zloader | HEURBackdoor[.]Win32[.]Dridex[.]vhobecacb52a50004d42538cfe82c8f527f1793727c5f679f46df7f96eade272962

Sharing

Copy URL

Twitter E-mail

General

Target

HEURBackdoor.Win32.Dridex.vhobecacb52a50004d42538cfe82c8f527f1793727c5f679f46df7f96eade272962
Size

146KB
MD5

d93ca01a4515732a6a54df0a391c93e3
SHA1

ba31585616c3640a434c4c29193f0f89e8306485
SHA256

becacb52a50004d42538cfe82c8f527f1793727c5f679f46df7f96eade272962
SHA512

3e9c52c04cf37250e8d4e0e3a17cc27e17a1ff19c4935a788b77dafea28bd6ec0a514bdbe4073845c31559652c039f88f811b24020044c0b0e0c47f1cb9ac2e0
SSDEEP

3072:BHIbLRDJ1YGzRXczG9Nw5pwfhcMVd8v86jdbG42UO5LXrMUJKKMEj2Yi:BHcLRDz/czG9Mp2hcGd8vvjFG42PhMal

Score

10^/10

-pit14 web7-pit14 zloader

Malware Config

Extracted

Family

zloader

Botnet

-pit14

Campaign

web7-pit14

https://45.72.3.132/web7643/gate.php

Attributes

build_id
929195383

rc4.plain

Signatures

Zloader family
zloader

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
HEURBackdoor.Win32.Dridex.vhobecacb52a50004d42538cfe82c8f527f1793727c5f679f46df7f96eade272962

Files

HEURBackdoor.Win32.Dridex.vhobecacb52a50004d42538cfe82c8f527f1793727c5f679f46df7f96eade272962
.exe windows x86

8dba73fc79b40529ce9d0afaecd2a713

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CloseHandle
CompareFileTime
CreateEventW
EnterCriticalSection
ExpandEnvironmentStringsW
FileTimeToSystemTime
FlushFileBuffers
GetCPInfo
GetCommandLineW
GetConsoleCP
GetConsoleMode
GetConsoleOutputCP
GetCurrentDirectoryA
GetCurrentProcess
GetCurrentProcessId
GetFileType
GetLastError
GetLocalTime
GetModuleFileNameA
GetProcAddress
GetStdHandle
GetStringTypeW
GetSystemTime
GetTempPathA
GetTimeFormatW
GetVersion
GlobalAlloc
HeapAlloc
HeapReAlloc
IsValidLocale
SetEndOfFile
SetEvent
SetHandleCount
SystemTimeToFileTime
VirtualFree
WaitForSingleObject
WideCharToMultiByte
lstrcmpW

advapi32

GetTokenInformation

shlwapi

PathAddBackslashW

shell32

CommandLineToArgvW
ShellAboutW

user32

CallWindowProcW
CharNextA
CheckMenuItem
CheckMenuRadioItem
CheckRadioButton
ClientToScreen
CreateDialogParamW
DefWindowProcW
DrawIconEx
DrawTextW
EnableMenuItem
EqualRect
FillRect
GetClassNameW
GetClientRect
GetDC
GetMenuState
GetNextDlgTabItem
GetParent
GetProcessDefaultLayout
GetSysColorBrush
GetWindowLongW
GetWindowRect
InflateRect
InsertMenuItemW
IsDialogMessageW
IsIconic
KillTimer
LoadAcceleratorsW
LoadCursorW
LoadIconA
LoadImageW
MapWindowPoints
MoveWindow
OffsetRect
RegisterClassA
ReleaseCapture
ReleaseDC
SetDlgItemTextW
SetMenuItemInfoW
SetPropW
SetWindowPos
SetWindowTextW
ShowWindow
UnregisterClassW

gdi32

CreateCompatibleBitmap
CreateDIBSection
CreateRectRgn
DeleteObject
EndDoc
EndPage
EqualRgn
ExtCreatePen
GetObjectA
GetObjectW
GetRgnBox
GetTextExtentPointW
MoveToEx
SelectObject
SetMapMode
StartDocA

Sections

.text
Size: 129KB - Virtual size: 129KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

8dba73fc79b40529ce9d0afaecd2a713

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

advapi32

shlwapi

shell32

user32

gdi32

Sections

.text Size: 129KB - Virtual size: 129KB

.rdata Size: 5KB - Virtual size: 4KB

.data Size: 1KB - Virtual size: 11KB

.reloc Size: 9KB - Virtual size: 9KB

.text
Size: 129KB - Virtual size: 129KB

.rdata
Size: 5KB - Virtual size: 4KB

.data
Size: 1KB - Virtual size: 11KB

.reloc
Size: 9KB - Virtual size: 9KB