Overview

overview

10

Static

static

6ffa4cfa04...2f.dll

windows7_x64

10

6ffa4cfa04...2f.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    140s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 03:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6ffa4cfa0466047e7a320dd9aa57417d14dd9a185306fdecc9a79352d88a682f.dll

  • Size

    446KB

  • MD5

    a65312552f22156249bac2ddfc8a9811

  • SHA1

    216505bd8e3448436f6fa202e64c0046c3ee4f60

  • SHA256

    6ffa4cfa0466047e7a320dd9aa57417d14dd9a185306fdecc9a79352d88a682f

  • SHA512

    12a69f8e3940724ad203352293c6e8e257305fa6dfa04e961d292be3734233c9c934dc7f0781a93b7c4847709e26cb199c2f24673d22dafdf22ce9cf2986fb4b

Score
10/10
zloaderapr17spambotnetsuricatatrojan

Malware Config

Extracted

Family

zloader

Botnet

apr17

Campaign

spam

C2

http://wmwifbajxxbcxmucxmlc.com/post.php

http://ojnxjgfjlftfkkuxxiqd.com/post.php

http://pwkqhdgytsshkoibaake.com/post.php

http://snnmnkxdhflwgthqismb.com/post.php

http://iawfqecrwohcxnhwtofa.com/post.php

http://nlbmfsyplohyaicmxhum.com/post.php

http://fvqlkgedqjiqgapudkgq.com/post.php

http://cmmxhurildiigqghlryq.com/post.php

http://nmqsmbiabjdnuushksas.com/post.php

http://fyratyubvflktyyjiqgq.com/post.php
Attributes
  • build_id

    108

rc4.plain

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

    suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

    suricata
  • suricata: ET MALWARE Zbot POST Request to C2

    suricata: ET MALWARE Zbot POST Request to C2

    suricata
  • Blocklisted process makes network request 11 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ffa4cfa0466047e7a320dd9aa57417d14dd9a185306fdecc9a79352d88a682f.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3928
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ffa4cfa0466047e7a320dd9aa57417d14dd9a185306fdecc9a79352d88a682f.dll,#1
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:876
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of AdjustPrivilegeToken
        PID:728

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/728-134-0x0000000000000000-mapping.dmp
    Download
  • memory/728-135-0x0000000000510000-0x0000000000544000-memory.dmp
    Filesize

    208KB

    Download
  • memory/728-136-0x0000000000510000-0x0000000000544000-memory.dmp
    Filesize

    208KB

    Download
  • memory/876-130-0x0000000000000000-mapping.dmp
    Download
  • memory/876-132-0x0000000075180000-0x0000000075203000-memory.dmp
    Filesize

    524KB

    Download
  • memory/876-131-0x0000000075180000-0x00000000751B4000-memory.dmp
    Filesize

    208KB

    Download
  • memory/876-133-0x0000000075180000-0x0000000075203000-memory.dmp
    Filesize

    524KB

    Download