Analysis
-
max time kernel
134s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
20-05-2022 23:37
General
-
Target
dbeba2fb33aaba42768a5ed8055cc8ca4009ad1921319f90c78b78d4f0dd9f7b.dll
-
Size
489KB
-
MD5
8c293fe05b3af514723a1639810c06a3
-
SHA1
ac2f7668c7f3049930b52a83585ac479145cd059
-
SHA256
dbeba2fb33aaba42768a5ed8055cc8ca4009ad1921319f90c78b78d4f0dd9f7b
-
SHA512
2f8db26e93c54b08944a4080e55595f348090086f849fe427f6f07b17a8a57926b1e0d6481356feb0846af0c01ffbb06122750974d3f80e2ea3c465aab1acc23
Score
10/10
Malware Config
Extracted
Family
zloader
Botnet
bot5
Campaign
bot5
C2
https://militanttra.at/owg.php
Attributes
-
build_id
15
rc4.plain
rsa_pubkey.plain
Signatures
-
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\dbeba2fb33aaba42768a5ed8055cc8ca4009ad1921319f90c78b78d4f0dd9f7b.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\dbeba2fb33aaba42768a5ed8055cc8ca4009ad1921319f90c78b78d4f0dd9f7b.dll,#12⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe3⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
512KB
-
Filesize
512KB