Malware Analysis Report

2024-10-18 22:55

Sample ID 220520-p9fcxafgar
Target 648545a9d8d6a009c81d0fc072e430a91cd2d7cc63c771fb7a88e59de7af5296
SHA256 648545a9d8d6a009c81d0fc072e430a91cd2d7cc63c771fb7a88e59de7af5296
Tags
nut 14/08 zloader botnet trojan suricata
score
10/10

Analysis Overview

score
10/10

SHA256

648545a9d8d6a009c81d0fc072e430a91cd2d7cc63c771fb7a88e59de7af5296

Threat Level: Known bad

The file 648545a9d8d6a009c81d0fc072e430a91cd2d7cc63c771fb7a88e59de7af5296 was found to be: Known bad.

Malicious Activity Summary

nut 14/08 zloader botnet trojan suricata

suricata: ET MALWARE Zbot POST Request to C2

Zloader family

Suspicious use of NtCreateUserProcessOtherParentProcess

Zloader, Terdot, DELoader, ZeusSphinx

Blocklisted process makes network request

Suspicious use of SetThreadContext

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-05-20 13:01

Signatures

Zloader family

zloader

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-20 13:01

Reported

2022-05-20 13:09

Platform

win7-20220414-en

Max time kernel

154s

Max time network

167s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 1364 created 1312 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\Explorer.EXE

Zloader, Terdot, DELoader, ZeusSphinx

trojan botnet zloader

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1364 set thread context of 1164 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\msiexec.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1256 wrote to memory of 1364 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1256 wrote to memory of 1364 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1256 wrote to memory of 1364 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1256 wrote to memory of 1364 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1256 wrote to memory of 1364 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1256 wrote to memory of 1364 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1256 wrote to memory of 1364 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1364 wrote to memory of 1164 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\msiexec.exe
PID 1364 wrote to memory of 1164 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\msiexec.exe
PID 1364 wrote to memory of 1164 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\msiexec.exe
PID 1364 wrote to memory of 1164 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\msiexec.exe
PID 1364 wrote to memory of 1164 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\msiexec.exe
PID 1364 wrote to memory of 1164 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\msiexec.exe
PID 1364 wrote to memory of 1164 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\msiexec.exe
PID 1364 wrote to memory of 1164 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\msiexec.exe
PID 1364 wrote to memory of 1164 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\msiexec.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\648545a9d8d6a009c81d0fc072e430a91cd2d7cc63c771fb7a88e59de7af5296.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\648545a9d8d6a009c81d0fc072e430a91cd2d7cc63c771fb7a88e59de7af5296.dll

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | girldowcahohorme.tk | udp
US | 8.8.8.8:53 | thegamegolfmagazine.com | udp
DE | 81.169.145.88:80 | thegamegolfmagazine.com | tcp
DE | 81.169.145.88:80 | thegamegolfmagazine.com | tcp
DE | 81.169.145.88:80 | thegamegolfmagazine.com | tcp
DE | 81.169.145.88:80 | thegamegolfmagazine.com | tcp
DE | 81.169.145.88:80 | thegamegolfmagazine.com | tcp
DE | 81.169.145.88:80 | thegamegolfmagazine.com | tcp
US | 8.8.8.8:53 | truvaluconsulting.com | udp
US | 66.96.162.139:80 | truvaluconsulting.com | tcp
US | 8.8.8.8:53 | blog2.textbookrush.com | udp
US | 199.188.170.206:443 | blog2.textbookrush.com | tcp
US | 199.188.170.206:443 | blog2.textbookrush.com | tcp
US | 199.188.170.206:443 | blog2.textbookrush.com | tcp
US | 199.188.170.206:443 | blog2.textbookrush.com | tcp
US | 199.188.170.206:443 | blog2.textbookrush.com | tcp
US | 199.188.170.206:443 | blog2.textbookrush.com | tcp
US | 8.8.8.8:53 | curiosidadez.com.br | udp

Files

memory/1256-54-0x000007FEFBD21000-0x000007FEFBD23000-memory.dmp

memory/1364-55-0x0000000000000000-mapping.dmp

memory/1364-56-0x0000000075951000-0x0000000075953000-memory.dmp

memory/1164-57-0x0000000000090000-0x00000000000BC000-memory.dmp

memory/1164-59-0x0000000000090000-0x00000000000BC000-memory.dmp

memory/1164-60-0x0000000000000000-mapping.dmp

memory/1164-62-0x0000000000090000-0x00000000000BC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-20 13:01

Reported

2022-05-20 13:07

Platform

win10v2004-20220414-en

Max time kernel

147s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 4192 created 1092 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\Explorer.EXE

Zloader, Terdot, DELoader, ZeusSphinx

trojan botnet zloader

suricata: ET MALWARE Zbot POST Request to C2

suricata

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4192 set thread context of 2368 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\msiexec.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\648545a9d8d6a009c81d0fc072e430a91cd2d7cc63c771fb7a88e59de7af5296.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\648545a9d8d6a009c81d0fc072e430a91cd2d7cc63c771fb7a88e59de7af5296.dll

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe

Network

Country | Destination | Domain | Proto
US | 13.89.179.8:443 | | tcp
US | 8.238.111.254:80 | | tcp
US | 8.8.8.8:53 | girldowcahohorme.tk | udp
US | 8.8.8.8:53 | girldowcahohorme.tk | udp
US | 8.8.8.8:53 | girldowcahohorme.tk | udp
US | 8.8.8.8:53 | thegamegolfmagazine.com | udp
DE | 81.169.145.88:80 | thegamegolfmagazine.com | tcp
DE | 81.169.145.88:80 | thegamegolfmagazine.com | tcp
DE | 81.169.145.88:80 | thegamegolfmagazine.com | tcp
DE | 81.169.145.88:80 | thegamegolfmagazine.com | tcp
DE | 81.169.145.88:80 | thegamegolfmagazine.com | tcp
DE | 81.169.145.88:80 | thegamegolfmagazine.com | tcp
US | 8.8.8.8:53 | truvaluconsulting.com | udp
US | 66.96.162.139:80 | truvaluconsulting.com | tcp
US | 8.8.8.8:53 | blog2.textbookrush.com | udp
US | 199.188.170.206:443 | blog2.textbookrush.com | tcp
US | 199.188.170.206:443 | blog2.textbookrush.com | tcp
US | 199.188.170.206:443 | blog2.textbookrush.com | tcp
US | 199.188.170.206:443 | blog2.textbookrush.com | tcp
US | 199.188.170.206:443 | blog2.textbookrush.com | tcp
US | 199.188.170.206:443 | blog2.textbookrush.com | tcp
US | 8.8.8.8:53 | curiosidadez.com.br | udp

Files

memory/4192-130-0x0000000000000000-mapping.dmp

memory/2368-131-0x0000000000000000-mapping.dmp

memory/2368-132-0x0000000001020000-0x000000000104C000-memory.dmp

memory/2368-133-0x0000000001020000-0x000000000104C000-memory.dmp