zloader | 58afcdc59220bd54561c650d1c9f1ebed87e517dc747dfc7d243bd19708b7222

Analysis

max time kernel
585s
max time network
587s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-10-2022 06:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58afcdc59220bd54561c650d1c9f1ebed87e517dc747dfc7d243bd19708b7222_unpacked.exe
Size

141KB
MD5

a74a0a84a2ed0674e540ac9aa4405638
SHA1

6ea4c0b33b660908b6032252c345c1936364390e
SHA256

58afcdc59220bd54561c650d1c9f1ebed87e517dc747dfc7d243bd19708b7222
SHA512

a7dc0515208a02ebaec31b39c74bcf366ea2deaac7f7bbbe2b748273c53868144dec8e129f909a8b5d46c0598db384581977f51a42b2b19fb1da15d62699262c
SSDEEP

3072:Ze6xD8emYCB6K8WfJnIFwWmVteLz+isF:ZeqfmXFXW8wzc

Score

10^/10

zloader -test2 web7-test2 botnet persistence trojan

Malware Config

Extracted

Family

zloader

Botnet

-test2

Campaign

web7-test2

https://45.72.3.132/web7643/gate.php

Attributes

build_id
929195383

rc4.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 30 IoCs

flow	pid	Process
4	1684	msiexec.exe
5	1684	msiexec.exe
6	1684	msiexec.exe
7	1684	msiexec.exe
8	1684	msiexec.exe
9	1684	msiexec.exe
10	1684	msiexec.exe
11	1684	msiexec.exe
12	1684	msiexec.exe
13	1684	msiexec.exe
15	1684	msiexec.exe
16	1684	msiexec.exe
17	1684	msiexec.exe
18	1684	msiexec.exe
19	1684	msiexec.exe
20	1684	msiexec.exe
21	1684	msiexec.exe
22	1684	msiexec.exe
23	1684	msiexec.exe
24	1684	msiexec.exe
26	1684	msiexec.exe
27	1684	msiexec.exe
28	1684	msiexec.exe
29	1684	msiexec.exe
30	1684	msiexec.exe
31	1684	msiexec.exe
32	1684	msiexec.exe
33	1684	msiexec.exe
34	1684	msiexec.exe
35	1684	msiexec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ufah = "C:\\Users\\Admin\\AppData\\Roaming\\Ihfab\\fufeof.exe"	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1132 set thread context of 1684	1132	58afcdc59220bd54561c650d1c9f1ebed87e517dc747dfc7d243bd19708b7222_unpacked.exe	27

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1684	msiexec.exe
Token: SeSecurityPrivilege	1684	msiexec.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 1684	1132	58afcdc59220bd54561c650d1c9f1ebed87e517dc747dfc7d243bd19708b7222_unpacked.exe	27
PID 1132 wrote to memory of 1684	1132	58afcdc59220bd54561c650d1c9f1ebed87e517dc747dfc7d243bd19708b7222_unpacked.exe	27
PID 1132 wrote to memory of 1684	1132	58afcdc59220bd54561c650d1c9f1ebed87e517dc747dfc7d243bd19708b7222_unpacked.exe	27
PID 1132 wrote to memory of 1684	1132	58afcdc59220bd54561c650d1c9f1ebed87e517dc747dfc7d243bd19708b7222_unpacked.exe	27
PID 1132 wrote to memory of 1684	1132	58afcdc59220bd54561c650d1c9f1ebed87e517dc747dfc7d243bd19708b7222_unpacked.exe	27
PID 1132 wrote to memory of 1684	1132	58afcdc59220bd54561c650d1c9f1ebed87e517dc747dfc7d243bd19708b7222_unpacked.exe	27
PID 1132 wrote to memory of 1684	1132	58afcdc59220bd54561c650d1c9f1ebed87e517dc747dfc7d243bd19708b7222_unpacked.exe	27
PID 1132 wrote to memory of 1684	1132	58afcdc59220bd54561c650d1c9f1ebed87e517dc747dfc7d243bd19708b7222_unpacked.exe	27
PID 1132 wrote to memory of 1684	1132	58afcdc59220bd54561c650d1c9f1ebed87e517dc747dfc7d243bd19708b7222_unpacked.exe	27

C:\Users\Admin\AppData\Local\Temp\58afcdc59220bd54561c650d1c9f1ebed87e517dc747dfc7d243bd19708b7222_unpacked.exe
"C:\Users\Admin\AppData\Local\Temp\58afcdc59220bd54561c650d1c9f1ebed87e517dc747dfc7d243bd19708b7222_unpacked.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe
  2⤵
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1132-54-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download
memory/1684-55-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/1684-57-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/1684-60-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/1684-61-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download