Malware Analysis Report

2024-10-18 22:53

Sample ID 220503-zssxsafbhm
Target 2d16dbdbbf095cf07cbb0ca6f52b805fbf017b0c17adddcc97501af0744a2249
SHA256 2d16dbdbbf095cf07cbb0ca6f52b805fbf017b0c17adddcc97501af0744a2249
Tags
zloader divader poll botnet trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2d16dbdbbf095cf07cbb0ca6f52b805fbf017b0c17adddcc97501af0744a2249

Threat Level: Known bad

The file 2d16dbdbbf095cf07cbb0ca6f52b805fbf017b0c17adddcc97501af0744a2249 was found to be: Known bad.

Malicious Activity Summary

zloader divader poll botnet trojan

Zloader, Terdot, DELoader, ZeusSphinx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-05-03 20:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-03 20:59

Reported

2022-05-03 21:03

Platform

win7-20220414-en

Max time kernel

26s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2d16dbdbbf095cf07cbb0ca6f52b805fbf017b0c17adddcc97501af0744a2249.dll,#1

Signatures

Zloader, Terdot, DELoader, ZeusSphinx

trojan botnet zloader

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1944 wrote to memory of 1676 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1944 wrote to memory of 1676 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1944 wrote to memory of 1676 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1944 wrote to memory of 1676 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1944 wrote to memory of 1676 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1944 wrote to memory of 1676 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1944 wrote to memory of 1676 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2d16dbdbbf095cf07cbb0ca6f52b805fbf017b0c17adddcc97501af0744a2249.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2d16dbdbbf095cf07cbb0ca6f52b805fbf017b0c17adddcc97501af0744a2249.dll,#1

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | fqnceas.su | udp
US | 20.114.17.1:443 | fqnceas.su | tcp
US | 8.8.8.8:53 | fqlocpeas.ru | udp
US | 20.114.17.1:443 | fqlocpeas.ru | tcp
US | 8.8.8.8:53 | dksaiijn.ru | udp
US | 20.114.17.1:443 | dksaiijn.ru | tcp
US | 8.8.8.8:53 | dksafjasnf.su | udp
US | 20.114.17.1:443 | dksafjasnf.su | tcp
US | 8.8.8.8:53 | fjsafasfsa.ru | udp
US | 20.114.17.1:443 | fjsafasfsa.ru | tcp
US | 8.8.8.8:53 | fjskoijafsa.ru | udp
US | 8.8.8.8:53 | kochamkkkras.ru | udp
US | 52.160.149.86:443 | kochamkkkras.ru | tcp

Files

memory/1676-54-0x0000000000000000-mapping.dmp

memory/1676-55-0x0000000076171000-0x0000000076173000-memory.dmp

memory/1676-56-0x00000000003C0000-0x000000000040B000-memory.dmp

memory/1676-57-0x0000000000230000-0x0000000000256000-memory.dmp

memory/1636-58-0x0000000000090000-0x00000000000B6000-memory.dmp

memory/1636-60-0x0000000000090000-0x00000000000B6000-memory.dmp

memory/1636-61-0x0000000000000000-mapping.dmp

memory/1636-63-0x0000000000090000-0x00000000000B6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-03 20:59

Reported

2022-05-03 21:03

Platform

win10v2004-20220414-en

Max time kernel

111s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2d16dbdbbf095cf07cbb0ca6f52b805fbf017b0c17adddcc97501af0744a2249.dll,#1

Signatures

Zloader, Terdot, DELoader, ZeusSphinx

trojan botnet zloader

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4684 wrote to memory of 3940 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4684 wrote to memory of 3940 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4684 wrote to memory of 3940 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2d16dbdbbf095cf07cbb0ca6f52b805fbf017b0c17adddcc97501af0744a2249.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2d16dbdbbf095cf07cbb0ca6f52b805fbf017b0c17adddcc97501af0744a2249.dll,#1

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe

Network

Country | Destination | Domain | Proto
NL | 104.80.224.57:443 | - | tcp
US | 20.189.173.11:443 | - | tcp
US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp
BE | 8.238.110.126:80 | - | tcp
US | 8.8.8.8:53 | d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa | udp
US | 8.8.8.8:53 | fqnceas.su | udp
US | 20.114.17.1:443 | fqnceas.su | tcp
US | 8.8.8.8:53 | fqlocpeas.ru | udp
US | 20.114.17.1:443 | fqlocpeas.ru | tcp

Files

memory/3940-131-0x0000000000000000-mapping.dmp

memory/3940-132-0x0000000002550000-0x000000000259B000-memory.dmp

memory/3940-133-0x0000000002620000-0x0000000002646000-memory.dmp

memory/4976-134-0x0000000000000000-mapping.dmp

memory/4976-135-0x00000000008E0000-0x0000000000906000-memory.dmp

memory/4976-136-0x00000000008E0000-0x0000000000906000-memory.dmp