zloader | e3fba6f1efac5f32c35baf0337c0b951bae84fd5e8e71708405d59610b5de19e

Resubmissions

09-02-2023 02:28

230209-cyewsaga48 10

09-02-2023 02:18

230209-crm9ksff67 10

Analysis

max time kernel
74s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
09-02-2023 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c75f4e1fd464e21826c37e5abf7fed93b48c721625f700f49aa71cbce377ee8a-1.dll
Size

409KB
MD5

56079ea11cb3fce2a34fdf0a81deecc5
SHA1

38475dc6871d88b3c9070f4e55f8c44a07b7dca3
SHA256

c75f4e1fd464e21826c37e5abf7fed93b48c721625f700f49aa71cbce377ee8a
SHA512

62881541d2f549475cb3a2026c1f53b2704834a5b5b2af154135b328347de690a4e4b23f047db85745a4b106b7ba541a854f91e0a8ff21255cb5df47aeda4e50
SSDEEP

12288:jS5WNqciJOAzgUOksgh/Zuss/p5V0noFJwhNUy:jS5WNqM1UOqFZusIpYe

Score

10^/10

zloader hvnc hvnc botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

hvnc

Campaign

hvnc

https://iqowijsdakm.com/gate.php

https://wiewjdmkfjn.com/gate.php

https://dksaoidiakjd.com/gate.php

https://iweuiqjdakjd.com/gate.php

https://yuidskadjna.com/gate.php

https://olksmadnbdj.com/gate.php

https://odsakmdfnbs.com/gate.php

https://odsakjmdnhsaj.com/gate.php

https://odjdnhsaj.com/gate.php

https://odoishsaj.com/gate.php

Attributes

build_id
157

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 516 wrote to memory of 4720	516	regsvr32.exe	80
PID 516 wrote to memory of 4720	516	regsvr32.exe	80
PID 516 wrote to memory of 4720	516	regsvr32.exe	80

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c75f4e1fd464e21826c37e5abf7fed93b48c721625f700f49aa71cbce377ee8a-1.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:516
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\c75f4e1fd464e21826c37e5abf7fed93b48c721625f700f49aa71cbce377ee8a-1.dll
  2⤵
  PID:4720
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    PID:4020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4020-137-0x00000000001D0000-0x00000000001F6000-memory.dmp

Filesize
152KB

Download
memory/4020-139-0x00000000001D0000-0x00000000001F6000-memory.dmp

Filesize
152KB

Download
memory/4020-140-0x00000000001D0000-0x00000000001F6000-memory.dmp

Filesize
152KB

Download
memory/4720-133-0x0000000010000000-0x00000000100DB000-memory.dmp

Filesize
876KB

Download
memory/4720-134-0x0000000010000000-0x00000000100DB000-memory.dmp

Filesize
876KB

Download
memory/4720-135-0x0000000010000000-0x00000000100DB000-memory.dmp

Filesize
876KB

Download
memory/4720-138-0x0000000010000000-0x00000000100DB000-memory.dmp

Filesize
876KB

Download