Malware Analysis Report

2024-10-18 22:54

Sample ID: 220520-ee3vlsbdap
Target: 6ffa4cfa0466047e7a320dd9aa57417d14dd9a185306fdecc9a79352d88a682f
SHA256: 6ffa4cfa0466047e7a320dd9aa57417d14dd9a185306fdecc9a79352d88a682f
Tags: zloader apr17 spam botnet trojan suricata
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 6ffa4cfa0466047e7a320dd9aa57417d14dd9a185306fdecc9a79352d88a682f

Threat Level: Known bad

The file 6ffa4cfa0466047e7a320dd9aa57417d14dd9a185306fdecc9a79352d88a682f was found to be: Known bad.

Malicious Activity Summary

zloader apr17 spam botnet trojan suricata

suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

suricata: ET MALWARE Zbot POST Request to C2

Zloader, Terdot, DELoader, ZeusSphinx

Blocklisted process makes network request

Suspicious use of SetThreadContext

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2022-05-20 03:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-05-20 03:52
Reported: 2022-05-20 04:07
Platform: win7-20220414-en
Max time kernel: 184s
Max time network: 191s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ffa4cfa0466047e7a320dd9aa57417d14dd9a185306fdecc9a79352d88a682f.dll,#1

Signatures

Zloader, Terdot, DELoader, ZeusSphinx

trojan botnet zloader

Blocklisted process makes network request

Description  Indicator  Process                          Target
N/A          N/A        C:\Windows\SysWOW64\msiexec.exe  N/A
N/A          N/A        C:\Windows\SysWOW64\msiexec.exe  N/A

Suspicious use of SetThreadContext

Description                         Indicator  Process                           Target
PID 996 set thread context of 1172  N/A        C:\Windows\SysWOW64\rundll32.exe  C:\Windows\SysWOW64\msiexec.exe

Suspicious use of AdjustPrivilegeToken

Description                 Indicator  Process                          Target
Token: SeSecurityPrivilege  N/A        C:\Windows\SysWOW64\msiexec.exe  N/A
Token: SeSecurityPrivilege  N/A        C:\Windows\SysWOW64\msiexec.exe  N/A

Suspicious use of WriteProcessMemory

Description                      Indicator  Process                           Target
PID 296 wrote to memory of 996   N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 296 wrote to memory of 996   N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 296 wrote to memory of 996   N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 296 wrote to memory of 996   N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 296 wrote to memory of 996   N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 296 wrote to memory of 996   N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 296 wrote to memory of 996   N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 996 wrote to memory of 1172  N/A        C:\Windows\SysWOW64\rundll32.exe  C:\Windows\SysWOW64\msiexec.exe
PID 996 wrote to memory of 1172  N/A        C:\Windows\SysWOW64\rundll32.exe  C:\Windows\SysWOW64\msiexec.exe
PID 996 wrote to memory of 1172  N/A        C:\Windows\SysWOW64\rundll32.exe  C:\Windows\SysWOW64\msiexec.exe
PID 996 wrote to memory of 1172  N/A        C:\Windows\SysWOW64\rundll32.exe  C:\Windows\SysWOW64\msiexec.exe
PID 996 wrote to memory of 1172  N/A        C:\Windows\SysWOW64\rundll32.exe  C:\Windows\SysWOW64\msiexec.exe
PID 996 wrote to memory of 1172  N/A        C:\Windows\SysWOW64\rundll32.exe  C:\Windows\SysWOW64\msiexec.exe
PID 996 wrote to memory of 1172  N/A        C:\Windows\SysWOW64\rundll32.exe  C:\Windows\SysWOW64\msiexec.exe
PID 996 wrote to memory of 1172  N/A        C:\Windows\SysWOW64\rundll32.exe  C:\Windows\SysWOW64\msiexec.exe
PID 996 wrote to memory of 1172  N/A        C:\Windows\SysWOW64\rundll32.exe  C:\Windows\SysWOW64\msiexec.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ffa4cfa0466047e7a320dd9aa57417d14dd9a185306fdecc9a79352d88a682f.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ffa4cfa0466047e7a320dd9aa57417d14dd9a185306fdecc9a79352d88a682f.dll,#1

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe

Network

Country  Destination         Domain                    Proto
US       8.8.8.8:53          wmwifbajxxbcxmucxmlc.com  udp
US       13.87.185.199:80    wmwifbajxxbcxmucxmlc.com  tcp
US       8.8.8.8:53          ojnxjgfjlftfkkuxxiqd.com  udp
US       20.114.17.1:80      ojnxjgfjlftfkkuxxiqd.com  tcp

