zloader | 3e2354b37dcfbcc1b0059cd1dfa87bc2fc3ad4d183a0dbc64768d1a11ee04bdd

Analysis

max time kernel
91s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
24-05-2022 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e2354b37dcfbcc1b0059cd1dfa87bc2fc3ad4d183a0dbc64768d1a11ee04bdd.dll
Size

364KB
MD5

c8492a0451b8379fcf2d0134a787b79a
SHA1

5ee7bc744232d53edd327fdbd8a7a77561857738
SHA256

3e2354b37dcfbcc1b0059cd1dfa87bc2fc3ad4d183a0dbc64768d1a11ee04bdd
SHA512

3e97bcf4223d3f0b3743069154a072778ce0a41af8a93ac2c4d8fe44cbce9ea9224f1d3d8886c64cb95d42a289cc3ac0ca788ad2e4316f22a55298d92498b4b5

Score

10^/10

zloader bot5 bot5 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

bot5

Campaign

bot5

https://militanttra.at/owg.php

Attributes

build_id
15

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3284 set thread context of 4780	3284	regsvr32.exe	88

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3840	4780	WerFault.exe	88

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 3284	4964	regsvr32.exe	80
PID 4964 wrote to memory of 3284	4964	regsvr32.exe	80
PID 4964 wrote to memory of 3284	4964	regsvr32.exe	80
PID 3284 wrote to memory of 4780	3284	regsvr32.exe	88
PID 3284 wrote to memory of 4780	3284	regsvr32.exe	88
PID 3284 wrote to memory of 4780	3284	regsvr32.exe	88
PID 3284 wrote to memory of 4780	3284	regsvr32.exe	88
PID 3284 wrote to memory of 4780	3284	regsvr32.exe	88

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3e2354b37dcfbcc1b0059cd1dfa87bc2fc3ad4d183a0dbc64768d1a11ee04bdd.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\3e2354b37dcfbcc1b0059cd1dfa87bc2fc3ad4d183a0dbc64768d1a11ee04bdd.dll
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3284
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    PID:4780
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 576
      4⤵
      Program crash
      PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4780 -ip 4780
1⤵
PID:4940

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4780-132-0x0000000000D30000-0x0000000000D5B000-memory.dmp

Filesize
172KB

Download
memory/4780-133-0x0000000000D30000-0x0000000000D5B000-memory.dmp

Filesize
172KB

Download