zloader | 648545a9d8d6a009c81d0fc072e430a91cd2d7cc63c771fb7a88e59de7af5296

General

Target

648545a9d8d6a009c81d0fc072e430a91cd2d7cc63c771fb7a88e59de7af5296.dll
Size

156KB
MD5

0e2a67089d12bf0bfb06f54ab52369d6
SHA1

57ff02529e54b54bd4e5d51ccb28eae041163ebf
SHA256

648545a9d8d6a009c81d0fc072e430a91cd2d7cc63c771fb7a88e59de7af5296
SHA512

416de0aa9061dbed9e11cdb077f6a81bb45c15ed07e6be1d3df12561e0c47e23daaf4fa1e4d999f22354dac300c3add4300efb2a58b60b935cbab06811b0b357

Score

10^/10

zloader nut 14/08 botnet suricata trojan

Malware Config

Extracted

Family

zloader

Botnet

nut

Campaign

14/08

C2

https://girldowcahohorme.tk/wp-parsing.php

http://thegamegolfmagazine.com/wp-parsing.php

http://truvaluconsulting.com/wp-parsing.php

https://blog2.textbookrush.com/wp-parsing.php

https://curiosidadez.com.br/wp-parsing.php

https://nonchothetohear.cf/wp-parsing.php

https://sicupira8.com.br/wp-parsing.php

https://titaniumgamers.com/wp-parsing.php

Attributes

build_id
109

rc4.plain

rsa_pubkey.plain

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 4192 created 1092 4192 regsvr32.exe Explorer.EXE
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
suricata: ET MALWARE Zbot POST Request to C2
suricata: ET MALWARE Zbot POST Request to C2
suricata

description	pid	process	target process
PID 4192 created 1092	4192	regsvr32.exe	Explorer.EXE

Blocklisted process makes network request 13 IoCs

Processes:

msiexec.exe

flow	pid	process
32	2368	msiexec.exe
33	2368	msiexec.exe
34	2368	msiexec.exe
35	2368	msiexec.exe
36	2368	msiexec.exe
37	2368	msiexec.exe
39	2368	msiexec.exe
41	2368	msiexec.exe
42	2368	msiexec.exe
43	2368	msiexec.exe
44	2368	msiexec.exe
45	2368	msiexec.exe
46	2368	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 4192 set thread context of 2368 4192 regsvr32.exe msiexec.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

4192 regsvr32.exe
4192 regsvr32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

regsvr32.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 4192 regsvr32.exe
Token: SeSecurityPrivilege 2368 msiexec.exe
Token: SeSecurityPrivilege 2368 msiexec.exe

description	pid	process	target process
PID 4192 set thread context of 2368	4192	regsvr32.exe	msiexec.exe

pid	process
4192	regsvr32.exe
4192	regsvr32.exe

description	pid	process
Token: SeDebugPrivilege	4192	regsvr32.exe
Token: SeSecurityPrivilege	2368	msiexec.exe
Token: SeSecurityPrivilege	2368	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 880 wrote to memory of 4192	880	regsvr32.exe	regsvr32.exe
PID 880 wrote to memory of 4192	880	regsvr32.exe	regsvr32.exe
PID 880 wrote to memory of 4192	880	regsvr32.exe	regsvr32.exe
PID 4192 wrote to memory of 2368	4192	regsvr32.exe	msiexec.exe
PID 4192 wrote to memory of 2368	4192	regsvr32.exe	msiexec.exe
PID 4192 wrote to memory of 2368	4192	regsvr32.exe	msiexec.exe
PID 4192 wrote to memory of 2368	4192	regsvr32.exe	msiexec.exe
PID 4192 wrote to memory of 2368	4192	regsvr32.exe	msiexec.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1092
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\648545a9d8d6a009c81d0fc072e430a91cd2d7cc63c771fb7a88e59de7af5296.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\648545a9d8d6a009c81d0fc072e430a91cd2d7cc63c771fb7a88e59de7af5296.dll
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4192
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of AdjustPrivilegeToken
  PID:2368

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2368-131-0x0000000000000000-mapping.dmp

Download
memory/2368-132-0x0000000001020000-0x000000000104C000-memory.dmp

Filesize
176KB

Download
memory/2368-133-0x0000000001020000-0x000000000104C000-memory.dmp

Filesize
176KB

Download
memory/4192-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing