General
Target: 45f3f5d22895889574eb220c91242129153c6d85374d08665348c3bbe3414543.dll
Filesize: 485KB
Completed: 20-05-2022 23:54
Task: behavioral2
Score: 10/10
MD5: e4a088773d56d0f6e7d1582f100b5137
SHA1: 5cf878a09b2de0b664467b928ad03453e5c1491e
SHA256: 45f3f5d22895889574eb220c91242129153c6d85374d08665348c3bbe3414543
SHA512: eea5d926f100f5ae136e2ea5c71530ff087349ed89aa069b1cc4490ca8bb0432e1013e953de6c56befd660acd673d388aeef3e9db0ced7cbd4dd71ed432f0f6d


Malware Config
Extracted
Family: zloader
Botnet: r1
Campaign: r1
C2:
Attributes
build_id: 17
rc4.plain
rsa_pubkey.plain
Signatures 2

  • Zloader, Terdot, DELoader, ZeusSphinx

    Description

    Zloader is a malware strain that was initially discovered back in August 2015.

  • Suspicious use of WriteProcessMemory
    regsvr32.exe

    Reported IOCs

    description                       pid    process        target process
    PID 4744 wrote to memory of 788   4744   regsvr32.exe   regsvr32.exe
    PID 4744 wrote to memory of 788   4744   regsvr32.exe   regsvr32.exe
    PID 4744 wrote to memory of 788   4744   regsvr32.exe   regsvr32.exe
Processes 2
  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\45f3f5d22895889574eb220c91242129153c6d85374d08665348c3bbe3414543.dll
    Suspicious use of WriteProcessMemory
    PID:4744
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\45f3f5d22895889574eb220c91242129153c6d85374d08665348c3bbe3414543.dll
      PID:788
Network
MITRE ATT&CK Matrix
Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • memory/788-133-0x0000000000000000-mapping.dmp
  • memory/788-135-0x0000000074990000-0x0000000074A1B000-memory.dmp
  • memory/788-134-0x0000000074990000-0x00000000749BD000-memory.dmp
  • memory/788-136-0x0000000074990000-0x0000000074A1B000-memory.dmp