zloader | e6ff434fbb288fb16f228292d41ed7cad38d06eb091ef6b4ab5da61ac96de580

Resubmissions

26-12-2022 13:28

221226-qqwq8ada46 10

25-11-2022 10:07

221125-l5na6sdb4t 10

Analysis

max time kernel
63s
max time network
65s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
26-12-2022 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6ff434fbb288fb16f228292d41ed7cad38d06eb091ef6b4ab5da61ac96de580.dll
Size

274KB
MD5

d046de3d748585f4740f11f44c5e7c31
SHA1

2b04641bd67e7d4bc6170bbd05b33a33dea521da
SHA256

e6ff434fbb288fb16f228292d41ed7cad38d06eb091ef6b4ab5da61ac96de580
SHA512

8f5bbdd39a6932b7b30be8736e1d5f7df4d20b894a3396f18daa93b018f7fa0651d3d915d37a13f84359439e23060cd1f9ac12b7c5aeff8f2353b8e0422df6e1
SSDEEP

6144:sq0e5NP+8ZqKMLLnMxOl6sl4IgKW1rYxk4xJS4H1m3tz3qLWYemA:s2Cnj6sYS36aC

Score

10^/10

zloader kev 02/02 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

kev

Campaign

02/02

https://inservitudetothedivine.com/post.php

https://pebbleauto.com/post.php

https://ineenbeaudi.tk/post.php

Attributes

build_id
325

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1640 set thread context of 4832 1640 rundll32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 4832 msiexec.exe
Token: SeSecurityPrivilege 4832 msiexec.exe

description	pid	process	target process
PID 1640 set thread context of 4832	1640	rundll32.exe	msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	4832	msiexec.exe
Token: SeSecurityPrivilege	4832	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2100 wrote to memory of 1640	2100	rundll32.exe	rundll32.exe
PID 2100 wrote to memory of 1640	2100	rundll32.exe	rundll32.exe
PID 2100 wrote to memory of 1640	2100	rundll32.exe	rundll32.exe
PID 1640 wrote to memory of 4832	1640	rundll32.exe	msiexec.exe
PID 1640 wrote to memory of 4832	1640	rundll32.exe	msiexec.exe
PID 1640 wrote to memory of 4832	1640	rundll32.exe	msiexec.exe
PID 1640 wrote to memory of 4832	1640	rundll32.exe	msiexec.exe
PID 1640 wrote to memory of 4832	1640	rundll32.exe	msiexec.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e6ff434fbb288fb16f228292d41ed7cad38d06eb091ef6b4ab5da61ac96de580.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e6ff434fbb288fb16f228292d41ed7cad38d06eb091ef6b4ab5da61ac96de580.dll,#1
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1640-120-0x0000000000000000-mapping.dmp

Download
memory/1640-121-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-122-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-123-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-124-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-125-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-126-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-128-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-127-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-130-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-131-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-129-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-132-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-134-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-135-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-137-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-138-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-140-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-141-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-142-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-139-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-136-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-144-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-146-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-148-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-150-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-151-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-152-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-154-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-156-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-155-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-158-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-157-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-153-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-149-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-160-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-162-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-163-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-161-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-159-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-147-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-145-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-143-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-133-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1640-164-0x0000000010000000-0x0000000012541000-memory.dmp

Filesize
37.3MB

Download
memory/1640-165-0x0000000004CD0000-0x000000000720B000-memory.dmp

Filesize
37.2MB

Download
memory/1640-177-0x0000000010000000-0x0000000012541000-memory.dmp

Filesize
37.3MB

Download
memory/4832-166-0x0000000000700000-0x0000000000726000-memory.dmp

Filesize
152KB

Download
memory/4832-167-0x0000000000000000-mapping.dmp

Download
memory/4832-168-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-169-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-170-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-171-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-173-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-174-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-176-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-178-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-179-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-180-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-181-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-182-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-183-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-184-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-185-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-186-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-187-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-188-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-190-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-189-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4832-215-0x0000000000700000-0x0000000000726000-memory.dmp

Filesize
152KB

Download
memory/4832-233-0x0000000000700000-0x0000000000726000-memory.dmp

Filesize
152KB

Download