zloader | 6ffa4cfa0466047e7a320dd9aa57417d14dd9a185306fdecc9a79352d88a682f

General

Target

6ffa4cfa0466047e7a320dd9aa57417d14dd9a185306fdecc9a79352d88a682f.dll
Size

446KB
MD5

a65312552f22156249bac2ddfc8a9811
SHA1

216505bd8e3448436f6fa202e64c0046c3ee4f60
SHA256

6ffa4cfa0466047e7a320dd9aa57417d14dd9a185306fdecc9a79352d88a682f
SHA512

12a69f8e3940724ad203352293c6e8e257305fa6dfa04e961d292be3734233c9c934dc7f0781a93b7c4847709e26cb199c2f24673d22dafdf22ce9cf2986fb4b

Score

10^/10

zloader apr17 spam botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

apr17

Campaign

spam

C2

http://wmwifbajxxbcxmucxmlc.com/post.php

http://ojnxjgfjlftfkkuxxiqd.com/post.php

http://pwkqhdgytsshkoibaake.com/post.php

http://snnmnkxdhflwgthqismb.com/post.php

http://iawfqecrwohcxnhwtofa.com/post.php

http://nlbmfsyplohyaicmxhum.com/post.php

http://fvqlkgedqjiqgapudkgq.com/post.php

http://cmmxhurildiigqghlryq.com/post.php

http://nmqsmbiabjdnuushksas.com/post.php

http://fyratyubvflktyyjiqgq.com/post.php

Attributes

build_id
108

rc4.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exe

flow pid process

5 1172 msiexec.exe
7 1172 msiexec.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 996 set thread context of 1172 996 rundll32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 1172 msiexec.exe
Token: SeSecurityPrivilege 1172 msiexec.exe

flow	pid	process
5	1172	msiexec.exe
7	1172	msiexec.exe

description	pid	process	target process
PID 996 set thread context of 1172	996	rundll32.exe	msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	1172	msiexec.exe
Token: SeSecurityPrivilege	1172	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 296 wrote to memory of 996	296	rundll32.exe	rundll32.exe
PID 296 wrote to memory of 996	296	rundll32.exe	rundll32.exe
PID 296 wrote to memory of 996	296	rundll32.exe	rundll32.exe
PID 296 wrote to memory of 996	296	rundll32.exe	rundll32.exe
PID 296 wrote to memory of 996	296	rundll32.exe	rundll32.exe
PID 296 wrote to memory of 996	296	rundll32.exe	rundll32.exe
PID 296 wrote to memory of 996	296	rundll32.exe	rundll32.exe
PID 996 wrote to memory of 1172	996	rundll32.exe	msiexec.exe
PID 996 wrote to memory of 1172	996	rundll32.exe	msiexec.exe
PID 996 wrote to memory of 1172	996	rundll32.exe	msiexec.exe
PID 996 wrote to memory of 1172	996	rundll32.exe	msiexec.exe
PID 996 wrote to memory of 1172	996	rundll32.exe	msiexec.exe
PID 996 wrote to memory of 1172	996	rundll32.exe	msiexec.exe
PID 996 wrote to memory of 1172	996	rundll32.exe	msiexec.exe
PID 996 wrote to memory of 1172	996	rundll32.exe	msiexec.exe
PID 996 wrote to memory of 1172	996	rundll32.exe	msiexec.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ffa4cfa0466047e7a320dd9aa57417d14dd9a185306fdecc9a79352d88a682f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:296
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ffa4cfa0466047e7a320dd9aa57417d14dd9a185306fdecc9a79352d88a682f.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    PID:1172

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/996-54-0x0000000000000000-mapping.dmp

Download
memory/996-55-0x0000000075BF1000-0x0000000075BF3000-memory.dmp

Filesize
8KB

Download
memory/996-57-0x0000000075500000-0x0000000075583000-memory.dmp

Filesize
524KB

Download
memory/996-56-0x0000000075500000-0x0000000075534000-memory.dmp

Filesize
208KB

Download
memory/996-58-0x0000000075500000-0x0000000075583000-memory.dmp

Filesize
524KB

Download
memory/1172-59-0x0000000000090000-0x00000000000C4000-memory.dmp

Filesize
208KB

Download
memory/1172-61-0x0000000000090000-0x00000000000C4000-memory.dmp

Filesize
208KB

Download
memory/1172-62-0x0000000000000000-mapping.dmp

Download
memory/1172-64-0x0000000000090000-0x00000000000C4000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing