zloader | 6348bded936831629494c1d820fe8e3dbe3fb4d9f96940bbb4ca0c1872bef0ad

Resubmissions

14-04-2022 02:16

220414-cp91kagbem 10

04-10-2021 22:37

211004-2jzp3shcgp 10

Analysis

max time kernel
140s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
14-04-2022 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.dll
Size

444KB
MD5

c6b350b0d6f8dc37c144f76a57c9dbe7
SHA1

e637d8a29d46281a5fa97d84af1dfe1d72223157
SHA256

6348bded936831629494c1d820fe8e3dbe3fb4d9f96940bbb4ca0c1872bef0ad
SHA512

5220ff154b731a8a1d1e768552fee037cacb12412eff931384c105d4caa5483da64c11b4839ab44885214d4d8831b280687b54b2438f89a230fce68bf7692dff

Score

10^/10

zloader 26/03 botnet persistence trojan

Malware Config

Extracted

Family

zloader

Botnet

26/03

https://vfgthujbxd.xyz/milagrecf.php

https://todiks.xyz/milagrecf.php

Attributes

build_id
108

rc4.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Waivula = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Adqii\\xoer.dll,DllRegisterServer"	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4796 set thread context of 4396	4796	rundll32.exe	91

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4396	msiexec.exe
Token: SeSecurityPrivilege	4396	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 4796	1980	rundll32.exe	80
PID 1980 wrote to memory of 4796	1980	rundll32.exe	80
PID 1980 wrote to memory of 4796	1980	rundll32.exe	80
PID 4796 wrote to memory of 4396	4796	rundll32.exe	91
PID 4796 wrote to memory of 4396	4796	rundll32.exe	91
PID 4796 wrote to memory of 4396	4796	rundll32.exe	91
PID 4796 wrote to memory of 4396	4796	rundll32.exe	91
PID 4796 wrote to memory of 4396	4796	rundll32.exe	91

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmp.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmp.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:4396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4396-139-0x0000000000500000-0x000000000052E000-memory.dmp

Filesize
184KB

Download
memory/4396-140-0x0000000000500000-0x000000000052E000-memory.dmp

Filesize
184KB

Download
memory/4796-135-0x00000000753F0000-0x000000007541E000-memory.dmp

Filesize
184KB

Download
memory/4796-136-0x00000000753F0000-0x0000000075475000-memory.dmp

Filesize
532KB

Download
memory/4796-137-0x00000000753F0000-0x0000000075475000-memory.dmp

Filesize
532KB

Download