zloader | e3932ab83bc05de2e91d321c4d479ff1aa3d10fdbd91e1687c80cc0ec88270e8

Resubmissions

05-11-2022 23:29

221105-3gsdnaabh2 10

05-11-2022 15:13

221105-sl48xagdd3 10

27-10-2022 06:35

221027-hcm8xsbce5 10

Analysis

max time kernel
581s
max time network
584s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-10-2022 06:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3932ab83bc05de2e91d321c4d479ff1aa3d10fdbd91e1687c80cc0ec88270e8.dll
Size

111KB
MD5

e3564138588cba04c873bd054458f8b9
SHA1

157ec7421e1333b714d01a750b6d5d6517a92c45
SHA256

e3932ab83bc05de2e91d321c4d479ff1aa3d10fdbd91e1687c80cc0ec88270e8
SHA512

2a2e8ce45a928bcffdb40ebf6559c1f071bb3feccfd9cfe355e593acb559ecf84858cf4474708d311317ab08b3f981eba7c8b80dceae973839a0eec9049665c8
SSDEEP

1536:3ui/9Xb791Wff4K84oeRnobxxm2ShclQaLMin8F5vAC+WEQbAmTjTpeyv0+gPzff:H/J7jWHT/oegcaQF5XEgHbpeyvfgT

Score

10^/10

zloader dllobnova 1017 botnet persistence trojan

Malware Config

Extracted

Family

zloader

Botnet

DLLobnova

Campaign

1017

https://fdsjfjdsfjdsjfdjsfh.com/gate.php

https://fdsjfjdsfjdsdsjajjs.com/gate.php

https://idisaudhasdhasdj.com/gate.php

https://dsjdjsjdsadhasdas.com/gate.php

https://dsdjfhdsufudhjas.com/gate.php

https://dsdjfhdsufudhjas.info/gate.php

https://fdsjfjdsfjdsdsjajjs.info/gate.php

https://idisaudhasdhasdj.info/gate.php

Attributes

build_id
28

rc4.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 64 IoCs

Processes:

msiexec.exe

flow	pid	process
5	1696	msiexec.exe
7	1696	msiexec.exe
9	1696	msiexec.exe
11	1696	msiexec.exe
13	1696	msiexec.exe
15	1696	msiexec.exe
17	1696	msiexec.exe
19	1696	msiexec.exe
20	1696	msiexec.exe
21	1696	msiexec.exe
22	1696	msiexec.exe
23	1696	msiexec.exe
24	1696	msiexec.exe
25	1696	msiexec.exe
26	1696	msiexec.exe
27	1696	msiexec.exe
28	1696	msiexec.exe
29	1696	msiexec.exe
30	1696	msiexec.exe
31	1696	msiexec.exe
32	1696	msiexec.exe
33	1696	msiexec.exe
34	1696	msiexec.exe
35	1696	msiexec.exe
36	1696	msiexec.exe
37	1696	msiexec.exe
38	1696	msiexec.exe
40	1696	msiexec.exe
42	1696	msiexec.exe
43	1696	msiexec.exe
44	1696	msiexec.exe
45	1696	msiexec.exe
46	1696	msiexec.exe
47	1696	msiexec.exe
48	1696	msiexec.exe
49	1696	msiexec.exe
50	1696	msiexec.exe
51	1696	msiexec.exe
52	1696	msiexec.exe
53	1696	msiexec.exe
54	1696	msiexec.exe
55	1696	msiexec.exe
56	1696	msiexec.exe
57	1696	msiexec.exe
58	1696	msiexec.exe
59	1696	msiexec.exe
60	1696	msiexec.exe
61	1696	msiexec.exe
62	1696	msiexec.exe
64	1696	msiexec.exe
65	1696	msiexec.exe
66	1696	msiexec.exe
67	1696	msiexec.exe
68	1696	msiexec.exe
69	1696	msiexec.exe
70	1696	msiexec.exe
71	1696	msiexec.exe
72	1696	msiexec.exe
73	1696	msiexec.exe
74	1696	msiexec.exe
75	1696	msiexec.exe
76	1696	msiexec.exe
77	1696	msiexec.exe
78	1696	msiexec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cegu = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Didi\\edfoacyb.dll,DllRegisterServer"	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 1988 set thread context of 1696 1988 regsvr32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 1696 msiexec.exe
Token: SeSecurityPrivilege 1696 msiexec.exe

description	pid	process	target process
PID 1988 set thread context of 1696	1988	regsvr32.exe	msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	1696	msiexec.exe
Token: SeSecurityPrivilege	1696	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1048 wrote to memory of 1988	1048	regsvr32.exe	regsvr32.exe
PID 1048 wrote to memory of 1988	1048	regsvr32.exe	regsvr32.exe
PID 1048 wrote to memory of 1988	1048	regsvr32.exe	regsvr32.exe
PID 1048 wrote to memory of 1988	1048	regsvr32.exe	regsvr32.exe
PID 1048 wrote to memory of 1988	1048	regsvr32.exe	regsvr32.exe
PID 1048 wrote to memory of 1988	1048	regsvr32.exe	regsvr32.exe
PID 1048 wrote to memory of 1988	1048	regsvr32.exe	regsvr32.exe
PID 1988 wrote to memory of 1696	1988	regsvr32.exe	msiexec.exe
PID 1988 wrote to memory of 1696	1988	regsvr32.exe	msiexec.exe
PID 1988 wrote to memory of 1696	1988	regsvr32.exe	msiexec.exe
PID 1988 wrote to memory of 1696	1988	regsvr32.exe	msiexec.exe
PID 1988 wrote to memory of 1696	1988	regsvr32.exe	msiexec.exe
PID 1988 wrote to memory of 1696	1988	regsvr32.exe	msiexec.exe
PID 1988 wrote to memory of 1696	1988	regsvr32.exe	msiexec.exe
PID 1988 wrote to memory of 1696	1988	regsvr32.exe	msiexec.exe
PID 1988 wrote to memory of 1696	1988	regsvr32.exe	msiexec.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e3932ab83bc05de2e91d321c4d479ff1aa3d10fdbd91e1687c80cc0ec88270e8.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\e3932ab83bc05de2e91d321c4d479ff1aa3d10fdbd91e1687c80cc0ec88270e8.dll
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1048-54-0x000007FEFC281000-0x000007FEFC283000-memory.dmp

Filesize
8KB

Download
memory/1696-57-0x0000000000090000-0x00000000000B1000-memory.dmp

Filesize
132KB

Download
memory/1696-59-0x0000000000090000-0x00000000000B1000-memory.dmp

Filesize
132KB

Download
memory/1696-60-0x0000000000000000-mapping.dmp

Download
memory/1696-62-0x0000000000090000-0x00000000000B1000-memory.dmp

Filesize
132KB

Download
memory/1696-63-0x0000000000090000-0x00000000000B1000-memory.dmp

Filesize
132KB

Download
memory/1988-55-0x0000000000000000-mapping.dmp

Download
memory/1988-56-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download