zloader | 3a738adda00a070a9d48413da9a9ae1ef4c83f05be4b3d40edefc632a354d311

Analysis

max time kernel
203s
max time network
245s
platform
windows10-2004_x64
resource
win10v2004-20220331-en
submitted
27-03-2022 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a738adda00a070a9d48413da9a9ae1ef4c83f05be4b3d40edefc632a354d311.dll
Size

344KB
MD5

73c2ec9424087728255ee5d4aa2bed02
SHA1

45dd591d72572ded756b5e7cec54489208874ef4
SHA256

3a738adda00a070a9d48413da9a9ae1ef4c83f05be4b3d40edefc632a354d311
SHA512

c9b6b3e550520ec44a937c0c9728613b3baaea41c7e806c62798b62eeb836b27a02b492bbf9c01798ad7b46429aa817cd25f02a1dc569e47471496cd85e40b40

Score

10^/10

zloader vek 25/11 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

vek

Campaign

25/11

https://notaryjean.com/wp-smarts.php

https://www.transcendereconsultancy.com/wp-smarts.php

https://descopera-romania.com/wp-smarts.php

https://hopeandfuture.org/wp-smarts.php

https://saptezile.com/wp-smarts.php

https://tifortgebinvo.tk/wp-smarts.php

Attributes

build_id
250

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2392 set thread context of 3336	2392	regsvr32.exe	83

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3336	msiexec.exe
Token: SeSecurityPrivilege	3336	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 2392	448	regsvr32.exe	78
PID 448 wrote to memory of 2392	448	regsvr32.exe	78
PID 448 wrote to memory of 2392	448	regsvr32.exe	78
PID 2392 wrote to memory of 3336	2392	regsvr32.exe	83
PID 2392 wrote to memory of 3336	2392	regsvr32.exe	83
PID 2392 wrote to memory of 3336	2392	regsvr32.exe	83
PID 2392 wrote to memory of 3336	2392	regsvr32.exe	83
PID 2392 wrote to memory of 3336	2392	regsvr32.exe	83

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3a738adda00a070a9d48413da9a9ae1ef4c83f05be4b3d40edefc632a354d311.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:448
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\3a738adda00a070a9d48413da9a9ae1ef4c83f05be4b3d40edefc632a354d311.dll
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2392-126-0x0000000010000000-0x0000000010025000-memory.dmp

Filesize
148KB

Download
memory/2392-127-0x0000000010000000-0x0000000010060000-memory.dmp

Filesize
384KB

Download
memory/2392-128-0x0000000010000000-0x0000000010060000-memory.dmp

Filesize
384KB

Download
memory/3336-130-0x0000000000900000-0x0000000000925000-memory.dmp

Filesize
148KB

Download
memory/3336-131-0x0000000000900000-0x0000000000925000-memory.dmp

Filesize
148KB

Download