zloader | 9907da0d3f0e6f9a460feef4d17ce8c241a415f10db005bb6339914a88838b5d

Analysis

max time kernel
413s
max time network
452s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-10-2022 06:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9907da0d3f0e6f9a460feef4d17ce8c241a415f10db005bb6339914a88838b5d.dll
Size

165KB
MD5

11346a6580159a53b49afde7b06409d3
SHA1

52352bc254b2c5a9c9343b42ecff2333696b2462
SHA256

9907da0d3f0e6f9a460feef4d17ce8c241a415f10db005bb6339914a88838b5d
SHA512

826094d548dd38d6c24332bd9e5103a862e59003e1ce319ab2165282e80f45745044ecc7df69e0d311b04114f17d6bc3b289723904f67e9078e645c6d0f52f3d
SSDEEP

3072:D35JbHcU122oCZaBrEvqxHFIPwS0CZFQYAqcisjkvTbV0jECnjol:D/bHtboiwEcGPwS02FBA3Z2bmjrnjol

Score

10^/10

zloader dllobnova 2020 botnet persistence trojan

Malware Config

Extracted

Family

zloader

Botnet

DLLobnova

Campaign

2020

https://fdsjfjdsfjdsdsjajjs.com/gate.php

https://idisaudhasdhasdj.com/gate.php

https://dsjdjsjdsadhasdas.com/gate.php

https://dsdjfhdsufudhjas.com/gate.php

https://dsdjfhdsufudhjas.info/gate.php

https://fdsjfjdsfjdsdsjajjs.info/gate.php

https://idisaudhasdhasdj.info/gate.php

Attributes

build_id
68

rc4.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 64 IoCs

flow	pid	Process
5	988	msiexec.exe
7	988	msiexec.exe
9	988	msiexec.exe
11	988	msiexec.exe
13	988	msiexec.exe
15	988	msiexec.exe
17	988	msiexec.exe
18	988	msiexec.exe
19	988	msiexec.exe
20	988	msiexec.exe
21	988	msiexec.exe
22	988	msiexec.exe
23	988	msiexec.exe
24	988	msiexec.exe
25	988	msiexec.exe
26	988	msiexec.exe
27	988	msiexec.exe
28	988	msiexec.exe
29	988	msiexec.exe
30	988	msiexec.exe
31	988	msiexec.exe
32	988	msiexec.exe
33	988	msiexec.exe
34	988	msiexec.exe
35	988	msiexec.exe
36	988	msiexec.exe
38	988	msiexec.exe
40	988	msiexec.exe
41	988	msiexec.exe
42	988	msiexec.exe
43	988	msiexec.exe
44	988	msiexec.exe
45	988	msiexec.exe
46	988	msiexec.exe
47	988	msiexec.exe
48	988	msiexec.exe
49	988	msiexec.exe
50	988	msiexec.exe
51	988	msiexec.exe
52	988	msiexec.exe
53	988	msiexec.exe
54	988	msiexec.exe
55	988	msiexec.exe
56	988	msiexec.exe
57	988	msiexec.exe
58	988	msiexec.exe
59	988	msiexec.exe
60	988	msiexec.exe
62	988	msiexec.exe
63	988	msiexec.exe
64	988	msiexec.exe
65	988	msiexec.exe
66	988	msiexec.exe
67	988	msiexec.exe
68	988	msiexec.exe
69	988	msiexec.exe
70	988	msiexec.exe
71	988	msiexec.exe
72	988	msiexec.exe
73	988	msiexec.exe
74	988	msiexec.exe
75	988	msiexec.exe
76	988	msiexec.exe
77	988	msiexec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adneom = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Hoivn\\quit.dll,DllRegisterServer"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1952 set thread context of 988	1952	regsvr32.exe	29

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	988	msiexec.exe
Token: SeSecurityPrivilege	988	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 1952	1676	regsvr32.exe	28
PID 1676 wrote to memory of 1952	1676	regsvr32.exe	28
PID 1676 wrote to memory of 1952	1676	regsvr32.exe	28
PID 1676 wrote to memory of 1952	1676	regsvr32.exe	28
PID 1676 wrote to memory of 1952	1676	regsvr32.exe	28
PID 1676 wrote to memory of 1952	1676	regsvr32.exe	28
PID 1676 wrote to memory of 1952	1676	regsvr32.exe	28
PID 1952 wrote to memory of 988	1952	regsvr32.exe	29
PID 1952 wrote to memory of 988	1952	regsvr32.exe	29
PID 1952 wrote to memory of 988	1952	regsvr32.exe	29
PID 1952 wrote to memory of 988	1952	regsvr32.exe	29
PID 1952 wrote to memory of 988	1952	regsvr32.exe	29
PID 1952 wrote to memory of 988	1952	regsvr32.exe	29
PID 1952 wrote to memory of 988	1952	regsvr32.exe	29
PID 1952 wrote to memory of 988	1952	regsvr32.exe	29
PID 1952 wrote to memory of 988	1952	regsvr32.exe	29

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9907da0d3f0e6f9a460feef4d17ce8c241a415f10db005bb6339914a88838b5d.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\9907da0d3f0e6f9a460feef4d17ce8c241a415f10db005bb6339914a88838b5d.dll
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/988-57-0x00000000000D0000-0x00000000000FE000-memory.dmp

Filesize
184KB

Download
memory/988-59-0x00000000000D0000-0x00000000000FE000-memory.dmp

Filesize
184KB

Download
memory/988-62-0x00000000000D0000-0x00000000000FE000-memory.dmp

Filesize
184KB

Download
memory/988-63-0x00000000000D0000-0x00000000000FE000-memory.dmp

Filesize
184KB

Download
memory/1676-54-0x000007FEFC101000-0x000007FEFC103000-memory.dmp

Filesize
8KB

Download
memory/1952-56-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download