Overview

overview

10

Static

static

74c8670a82...33.exe

windows7_x64

10

74c8670a82...33.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    02-05-2022 06:57

Sharing

Copy URL
Twitter E-mail

General

  • Target

    74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533.exe

  • Size

    194KB

  • MD5

    09874cbb134851ff3b971960916ce5bb

  • SHA1

    42d32698f9513024f024eb6d1efcd9532ac1f622

  • SHA256

    74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533

  • SHA512

    502189cc108e8c8034d957a9b6b32c29731f9a4d0811ffd147ab3ff516144521c77234c1d114694b070965c4300f36410b607828cb961c56649e04cdd697ee05

Score
10/10
zloaderr1r1botnetsuricatatrojan

Malware Config

Extracted

Family

zloader

Botnet

r1

Campaign

r1

C2

https://notsweets.net/LKhwojehDgwegSDG/gateJKjdsh.php

https://olpons.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://karamelliar.org/LKhwojehDgwegSDG/gateJKjdsh.php

https://dogrunn.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://azoraz.net/LKhwojehDgwegSDG/gateJKjdsh.php

Attributes
  • build_id

    125

rc4.plain
rsa_pubkey.plain

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • suricata: ET MALWARE Zbot POST Request to C2

    suricata: ET MALWARE Zbot POST Request to C2

    suricata
  • Blocklisted process makes network request 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    PID:2636
    • C:\Users\Admin\AppData\Local\Temp\74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533.exe
      "C:\Users\Admin\AppData\Local\Temp\74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533.exe"
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3556
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 376
        Program crash
        PID:3208
    • C:\Windows\SysWOW64\msiexec.exe
      msiexec.exe
      Blocklisted process makes network request
      Suspicious use of AdjustPrivilegeToken
      PID:2100
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3556 -ip 3556
    PID:3116

Network

MITRE ATT&CK Matrix

Replay Monitor

00:00 00:00

Downloads

  • memory/2100-133-0x0000000000000000-mapping.dmp
    Download
  • memory/2100-134-0x0000000000430000-0x0000000000458000-memory.dmp
    Filesize

    160KB

    Download
  • memory/2100-135-0x0000000000430000-0x0000000000458000-memory.dmp
    Filesize

    160KB

    Download
  • memory/3556-130-0x0000000000A28000-0x0000000000A41000-memory.dmp
    Filesize

    100KB

    Download
  • memory/3556-131-0x00000000024C0000-0x00000000024E5000-memory.dmp
    Filesize

    148KB

    Download
  • memory/3556-132-0x0000000000400000-0x00000000008CE000-memory.dmp
    Filesize

    4MB

    Download