Files

memory/996-54-0x0000000000000000-mapping.dmp

memory/996-55-0x0000000075BF1000-0x0000000075BF3000-memory.dmp

memory/996-57-0x0000000075500000-0x0000000075583000-memory.dmp

memory/996-56-0x0000000075500000-0x0000000075534000-memory.dmp

memory/996-58-0x0000000075500000-0x0000000075583000-memory.dmp

memory/1172-59-0x0000000000090000-0x00000000000C4000-memory.dmp

memory/1172-61-0x0000000000090000-0x00000000000C4000-memory.dmp

memory/1172-62-0x0000000000000000-mapping.dmp

memory/1172-64-0x0000000000090000-0x00000000000C4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-05-20 03:52
Reported: 2022-05-20 04:07
Platform: win10v2004-20220414-en
Max time kernel: 140s
Max time network: 148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ffa4cfa0466047e7a320dd9aa57417d14dd9a185306fdecc9a79352d88a682f.dll,#1

Signatures

Zloader, Terdot, DELoader, ZeusSphinx

trojan botnet zloader

suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

suricata

suricata: ET MALWARE Zbot POST Request to C2

suricata

Suspicious use of SetThreadContext

Description                        Indicator  Process                           Target
PID 876 set thread context of 728  N/A        C:\Windows\SysWOW64\rundll32.exe  C:\Windows\SysWOW64\msiexec.exe

Suspicious use of AdjustPrivilegeToken

Description                 Indicator  Process                          Target
Token: SeSecurityPrivilege  N/A        C:\Windows\SysWOW64\msiexec.exe  N/A
Token: SeSecurityPrivilege  N/A        C:\Windows\SysWOW64\msiexec.exe  N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ffa4cfa0466047e7a320dd9aa57417d14dd9a185306fdecc9a79352d88a682f.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ffa4cfa0466047e7a320dd9aa57417d14dd9a185306fdecc9a79352d88a682f.dll,#1

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe

Network

Country  Destination         Domain                    Proto
US       20.189.173.6:443                              tcp
CH       173.222.108.226:80                            tcp
US       204.79.197.203:80                             tcp
NL       104.97.14.80:80                               tcp
US       8.8.8.8:53          wmwifbajxxbcxmucxmlc.com  udp
US       13.87.185.199:80    wmwifbajxxbcxmucxmlc.com  tcp
US       8.8.8.8:53          ojnxjgfjlftfkkuxxiqd.com  udp
US       20.114.17.1:80      ojnxjgfjlftfkkuxxiqd.com  tcp
US       8.8.8.8:53          pwkqhdgytsshkoibaake.com  udp
US       206.191.152.37:80   pwkqhdgytsshkoibaake.com  tcp
US       8.8.8.8:53          snnmnkxdhflwgthqismb.com  udp
US       199.21.76.77:80     snnmnkxdhflwgthqismb.com  tcp
US       8.8.8.8:53          iawfqecrwohcxnhwtofa.com  udp
US       206.191.152.58:80   iawfqecrwohcxnhwtofa.com  tcp
US       8.8.8.8:53          nlbmfsyplohyaicmxhum.com  udp
US       206.191.152.37:80   nlbmfsyplohyaicmxhum.com  tcp
US       8.8.8.8:53          fvqlkgedqjiqgapudkgq.com  udp
US       199.21.76.77:80     fvqlkgedqjiqgapudkgq.com  tcp
US       8.8.8.8:53          cmmxhurildiigqghlryq.com  udp
SG       63.251.126.10:80    cmmxhurildiigqghlryq.com  tcp
US       8.8.8.8:53          nmqsmbiabjdnuushksas.com  udp
US       199.21.76.81:80     nmqsmbiabjdnuushksas.com  tcp
US       8.8.8.8:53          fyratyubvflktyyjiqgq.com  udp
US       107.6.74.76:80      fyratyubvflktyyjiqgq.com  tcp
US       107.6.74.76:80      fyratyubvflktyyjiqgq.com  tcp

Files

memory/876-130-0x0000000000000000-mapping.dmp

memory/876-132-0x0000000075180000-0x0000000075203000-memory.dmp

memory/876-131-0x0000000075180000-0x00000000751B4000-memory.dmp

memory/876-133-0x0000000075180000-0x0000000075203000-memory.dmp

memory/728-134-0x0000000000000000-mapping.dmp

memory/728-135-0x0000000000510000-0x0000000000544000-memory.dmp

memory/728-136-0x0000000000510000-0x0000000000544000-memory.dmp