zloader | 45f3f5d22895889574eb220c91242129153c6d85374d08665348c3bbe3414543

General

Target

45f3f5d22895889574eb220c91242129153c6d85374d08665348c3bbe3414543.dll
Size

485KB
MD5

e4a088773d56d0f6e7d1582f100b5137
SHA1

5cf878a09b2de0b664467b928ad03453e5c1491e
SHA256

45f3f5d22895889574eb220c91242129153c6d85374d08665348c3bbe3414543
SHA512

eea5d926f100f5ae136e2ea5c71530ff087349ed89aa069b1cc4490ca8bb0432e1013e953de6c56befd660acd673d388aeef3e9db0ced7cbd4dd71ed432f0f6d

Score

10^/10

zloader r1 r1 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

r1

Campaign

r1

C2

http://bsraotpeiimmrnchcqvr.com/LKhwojehDgwegSDG/gateJKjdsh.php

http://exqnbgauiphxqdeecitw.com/LKhwojehDgwegSDG/gateJKjdsh.php

http://fpbkvirfkfvufpbkvgty.com/LKhwojehDgwegSDG/gateJKjdsh.php

http://hikowojacckxccgglhvy.com/LKhwojehDgwegSDG/gateJKjdsh.php

http://kdrowkrjhrdmbxkthljt.com/LKhwojehDgwegSDG/gateJKjdsh.php

http://nvlmtlisfmcfgimicstx.com/LKhwojehDgwegSDG/gateJKjdsh.php

http://syohvyctqfcgakxepsou.com/LKhwojehDgwegSDG/gateJKjdsh.php

http://wdwrhikolxfwyyhwwfut.com/LKhwojehDgwegSDG/gateJKjdsh.php

Attributes

build_id
17

rc4.plain

rsa_pubkey.plain

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 1676 created 1296 1676 regsvr32.exe Explorer.EXE
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 1676 set thread context of 916 1676 regsvr32.exe msiexec.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

regsvr32.exe

pid process

1676 regsvr32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

regsvr32.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 1676 regsvr32.exe
Token: SeSecurityPrivilege 916 msiexec.exe
Token: SeSecurityPrivilege 916 msiexec.exe

description	pid	process	target process
PID 1676 created 1296	1676	regsvr32.exe	Explorer.EXE

description	pid	process	target process
PID 1676 set thread context of 916	1676	regsvr32.exe	msiexec.exe

pid	process
1676	regsvr32.exe

description	pid	process
Token: SeDebugPrivilege	1676	regsvr32.exe
Token: SeSecurityPrivilege	916	msiexec.exe
Token: SeSecurityPrivilege	916	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1304 wrote to memory of 1676	1304	regsvr32.exe	regsvr32.exe
PID 1304 wrote to memory of 1676	1304	regsvr32.exe	regsvr32.exe
PID 1304 wrote to memory of 1676	1304	regsvr32.exe	regsvr32.exe
PID 1304 wrote to memory of 1676	1304	regsvr32.exe	regsvr32.exe
PID 1304 wrote to memory of 1676	1304	regsvr32.exe	regsvr32.exe
PID 1304 wrote to memory of 1676	1304	regsvr32.exe	regsvr32.exe
PID 1304 wrote to memory of 1676	1304	regsvr32.exe	regsvr32.exe
PID 1676 wrote to memory of 916	1676	regsvr32.exe	msiexec.exe
PID 1676 wrote to memory of 916	1676	regsvr32.exe	msiexec.exe
PID 1676 wrote to memory of 916	1676	regsvr32.exe	msiexec.exe
PID 1676 wrote to memory of 916	1676	regsvr32.exe	msiexec.exe
PID 1676 wrote to memory of 916	1676	regsvr32.exe	msiexec.exe
PID 1676 wrote to memory of 916	1676	regsvr32.exe	msiexec.exe
PID 1676 wrote to memory of 916	1676	regsvr32.exe	msiexec.exe
PID 1676 wrote to memory of 916	1676	regsvr32.exe	msiexec.exe
PID 1676 wrote to memory of 916	1676	regsvr32.exe	msiexec.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1296

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\45f3f5d22895889574eb220c91242129153c6d85374d08665348c3bbe3414543.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\45f3f5d22895889574eb220c91242129153c6d85374d08665348c3bbe3414543.dll
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:916

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/916-60-0x00000000000D0000-0x00000000000FD000-memory.dmp

Filesize
180KB

Download
memory/916-62-0x00000000000D0000-0x00000000000FD000-memory.dmp

Filesize
180KB

Download
memory/916-63-0x0000000000000000-mapping.dmp

Download
memory/916-65-0x00000000000D0000-0x00000000000FD000-memory.dmp

Filesize
180KB

Download
memory/1304-54-0x000007FEFBDC1000-0x000007FEFBDC3000-memory.dmp

Filesize
8KB

Download
memory/1676-55-0x0000000000000000-mapping.dmp

Download
memory/1676-56-0x0000000076451000-0x0000000076453000-memory.dmp

Filesize
8KB

Download
memory/1676-57-0x0000000074970000-0x000000007499D000-memory.dmp

Filesize
180KB

Download
memory/1676-58-0x0000000074970000-0x00000000749FB000-memory.dmp

Filesize
556KB

Download
memory/1676-59-0x0000000074970000-0x00000000749FB000-memory.dmp

Filesize
556KB

Download

Analysis

Sharing