zloader | 889722c569e213d506fd37d940b1056cac7b1baf981276313178d5cc429e13e8

General

Target

889722c569e213d506fd37d940b1056cac7b1baf981276313178d5cc429e13e8.dll
Size

334KB
MD5

68614fa2335fb83b70f21e9a52d21564
SHA1

108dbe69275819d24db77fc168acf55eedf12889
SHA256

889722c569e213d506fd37d940b1056cac7b1baf981276313178d5cc429e13e8
SHA512

6a1ead3489c7bc789b4e4e4eed665e4d1036e14191449e2604bb6ef72e6cf6345f89e494c5beeac80f15d60b9d2d08bb93298b9bd0dcdd1a9511df5a0ed9475f

Score

10^/10

zloader 27/02 botnet persistence trojan

Malware Config

Extracted

Family

zloader

Botnet

27/02

C2

https://soficatan.site/milagrecf.php

https://barbeyo.xyz/milagrecf.php

Attributes

build_id
70

rc4.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ciadu = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Hebiug\\hocou.dll,DllRegisterServer"	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 652 set thread context of 836	652	rundll32.exe	29

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	836	msiexec.exe
Token: SeSecurityPrivilege	836	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 652	2024	rundll32.exe	28
PID 2024 wrote to memory of 652	2024	rundll32.exe	28
PID 2024 wrote to memory of 652	2024	rundll32.exe	28
PID 2024 wrote to memory of 652	2024	rundll32.exe	28
PID 2024 wrote to memory of 652	2024	rundll32.exe	28
PID 2024 wrote to memory of 652	2024	rundll32.exe	28
PID 2024 wrote to memory of 652	2024	rundll32.exe	28
PID 652 wrote to memory of 836	652	rundll32.exe	29
PID 652 wrote to memory of 836	652	rundll32.exe	29
PID 652 wrote to memory of 836	652	rundll32.exe	29
PID 652 wrote to memory of 836	652	rundll32.exe	29
PID 652 wrote to memory of 836	652	rundll32.exe	29
PID 652 wrote to memory of 836	652	rundll32.exe	29
PID 652 wrote to memory of 836	652	rundll32.exe	29
PID 652 wrote to memory of 836	652	rundll32.exe	29
PID 652 wrote to memory of 836	652	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\889722c569e213d506fd37d940b1056cac7b1baf981276313178d5cc429e13e8.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\889722c569e213d506fd37d940b1056cac7b1baf981276313178d5cc429e13e8.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:652
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/652-55-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download
memory/652-57-0x0000000075200000-0x0000000075356000-memory.dmp

Filesize
1.3MB

Download
memory/652-56-0x0000000075200000-0x0000000075225000-memory.dmp

Filesize
148KB

Download
memory/652-58-0x0000000075200000-0x0000000075356000-memory.dmp

Filesize
1.3MB

Download
memory/652-63-0x0000000075200000-0x0000000075356000-memory.dmp

Filesize
1.3MB

Download
memory/836-59-0x00000000000D0000-0x00000000000F5000-memory.dmp

Filesize
148KB

Download
memory/836-61-0x00000000000D0000-0x00000000000F5000-memory.dmp

Filesize
148KB

Download
memory/836-65-0x00000000000D0000-0x00000000000F5000-memory.dmp

Filesize
148KB

Download
memory/836-66-0x00000000000D0000-0x00000000000F5000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing