zloader | e3c48c72d0d090ac01bff8bf6d54c08a6fedcda2e527d424d6f64a70016d2ba6

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
25-06-2022 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3c48c72d0d090ac01bff8bf6d54c08a6fedcda2e527d424d6f64a70016d2ba6.dll
Size

364KB
MD5

d00f0818093c5960cb3ea0de3b93f341
SHA1

a7bdf8da3a30ac98a0df9fd0bd50f61a330056f1
SHA256

e3c48c72d0d090ac01bff8bf6d54c08a6fedcda2e527d424d6f64a70016d2ba6
SHA512

681fe9460252b315e6bc976793b0a594cfc501ad574b03525597aa0d5342201672811cf6bd86b5412d9a43df5500e43f28bdab1e5ca361e431532ecce5e5ca05

Score

10^/10

zloader apr09 canada botnet suricata trojan

Malware Config

Extracted

Family

zloader

Botnet

apr09

Campaign

Canada

http://march262020.best/post.php

http://march262020.club/post.php

http://march262020.com/post.php

http://march262020.live/post.php

http://march262020.network/post.php

http://march262020.online/post.php

http://march262020.site/post.php

http://march262020.store/post.php

http://march262020.tech/post.php

Attributes

build_id
94

rc4.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
suricata: ET MALWARE Zbot POST Request to C2
suricata: ET MALWARE Zbot POST Request to C2
suricata

Blocklisted process makes network request 8 IoCs

flow	pid	Process
35	4076	msiexec.exe
37	4076	msiexec.exe
39	4076	msiexec.exe
41	4076	msiexec.exe
46	4076	msiexec.exe
48	4076	msiexec.exe
50	4076	msiexec.exe
52	4076	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4352 set thread context of 4076	4352	rundll32.exe	88

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4076	msiexec.exe
Token: SeSecurityPrivilege	4076	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 4352	2184	rundll32.exe	80
PID 2184 wrote to memory of 4352	2184	rundll32.exe	80
PID 2184 wrote to memory of 4352	2184	rundll32.exe	80
PID 4352 wrote to memory of 4076	4352	rundll32.exe	88
PID 4352 wrote to memory of 4076	4352	rundll32.exe	88
PID 4352 wrote to memory of 4076	4352	rundll32.exe	88
PID 4352 wrote to memory of 4076	4352	rundll32.exe	88
PID 4352 wrote to memory of 4076	4352	rundll32.exe	88

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3c48c72d0d090ac01bff8bf6d54c08a6fedcda2e527d424d6f64a70016d2ba6.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3c48c72d0d090ac01bff8bf6d54c08a6fedcda2e527d424d6f64a70016d2ba6.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    PID:4076

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4076-135-0x0000000000A80000-0x0000000000AB4000-memory.dmp

Filesize
208KB

Download
memory/4076-137-0x0000000000A80000-0x0000000000AB4000-memory.dmp

Filesize
208KB

Download
memory/4076-138-0x0000000000A80000-0x0000000000AB4000-memory.dmp

Filesize
208KB

Download
memory/4352-131-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4352-132-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4352-133-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4352-136-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download