 set thread context of 928	304	regsvr32.exe	30

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	928	msiexec.exe
Token: SeSecurityPrivilege	928	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 304	1744	regsvr32.exe	27
PID 1744 wrote to memory of 304	1744	regsvr32.exe	27
PID 1744 wrote to memory of 304	1744	regsvr32.exe	27
PID 1744 wrote to memory of 304	1744	regsvr32.exe	27
PID 1744 wrote to memory of 304	1744	regsvr32.exe	27
PID 1744 wrote to memory of 304	1744	regsvr32.exe	27
PID 1744 wrote to memory of 304	1744	regsvr32.exe	27
PID 304 wrote to memory of 928	304	regsvr32.exe	30
PID 304 wrote to memory of 928	304	regsvr32.exe	30
PID 304 wrote to memory of 928	304	regsvr32.exe	30
PID 304 wrote to memory of 928	304	regsvr32.exe	30
PID 304 wrote to memory of 928	304	regsvr32.exe	30
PID 304 wrote to memory of 928	304	regsvr32.exe	30
PID 304 wrote to memory of 928	304	regsvr32.exe	30
PID 304 wrote to memory of 928	304	regsvr32.exe	30
PID 304 wrote to memory of 928	304	regsvr32.exe	30

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3a738adda00a070a9d48413da9a9ae1ef4c83f05be4b3d40edefc632a354d311.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\3a738adda00a070a9d48413da9a9ae1ef4c83f05be4b3d40edefc632a354d311.dll
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:304
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    PID:928

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/304-56-0x0000000076AE1000-0x0000000076AE3000-memory.dmp

Filesize
8KB

Download
memory/304-58-0x0000000010000000-0x0000000010060000-memory.dmp

Filesize
384KB

Download
memory/304-57-0x0000000010000000-0x0000000010025000-memory.dmp

Filesize
148KB

Download
memory/304-59-0x0000000010000000-0x0000000010060000-memory.dmp

Filesize
384KB

Download
memory/928-60-0x00000000000D0000-0x00000000000F5000-memory.dmp

Filesize
148KB

Download
memory/928-62-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/928-63-0x00000000000D0000-0x00000000000F5000-memory.dmp

Filesize
148KB

Download
memory/928-66-0x00000000000D0000-0x00000000000F5000-memory.dmp

Filesize
148KB

Download
memory/1744-54-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

Filesize
8KB

Download