zloader | 76f4db4f373809a4dba455b3370a049295e711f635fa4c070790e1cb907e31a6

Resubmissions

03-08-2023 07:52

230803-jqkwdsca99 10

27-07-2023 11:24

26-12-2022 13:39

26-12-2022 13:39

26-12-2022 13:38

26-12-2022 13:38

Analysis

max time kernel
1710s
max time network
1771s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
27-07-2023 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

830700df4fc2b75b067479d6f2f67d51dff7e883d2a33793c905380a9351cb46.dll
Size

493KB
MD5

efddc2807ecbdffd694cd97936404053
SHA1

c68b7b94e591fbc4cda9bdb8c2caaa33880464c7
SHA256

830700df4fc2b75b067479d6f2f67d51dff7e883d2a33793c905380a9351cb46
SHA512

e6b0fd0f52c5b7e82bb66d08c4a3f8a4bddf1ce75c140e73afb4c1f57131df81e5d39f7833de15b40e980f0605bfd1840f81b610134634db000f6e18388bf09a
SSDEEP

12288:WsCr6MfAEtHaqxnXmtkl0CMh+1wY7JuegO4I9y:Wsi6MBtHBzlRMg1wY34I9y

Score

10^/10

zloader nut 18/02 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

nut

Campaign

18/02

https://ramkanshop.ir/post.php

https://lph786.com/post.php

https://efaschoolfarooka.com/post.php

https://forexstick.com/post.php

https://firteccom.com/post.php

https://www.psychologynewmind.com/post.php

https://dirashightapbide.tk/post.php

Attributes

build_id
358

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 64 IoCs

flow	pid	Process
14	2952	msiexec.exe
15	2952	msiexec.exe
16	2952	msiexec.exe
17	2952	msiexec.exe
18	2952	msiexec.exe
19	2952	msiexec.exe
20	2952	msiexec.exe
21	2952	msiexec.exe
22	2952	msiexec.exe
23	2952	msiexec.exe
24	2952	msiexec.exe
25	2952	msiexec.exe
26	2952	msiexec.exe
27	2952	msiexec.exe
28	2952	msiexec.exe
29	2952	msiexec.exe
30	2952	msiexec.exe
31	2952	msiexec.exe
32	2952	msiexec.exe
33	2952	msiexec.exe
34	2952	msiexec.exe
36	2952	msiexec.exe
37	2952	msiexec.exe
38	2952	msiexec.exe
40	2952	msiexec.exe
42	2952	msiexec.exe
44	2952	msiexec.exe
50	2952	msiexec.exe
59	2952	msiexec.exe
60	2952	msiexec.exe
61	2952	msiexec.exe
62	2952	msiexec.exe
63	2952	msiexec.exe
64	2952	msiexec.exe
65	2952	msiexec.exe
66	2952	msiexec.exe
67	2952	msiexec.exe
68	2952	msiexec.exe
69	2952	msiexec.exe
70	2952	msiexec.exe
71	2952	msiexec.exe
72	2952	msiexec.exe
73	2952	msiexec.exe
74	2952	msiexec.exe
75	2952	msiexec.exe
76	2952	msiexec.exe
77	2952	msiexec.exe
78	2952	msiexec.exe
79	2952	msiexec.exe
81	2952	msiexec.exe
82	2952	msiexec.exe
83	2952	msiexec.exe
84	2952	msiexec.exe
86	2952	msiexec.exe
88	2952	msiexec.exe
98	2952	msiexec.exe
99	2952	msiexec.exe
100	2952	msiexec.exe
101	2952	msiexec.exe
102	2952	msiexec.exe
103	2952	msiexec.exe
104	2952	msiexec.exe
105	2952	msiexec.exe
106	2952	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2072 set thread context of 2952	2072	rundll32.exe	31

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2952	msiexec.exe
Token: SeSecurityPrivilege	2952	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2072	1684	rundll32.exe	2
PID 1684 wrote to memory of 2072	1684	rundll32.exe	2
PID 1684 wrote to memory of 2072	1684	rundll32.exe	2
PID 1684 wrote to memory of 2072	1684	rundll32.exe	2
PID 1684 wrote to memory of 2072	1684	rundll32.exe	2
PID 1684 wrote to memory of 2072	1684	rundll32.exe	2
PID 1684 wrote to memory of 2072	1684	rundll32.exe	2
PID 2072 wrote to memory of 2952	2072	rundll32.exe	31
PID 2072 wrote to memory of 2952	2072	rundll32.exe	31
PID 2072 wrote to memory of 2952	2072	rundll32.exe	31
PID 2072 wrote to memory of 2952	2072	rundll32.exe	31
PID 2072 wrote to memory of 2952	2072	rundll32.exe	31
PID 2072 wrote to memory of 2952	2072	rundll32.exe	31
PID 2072 wrote to memory of 2952	2072	rundll32.exe	31
PID 2072 wrote to memory of 2952	2072	rundll32.exe	31
PID 2072 wrote to memory of 2952	2072	rundll32.exe	31

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\830700df4fc2b75b067479d6f2f67d51dff7e883d2a33793c905380a9351cb46.dll,#1
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of AdjustPrivilegeToken
  PID:2952

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\830700df4fc2b75b067479d6f2f67d51dff7e883d2a33793c905380a9351cb46.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
59ca28344b8f7f53754fe290f0aadc9e

SHA1
1849b6f789db2b0b3beaa7a4b64763d618f30069

SHA256
03c8bf5291ae5e2098ad21f768a5134a83f9ae88d97ba5260b3865d8c8cd82bd

SHA512
73654ea80d17eefd8d5b2ce95b7a9a8ece4656982a282f1208e3391c57eee3ad9c55ab89c2465a1c2ecf793525d5f277f4b5f9555e157b717771dfd7597aa1b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
1f8246c7c83739132f7d412870436d47

SHA1
b5ddc01ad1fee671f87f26dea9649107cbc48a6b

SHA256
fbfd1920d2698341118c8abe19a4850e456f4b01c3fcef83e3103bc67cfb4512

SHA512
75c7f9ccaa26ec2d4252e72c8af2eb004b448320324f6c41785fc0451dcd08f7613796a7363ab0a2b9541a37cb2240d274f18f5f69cf586df9db6c770de065b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8AJTUMOT\post[1].htm

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab800B.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar805C.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
memory/2072-54-0x0000000074F60000-0x000000007503D000-memory.dmp

Filesize
884KB

Download
memory/2072-56-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2072-57-0x0000000074F60000-0x000000007503D000-memory.dmp

Filesize
884KB

Download
memory/2072-55-0x0000000074F60000-0x000000007503D000-memory.dmp

Filesize
884KB

Download
memory/2072-63-0x0000000074F60000-0x000000007503D000-memory.dmp

Filesize
884KB

Download
memory/2952-58-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/2952-69-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/2952-67-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/2952-66-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/2952-64-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/2952-62-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/2952-60-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download