Malware Analysis Report

2024-10-18 22:53

Sample ID: 220503-zsncascef8
Target: 2f96c155ca7d4984430d0aa0af64689d761e875ccb35dd9d88fb95c48dae1db3
SHA256: 2f96c155ca7d4984430d0aa0af64689d761e875ccb35dd9d88fb95c48dae1db3
Tags: zloader divader poll botnet trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 2f96c155ca7d4984430d0aa0af64689d761e875ccb35dd9d88fb95c48dae1db3

Threat Level: Known bad

The file 2f96c155ca7d4984430d0aa0af64689d761e875ccb35dd9d88fb95c48dae1db3 was found to be: Known bad.

Malicious Activity Summary

zloader divader poll botnet trojan

Zloader, Terdot, DELoader, ZeusSphinx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2022-05-03 20:58

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-05-03 20:58

Reported: 2022-05-03 21:04

Platform: win7-20220414-en

Max time kernel: 49s

Max time network: 156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2f96c155ca7d4984430d0aa0af64689d761e875ccb35dd9d88fb95c48dae1db3.dll,#1

Signatures

Zloader, Terdot, DELoader, ZeusSphinx

trojan botnet zloader

Suspicious use of WriteProcessMemory

Description                        Indicator  Process                           Target
PID 1724 wrote to memory of 1100   N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 1724 wrote to memory of 1100   N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 1724 wrote to memory of 1100   N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 1724 wrote to memory of 1100   N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 1724 wrote to memory of 1100   N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 1724 wrote to memory of 1100   N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 1724 wrote to memory of 1100   N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2f96c155ca7d4984430d0aa0af64689d761e875ccb35dd9d88fb95c48dae1db3.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2f96c155ca7d4984430d0aa0af64689d761e875ccb35dd9d88fb95c48dae1db3.dll,#1

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe

Network

Country  Destination        Domain         Proto
US       8.8.8.8:53         fqnceas.su     udp
US       20.114.17.1:443    fqnceas.su     tcp
US       8.8.8.8:53         fqlocpeas.ru   udp
US       20.114.17.1:443    fqlocpeas.ru   tcp
US       8.8.8.8:53         dksaiijn.ru    udp
US       20.114.17.1:443    dksaiijn.ru    tcp
US       8.8.8.8:53         dksafjasnf.su  udp
US       20.114.17.1:443    dksafjasnf.su  tcp
US       8.8.8.8:53         fjsafasfsa.ru  udp
US       20.114.17.1:443    fjsafasfsa.ru  tcp
US       8.8.8.8:53         fjskoijafsa.ru udp

Files

memory/1100-54-0x0000000000000000-mapping.dmp

memory/1100-55-0x0000000075381000-0x0000000075383000-memory.dmp

memory/1100-56-0x0000000000220000-0x000000000026B000-memory.dmp

memory/1100-57-0x0000000000600000-0x0000000000626000-memory.dmp

memory/936-58-0x0000000000090000-0x00000000000B6000-memory.dmp

memory/936-60-0x0000000000090000-0x00000000000B6000-memory.dmp

memory/936-61-0x0000000000000000-mapping.dmp

memory/936-63-0x0000000000090000-0x00000000000B6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-05-03 20:58

Reported: 2022-05-03 21:04

Platform: win10v2004-20220414-en

Max time kernel: 62s

Max time network: 164s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2f96c155ca7d4984430d0aa0af64689d761e875ccb35dd9d88fb95c48dae1db3.dll,#1

Signatures

Zloader, Terdot, DELoader, ZeusSphinx

trojan botnet zloader

Suspicious use of WriteProcessMemory

Description                        Indicator  Process                           Target
PID 2956 wrote to memory of 740    N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 2956 wrote to memory of 740    N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 2956 wrote to memory of 740    N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2f96c155ca7d4984430d0aa0af64689d761e875ccb35dd9d88fb95c48dae1db3.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2f96c155ca7d4984430d0aa0af64689d761e875ccb35dd9d88fb95c48dae1db3.dll,#1

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe

Network

Country  Destination          Domain                      Proto
GB       51.104.15.253:443    (none)                      tcp
NL       104.110.191.140:80   (none)                      tcp
NL       104.110.191.133:80   (none)                      tcp
NL       104.110.191.140:80   (none)                      tcp
US       8.8.8.8:53           14.110.152.52.in-addr.arpa  udp
US       8.253.183.120:80     (none)                      tcp
US       8.253.183.120:80     (none)                      tcp
US       8.8.8.8:53           fqnceas.su                  udp
US       20.114.17.1:443      fqnceas.su                  tcp
US       8.8.8.8:53           fqlocpeas.ru                udp
US       20.114.17.1:443      fqlocpeas.ru                tcp
US       8.8.8.8:53           dksaiijn.ru                 udp
US       20.114.17.1:443      dksaiijn.ru                 tcp
US       8.8.8.8:53           dksafjasnf.su               udp
US       20.114.17.1:443      dksafjasnf.su               tcp
US       8.8.8.8:53           fjsafasfsa.ru               udp
US       20.114.17.1:443      fjsafasfsa.ru               tcp
US       8.8.8.8:53           fjskoijafsa.ru              udp
US       8.8.8.8:53           fjskoijafsa.ru              udp
US       8.8.8.8:53           fjskoijafsa.ru              udp
US       8.8.8.8:53           kochamkkkras.ru             udp
US       52.160.149.86:443    kochamkkkras.ru             tcp
US       52.160.149.86:443    kochamkkkras.ru             tcp

Files

memory/740-130-0x0000000000000000-mapping.dmp

memory/740-131-0x0000000001280000-0x00000000012CB000-memory.dmp

memory/740-132-0x0000000002B20000-0x0000000002B46000-memory.dmp

memory/4696-133-0x0000000000000000-mapping.dmp

memory/4696-134-0x0000000000760000-0x0000000000786000-memory.dmp

memory/4696-135-0x0000000000760000-0x0000000000786000-memory.dmp