zloader | zloader[.]zip

Target

zloader.zip
Size

912KB
MD5

5b9c3ed3664f0df742d8755c961cd38b
SHA1

644f0c7f36a70d126751ac048e77b0b90abf5643
SHA256

76f4db4f373809a4dba455b3370a049295e711f635fa4c070790e1cb907e31a6
SHA512

624ae16980a93a2c53725b639205212314596e0198b9957627b0d5e1fbc9dd7807bd55802f4493597da346b9bd181688fd9cd1ad76a738e5657486c9347258c7
SSDEEP

24576:3S/33QEH0A1jWxdkNruOgo67hcQcron7Hbn3QPIo0EvwHM/Tih:kA9ejW9Og9VcO3cIov3Gh

Score

10^/10

dllobnova 1017 zloader

Malware Config

Extracted

Family

zloader

Botnet

DLLobnova

Campaign

1017

https://fdsjfjdsfjdsjfdjsfh.com/gate.php

https://fdsjfjdsfjdsdsjajjs.com/gate.php

https://idisaudhasdhasdj.com/gate.php

https://dsjdjsjdsadhasdas.com/gate.php

https://dsdjfhdsufudhjas.com/gate.php

https://dsdjfhdsufudhjas.info/gate.php

https://fdsjfjdsfjdsdsjajjs.info/gate.php

https://idisaudhasdhasdj.info/gate.php

Attributes

build_id
28

rc4.plain

Signatures

Zloader family
zloader

Unsigned PE 4 IoCs

Checks for missing Authenticode signature.

resource
unpack001/830700df4fc2b75b067479d6f2f67d51dff7e883d2a33793c905380a9351cb46
unpack001/b89d80ca3f0a5da24b8b768d2d5eb35ca1322f6bc2b01e265465ac95d7d61279
unpack001/cad0968f5ab3bedeffef68bbe18f92946fb97967cef59970157029480ed15bb9
unpack001/e3932ab83bc05de2e91d321c4d479ff1aa3d10fdbd91e1687c80cc0ec88270e8

Files

zloader.zip
.zip
44ede6e1b9be1c013f13d82645f7a9cff7d92b267778f19b46aa5c1f7fa3c10b
.dll windows x86

9217a44a86a3f5ea87d2259a5905279d

Code Sign

5c:5e:30:13:88:9c:78:53:ba:55:7a:c9:0f:39:8e:84
Certificate

Issuer

CN=AHYKURGXLQFNQZUZJZ

Not Before

20-10-2020 03:54

Not After

31-12-2039 23:59

Subject

CN=AHYKURGXLQFNQZUZJZ

Extended Key Usages

ExtKeyUsageCodeSigning

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

Issuer

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Not Before

02-05-2019 00:00

Not After

18-01-2038 23:59

Subject

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

3d:1a:35:72:30:15:82:63:30:d0:13:71:7e:82:41:08
Certificate

Issuer

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

02-05-2019 00:00

Not After

01-08-2030 23:59

Subject

CN=Sectigo RSA Time Stamping Signer #1,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

ba:64:fd:71:8c:87:96:c2:f7:59:64:5e:52:0d:72:50:c3:01:1e:c4
Signer

Actual PE Digest

ba:64:fd:71:8c:87:96:c2:f7:59:64:5e:52:0d:72:50:c3:01:1e:c4

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetLastError
GetModuleHandleW
LoadLibraryA
GetProcAddress

user32

GetLastActivePopup
LoadIconA
CharUpperA
LoadIconW

gdi32

GetEnhMetaFileBits

advapi32

RegOpenKeyA

Sections

.text
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata6
Size: 512B - Virtual size: 100B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rdata5
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rdata4
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rdata3
Size: 350KB - Virtual size: 350KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 764B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 189KB - Virtual size: 188KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 368B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
830700df4fc2b75b067479d6f2f67d51dff7e883d2a33793c905380a9351cb46
.dll windows x86

4cd5ad0d950a17d16594ac7f683f928a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

VirtualProtect
Sleep
GetStdHandle
OpenMutexA
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
EncodePointer
DecodePointer
RaiseException
RtlUnwind
GetCommandLineA
GetCurrentThreadId
GetModuleFileNameW
GetModuleHandleExW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetLastError
InitializeCriticalSectionAndSpinCount
GetCurrentProcess
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
GetModuleHandleW
GetProcAddress
WriteFile
IsProcessorFeaturePresent
GetLastError
HeapValidate
GetSystemInfo
ExitProcess
MultiByteToWideChar
WideCharToMultiByte
IsDebuggerPresent
GetACP
GetProcessHeap
GetFileType
GetModuleFileNameA
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
GetEnvironmentStringsW
FreeEnvironmentStringsW
OutputDebugStringW
WaitForSingleObjectEx
CreateThread
LoadLibraryExW
OutputDebugStringA
WriteConsoleW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
IsValidCodePage
GetOEMCP
GetCPInfo
HeapFree
HeapReAlloc
HeapSize
HeapQueryInformation
HeapAlloc
GetStringTypeW
FlushFileBuffers
GetConsoleCP
GetConsoleMode
SetFilePointerEx
CloseHandle
SetStdHandle
CreateFileW

