zloader | e57034ed17a79c4198e23e87bc0100cc3513238d6f9b1e0889522c63800f44ed

General

Target

e57034ed17a79c4198e23e87bc0100cc3513238d6f9b1e0889522c63800f44ed.exe
Size

169KB
MD5

900db9b536bab558fef69814e4b9e527
SHA1

06ee45efd3d0276f79acec03dfd153ac75902a19
SHA256

e57034ed17a79c4198e23e87bc0100cc3513238d6f9b1e0889522c63800f44ed
SHA512

3d722dd1d901e3c5881f94e86c754f7af8fa37af2a867e2b1947a3caed106def13ac9d33cb1f70577558322b1b868621647c7199c286d1eaf0ed8be5a8ddbac2

Score

10^/10

zloader canadaloads nerino botnet persistence trojan

Malware Config

Extracted

Family

zloader

Botnet

CanadaLoads

Campaign

Nerino

C2

https://telsspelsa2.com/bFnF0y1r/7QKpXmV3Pz.php

https://redditmyways.com/bFnF0y1r/7QKpXmV3Pz.php

https://rrspmlsd1.com/bFnF0y1r/7QKpXmV3Pz.php

https://reservationsffrec.com/bFnF0y1r/7QKpXmV3Pz.php

https://tempmailsin112.com/bFnF0y1r/7QKpXmV3Pz.php

https://roadonroadonroad.com/bFnF0y1r/7QKpXmV3Pz.php

https://roadtocaliss.com/bFnF0y1r/7QKpXmV3Pz.php

https://referrer222.com/bFnF0y1r/7QKpXmV3Pz.php

https://makeitrainfordee.com/bFnF0y1r/7QKpXmV3Pz.php

https://makeitrainforffeer.com/bFnF0y1r/7QKpXmV3Pz.php

Attributes

build_id
64

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ykwehix = "C:\\Users\\Admin\\AppData\\Roaming\\Cuym\\gidoomug.exe"	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1528 set thread context of 912	1528	e57034ed17a79c4198e23e87bc0100cc3513238d6f9b1e0889522c63800f44ed.exe	27

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	912	msiexec.exe
Token: SeSecurityPrivilege	912	msiexec.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 912	1528	e57034ed17a79c4198e23e87bc0100cc3513238d6f9b1e0889522c63800f44ed.exe	27
PID 1528 wrote to memory of 912	1528	e57034ed17a79c4198e23e87bc0100cc3513238d6f9b1e0889522c63800f44ed.exe	27
PID 1528 wrote to memory of 912	1528	e57034ed17a79c4198e23e87bc0100cc3513238d6f9b1e0889522c63800f44ed.exe	27
PID 1528 wrote to memory of 912	1528	e57034ed17a79c4198e23e87bc0100cc3513238d6f9b1e0889522c63800f44ed.exe	27
PID 1528 wrote to memory of 912	1528	e57034ed17a79c4198e23e87bc0100cc3513238d6f9b1e0889522c63800f44ed.exe	27
PID 1528 wrote to memory of 912	1528	e57034ed17a79c4198e23e87bc0100cc3513238d6f9b1e0889522c63800f44ed.exe	27
PID 1528 wrote to memory of 912	1528	e57034ed17a79c4198e23e87bc0100cc3513238d6f9b1e0889522c63800f44ed.exe	27
PID 1528 wrote to memory of 912	1528	e57034ed17a79c4198e23e87bc0100cc3513238d6f9b1e0889522c63800f44ed.exe	27
PID 1528 wrote to memory of 912	1528	e57034ed17a79c4198e23e87bc0100cc3513238d6f9b1e0889522c63800f44ed.exe	27

C:\Users\Admin\AppData\Local\Temp\e57034ed17a79c4198e23e87bc0100cc3513238d6f9b1e0889522c63800f44ed.exe
"C:\Users\Admin\AppData\Local\Temp\e57034ed17a79c4198e23e87bc0100cc3513238d6f9b1e0889522c63800f44ed.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/912-57-0x00000000000D0000-0x00000000000FB000-memory.dmp

Filesize
172KB

Download
memory/912-59-0x00000000000D0000-0x00000000000FB000-memory.dmp

Filesize
172KB

Download
memory/912-61-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/912-62-0x00000000000D0000-0x00000000000FB000-memory.dmp

Filesize
172KB

Download
memory/1528-54-0x000000000101B000-0x0000000001035000-memory.dmp

Filesize
104KB

Download
memory/1528-55-0x00000000002A0000-0x00000000002C8000-memory.dmp

Filesize
160KB

Download
memory/1528-56-0x0000000000400000-0x0000000000F87000-memory.dmp

Filesize
11.5MB

Download

Analysis

Sharing