Overview

overview

10

Static

static

74c8670a82...33.exe

windows7_x64

10

74c8670a82...33.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    02-05-2022 06:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533.exe

  • Size

    194KB

  • MD5

    09874cbb134851ff3b971960916ce5bb

  • SHA1

    42d32698f9513024f024eb6d1efcd9532ac1f622

  • SHA256

    74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533

  • SHA512

    502189cc108e8c8034d957a9b6b32c29731f9a4d0811ffd147ab3ff516144521c77234c1d114694b070965c4300f36410b607828cb961c56649e04cdd697ee05

Score
10/10
zloaderr1r1botnetsuricatatrojan

Malware Config

Extracted

Family

zloader

Botnet

r1

Campaign

r1

C2

https://notsweets.net/LKhwojehDgwegSDG/gateJKjdsh.php

https://olpons.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://karamelliar.org/LKhwojehDgwegSDG/gateJKjdsh.php

https://dogrunn.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://azoraz.net/LKhwojehDgwegSDG/gateJKjdsh.php
Attributes
  • build_id

    125

rc4.plain
rsa_pubkey.plain

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • suricata: ET MALWARE Zbot POST Request to C2

    suricata: ET MALWARE Zbot POST Request to C2

    suricata
  • Blocklisted process makes network request 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:2636
      • C:\Users\Admin\AppData\Local\Temp\74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533.exe
        "C:\Users\Admin\AppData\Local\Temp\74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3556
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 376
          3⤵
          • Program crash
          PID:3208
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe
        2⤵
        • Blocklisted process makes network request
        • Suspicious use of AdjustPrivilegeToken
        PID:2100
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3556 -ip 3556
      1⤵
        PID:3116

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2100-133-0x0000000000000000-mapping.dmp
        Download
      • memory/2100-134-0x0000000000430000-0x0000000000458000-memory.dmp
        Filesize

        160KB

        Download
      • memory/2100-135-0x0000000000430000-0x0000000000458000-memory.dmp
        Filesize

        160KB

        Download
      • memory/3556-130-0x0000000000A28000-0x0000000000A41000-memory.dmp
        Filesize

        100KB

        Download
      • memory/3556-131-0x00000000024C0000-0x00000000024E5000-memory.dmp
        Filesize

        148KB

        Download
      • memory/3556-132-0x0000000000400000-0x00000000008CE000-memory.dmp
        Filesize

        4.8MB

        Download