Analysis

  • max time kernel: 68s
  • max time network: 46s
  • platform: windows7_x64
  • resource: win7-20220414-en
  • submitted: 24-05-2022 14:36

General

  • Target: 568b1d18c325b2be411b21a34c0b5a12bfa93201694ca0a2109876007078b99d.exe
  • Size: 525KB
  • MD5: 0c4e34983b797d71c1398962286a62d0
  • SHA1: 9314f44fc32b0afb38c466781727c8fca2b2f0a9
  • SHA256: 568b1d18c325b2be411b21a34c0b5a12bfa93201694ca0a2109876007078b99d
  • SHA512: 03144ce6410b416f961c7f6e5c9fa4112be54acfcd2ed554837c55aaa07227b09e88bcc09fce44a81f0f85cda06c8a0474ecfd08164c818e189aeb883a277d72

Malware Config

Extracted

  • Family: zloader
  • Botnet: goldhub
  • Campaign: 27_mario
  • C2:
      https://209711.com/process.php
      https://106311.com/out.php
      https://124331.com/success.php
      https://1646zz.com/api.php

Attributes

  • build_id: 75
  • rc4.plain

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\568b1d18c325b2be411b21a34c0b5a12bfa93201694ca0a2109876007078b99d.exe
    "C:\Users\Admin\AppData\Local\Temp\568b1d18c325b2be411b21a34c0b5a12bfa93201694ca0a2109876007078b99d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1324
    • C:\Users\Admin\AppData\Local\Temp\568b1d18c325b2be411b21a34c0b5a12bfa93201694ca0a2109876007078b99d.exe
      "C:\Users\Admin\AppData\Local\Temp\568b1d18c325b2be411b21a34c0b5a12bfa93201694ca0a2109876007078b99d.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1384
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe
        3⤵
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        PID:1860

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1324-54-0x0000000076011000-0x0000000076013000-memory.dmp
    Filesize: 8KB
  • memory/1324-61-0x0000000000250000-0x0000000000280000-memory.dmp
    Filesize: 192KB
  • memory/1324-55-0x0000000000310000-0x0000000000342000-memory.dmp
    Filesize: 200KB
  • memory/1860-64-0x0000000000090000-0x00000000000C2000-memory.dmp
    Filesize: 200KB
  • memory/1860-62-0x0000000000090000-0x00000000000C2000-memory.dmp
    Filesize: 200KB
  • memory/1860-67-0x0000000000090000-0x00000000000C2000-memory.dmp
    Filesize: 200KB