Overview

overview

10

Static

static

3

HEUR-Backd...ex.exe

windows7-x64

10

HEUR-Backd...ex.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    80s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-04-2023 17:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    HEUR-Backdoor.Win32.Dridex.exe

  • Size

    146KB

  • MD5

    d93ca01a4515732a6a54df0a391c93e3

  • SHA1

    ba31585616c3640a434c4c29193f0f89e8306485

  • SHA256

    becacb52a50004d42538cfe82c8f527f1793727c5f679f46df7f96eade272962

  • SHA512

    3e9c52c04cf37250e8d4e0e3a17cc27e17a1ff19c4935a788b77dafea28bd6ec0a514bdbe4073845c31559652c039f88f811b24020044c0b0e0c47f1cb9ac2e0

  • SSDEEP

    3072:BHIbLRDJ1YGzRXczG9Nw5pwfhcMVd8v86jdbG42UO5LXrMUJKKMEj2Yi:BHcLRDz/czG9Mp2hcGd8vvjFG42PhMal

Score
10/10
zloader-pit14web7-pit14botnetpersistencetrojan

Malware Config

Extracted

Family

zloader

Botnet

-pit14

Campaign

web7-pit14

C2

https://45.72.3.132/web7643/gate.php

Attributes
  • build_id

    929195383

rc4.plain

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • Blocklisted process makes network request 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.Win32.Dridex.exe
    "C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.Win32.Dridex.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Windows\SysWOW64\msiexec.exe
      msiexec.exe
      2⤵
      • Blocklisted process makes network request
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:2360

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2360-133-0x0000000000FC0000-0x0000000000FEA000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2360-135-0x0000000000FC0000-0x0000000000FEA000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2360-136-0x0000000000FC0000-0x0000000000FEA000-memory.dmp

    Filesize

    168KB

    Download