zloader | 830700df4fc2b75b067479d6f2f67d51dff7e883d2a33793c905380a9351cb46

Resubmissions

26-12-2022 13:27

221226-qp417sda45 10

30-11-2022 14:19

221130-rm688abe4x 10

Analysis

max time kernel
153s
max time network
174s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

830700df4fc2b75b067479d6f2f67d51dff7e883d2a33793c905380a9351cb46.dll
Size

493KB
MD5

efddc2807ecbdffd694cd97936404053
SHA1

c68b7b94e591fbc4cda9bdb8c2caaa33880464c7
SHA256

830700df4fc2b75b067479d6f2f67d51dff7e883d2a33793c905380a9351cb46
SHA512

e6b0fd0f52c5b7e82bb66d08c4a3f8a4bddf1ce75c140e73afb4c1f57131df81e5d39f7833de15b40e980f0605bfd1840f81b610134634db000f6e18388bf09a
SSDEEP

12288:WsCr6MfAEtHaqxnXmtkl0CMh+1wY7JuegO4I9y:Wsi6MBtHBzlRMg1wY34I9y

Score

10^/10

zloader nut 18/02 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

nut

Campaign

18/02

https://ramkanshop.ir/post.php

https://lph786.com/post.php

https://efaschoolfarooka.com/post.php

https://forexstick.com/post.php

https://firteccom.com/post.php

https://www.psychologynewmind.com/post.php

https://dirashightapbide.tk/post.php

Attributes

build_id
358

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 2036	2040	rundll32.exe	29

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2036	msiexec.exe
Token: SeSecurityPrivilege	2036	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2040	2032	rundll32.exe	28
PID 2032 wrote to memory of 2040	2032	rundll32.exe	28
PID 2032 wrote to memory of 2040	2032	rundll32.exe	28
PID 2032 wrote to memory of 2040	2032	rundll32.exe	28
PID 2032 wrote to memory of 2040	2032	rundll32.exe	28
PID 2032 wrote to memory of 2040	2032	rundll32.exe	28
PID 2032 wrote to memory of 2040	2032	rundll32.exe	28
PID 2040 wrote to memory of 2036	2040	rundll32.exe	29
PID 2040 wrote to memory of 2036	2040	rundll32.exe	29
PID 2040 wrote to memory of 2036	2040	rundll32.exe	29
PID 2040 wrote to memory of 2036	2040	rundll32.exe	29
PID 2040 wrote to memory of 2036	2040	rundll32.exe	29
PID 2040 wrote to memory of 2036	2040	rundll32.exe	29
PID 2040 wrote to memory of 2036	2040	rundll32.exe	29
PID 2040 wrote to memory of 2036	2040	rundll32.exe	29
PID 2040 wrote to memory of 2036	2040	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\830700df4fc2b75b067479d6f2f67d51dff7e883d2a33793c905380a9351cb46.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\830700df4fc2b75b067479d6f2f67d51dff7e883d2a33793c905380a9351cb46.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2036-59-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/2036-61-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/2036-65-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/2036-66-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/2040-55-0x0000000075991000-0x0000000075993000-memory.dmp

Filesize
8KB

Download
memory/2040-57-0x0000000074600000-0x00000000746DD000-memory.dmp

Filesize
884KB

Download
memory/2040-56-0x0000000074600000-0x0000000074629000-memory.dmp

Filesize
164KB

Download
memory/2040-58-0x0000000074600000-0x00000000746DD000-memory.dmp

Filesize
884KB

Download
memory/2040-63-0x0000000074600000-0x00000000746DD000-memory.dmp

Filesize
884KB

Download