zloader | e6ff434fbb288fb16f228292d41ed7cad38d06eb091ef6b4ab5da61ac96de580

Resubmissions

26-12-2022 13:28

221226-qqwq8ada46 10

25-11-2022 10:07

221125-l5na6sdb4t 10

Analysis

max time kernel
165s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6ff434fbb288fb16f228292d41ed7cad38d06eb091ef6b4ab5da61ac96de580.dll
Size

274KB
MD5

d046de3d748585f4740f11f44c5e7c31
SHA1

2b04641bd67e7d4bc6170bbd05b33a33dea521da
SHA256

e6ff434fbb288fb16f228292d41ed7cad38d06eb091ef6b4ab5da61ac96de580
SHA512

8f5bbdd39a6932b7b30be8736e1d5f7df4d20b894a3396f18daa93b018f7fa0651d3d915d37a13f84359439e23060cd1f9ac12b7c5aeff8f2353b8e0422df6e1
SSDEEP

6144:sq0e5NP+8ZqKMLLnMxOl6sl4IgKW1rYxk4xJS4H1m3tz3qLWYemA:s2Cnj6sYS36aC

Score

10^/10

zloader kev 02/02 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

kev

Campaign

02/02

https://inservitudetothedivine.com/post.php

https://pebbleauto.com/post.php

https://ineenbeaudi.tk/post.php

Attributes

build_id
325

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 720 set thread context of 5088	720	rundll32.exe	82

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	5088	msiexec.exe
Token: SeSecurityPrivilege	5088	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 720	5060	rundll32.exe	80
PID 5060 wrote to memory of 720	5060	rundll32.exe	80
PID 5060 wrote to memory of 720	5060	rundll32.exe	80
PID 720 wrote to memory of 5088	720	rundll32.exe	82
PID 720 wrote to memory of 5088	720	rundll32.exe	82
PID 720 wrote to memory of 5088	720	rundll32.exe	82
PID 720 wrote to memory of 5088	720	rundll32.exe	82
PID 720 wrote to memory of 5088	720	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e6ff434fbb288fb16f228292d41ed7cad38d06eb091ef6b4ab5da61ac96de580.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e6ff434fbb288fb16f228292d41ed7cad38d06eb091ef6b4ab5da61ac96de580.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:720
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5088

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/720-133-0x0000000010000000-0x0000000012541000-memory.dmp

Filesize
37.3MB

Download
memory/720-134-0x00000000020C0000-0x00000000045FB000-memory.dmp

Filesize
37.2MB

Download
memory/720-135-0x0000000010000000-0x0000000012541000-memory.dmp

Filesize
37.3MB

Download
memory/720-138-0x0000000010000000-0x0000000012541000-memory.dmp

Filesize
37.3MB

Download
memory/5088-137-0x0000000000D40000-0x0000000000D66000-memory.dmp

Filesize
152KB

Download
memory/5088-139-0x0000000000D40000-0x0000000000D66000-memory.dmp

Filesize
152KB

Download
memory/5088-140-0x0000000000D40000-0x0000000000D66000-memory.dmp

Filesize
152KB

Download