Overview

overview

10

Static

static

10

648545a9d8...96.dll

windows7_x64

10

648545a9d8...96.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    154s
  • max time network
    167s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 13:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    648545a9d8d6a009c81d0fc072e430a91cd2d7cc63c771fb7a88e59de7af5296.dll

  • Size

    156KB

  • MD5

    0e2a67089d12bf0bfb06f54ab52369d6

  • SHA1

    57ff02529e54b54bd4e5d51ccb28eae041163ebf

  • SHA256

    648545a9d8d6a009c81d0fc072e430a91cd2d7cc63c771fb7a88e59de7af5296

  • SHA512

    416de0aa9061dbed9e11cdb077f6a81bb45c15ed07e6be1d3df12561e0c47e23daaf4fa1e4d999f22354dac300c3add4300efb2a58b60b935cbab06811b0b357

Score
10/10
zloadernut14/08botnettrojan

Malware Config

Extracted

Family

zloader

Botnet

nut

Campaign

14/08

C2

https://girldowcahohorme.tk/wp-parsing.php

http://thegamegolfmagazine.com/wp-parsing.php

http://truvaluconsulting.com/wp-parsing.php

https://blog2.textbookrush.com/wp-parsing.php

https://curiosidadez.com.br/wp-parsing.php

https://nonchothetohear.cf/wp-parsing.php

https://sicupira8.com.br/wp-parsing.php

https://titaniumgamers.com/wp-parsing.php
Attributes
  • build_id

    109

rc4.plain
rsa_pubkey.plain

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • Blocklisted process makes network request 14 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1312
      • C:\Windows\system32\regsvr32.exe
        regsvr32 /s C:\Users\Admin\AppData\Local\Temp\648545a9d8d6a009c81d0fc072e430a91cd2d7cc63c771fb7a88e59de7af5296.dll
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1256
        • C:\Windows\SysWOW64\regsvr32.exe
          /s C:\Users\Admin\AppData\Local\Temp\648545a9d8d6a009c81d0fc072e430a91cd2d7cc63c771fb7a88e59de7af5296.dll
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1364
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe
        2⤵
        • Blocklisted process makes network request
        • Suspicious use of AdjustPrivilegeToken
        PID:1164

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1164-57-0x0000000000090000-0x00000000000BC000-memory.dmp
      Filesize

      176KB

      Download
    • memory/1164-59-0x0000000000090000-0x00000000000BC000-memory.dmp
      Filesize

      176KB

      Download
    • memory/1164-60-0x0000000000000000-mapping.dmp
      Download
    • memory/1164-62-0x0000000000090000-0x00000000000BC000-memory.dmp
      Filesize

      176KB

      Download
    • memory/1256-54-0x000007FEFBD21000-0x000007FEFBD23000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1364-55-0x0000000000000000-mapping.dmp
      Download
    • memory/1364-56-0x0000000075951000-0x0000000075953000-memory.dmp
      Filesize

      8KB

      Download