Sections

.text
Size: 271KB - Virtual size: 270KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 146KB - Virtual size: 146KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 62KB - Virtual size: 441KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 864B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
__MACOSX/._44ede6e1b9be1c013f13d82645f7a9cff7d92b267778f19b46aa5c1f7fa3c10b
__MACOSX/._830700df4fc2b75b067479d6f2f67d51dff7e883d2a33793c905380a9351cb46
__MACOSX/._b89d80ca3f0a5da24b8b768d2d5eb35ca1322f6bc2b01e265465ac95d7d61279
__MACOSX/._cad0968f5ab3bedeffef68bbe18f92946fb97967cef59970157029480ed15bb9
__MACOSX/._e3932ab83bc05de2e91d321c4d479ff1aa3d10fdbd91e1687c80cc0ec88270e8
b89d80ca3f0a5da24b8b768d2d5eb35ca1322f6bc2b01e265465ac95d7d61279
.dll windows x86

3709c0427e1da1b41889cce9e54378a6

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

VirtualProtect
GetVersion
GetTempPathA
FileTimeToSystemTime
CreateEventA
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
EncodePointer
RaiseException
InterlockedFlushSList
GetLastError
SetLastError
RtlUnwind
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
GetProcAddress
LoadLibraryExW
ExitProcess
GetModuleHandleExW
GetModuleFileNameW
HeapFree
HeapAlloc
LCMapStringW
GetStdHandle
GetFileType
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetCommandLineA
GetCommandLineW
MultiByteToWideChar
WideCharToMultiByte
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetProcessHeap
FlushFileBuffers
WriteFile
GetConsoleCP
GetConsoleMode
SetStdHandle
GetFileSizeEx
SetFilePointerEx
GetStringTypeW
HeapSize
HeapReAlloc
CloseHandle
CreateFileW
WriteConsoleW
DecodePointer

Exports

Exports

Meanletter

Sections

.text
Size: 233KB - Virtual size: 233KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 90KB - Virtual size: 89KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 13KB - Virtual size: 373KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 512B - Virtual size: 276B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
cad0968f5ab3bedeffef68bbe18f92946fb97967cef59970157029480ed15bb9
.exe windows x86

e4e0ea0662d52244c535e0fd3b19eb00

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetCurrentDirectoryA
WaitForMultipleObjectsEx
GetCommandLineA
TlsSetValue
SearchPathW
SearchPathW
SleepEx
FindFirstFileA
CloseHandle
SearchPathW
GetShortPathNameA
VirtualAlloc
CreateMailslotW
CopyFileW
LoadLibraryA
GetACP
SearchPathW
SetEvent
SearchPathW
SearchPathW
SearchPathW
CreateJobObjectW
SearchPathW
SleepEx
SearchPathW
RemoveDirectoryA
LoadLibraryExA
SetLocalTime

untfs

Extend
Format
FormatEx

Sections

.text
Size: 131KB - Virtual size: 131KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.kdata
Size: 1024B - Virtual size: 688B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 864B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
e3932ab83bc05de2e91d321c4d479ff1aa3d10fdbd91e1687c80cc0ec88270e8
.dll regsvr32 windows x86

592c8c97e3aea7f416681fd475fbb664

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetCurrentDirectoryA
GetCurrentProcessId
GetLastError
GetTempPathA

Exports

Exports

DllRegisterServer

Sections

.text
Size: 103KB - Virtual size: 102KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Extracted

Signatures

Files

9217a44a86a3f5ea87d2259a5905279d

Code Sign

5c:5e:30:13:88:9c:78:53:ba:55:7a:c9:0f:39:8e:84Certificate

Extended Key Usages

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9Certificate

Extended Key Usages

Key Usages

3d:1a:35:72:30:15:82:63:30:d0:13:71:7e:82:41:08Certificate

Extended Key Usages

Key Usages

ba:64:fd:71:8c:87:96:c2:f7:59:64:5e:52:0d:72:50:c3:01:1e:c4Signer

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

Sections

.text Size: 3KB - Virtual size: 2KB

.rdata6 Size: 512B - Virtual size: 100B

.rdata5 Size: 10KB - Virtual size: 9KB

.rdata4 Size: 10KB - Virtual size: 9KB

.rdata3 Size: 350KB - Virtual size: 350KB

.data Size: 1024B - Virtual size: 764B

.rsrc Size: 189KB - Virtual size: 188KB

.reloc Size: 512B - Virtual size: 368B

4cd5ad0d950a17d16594ac7f683f928a

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

Sections

.text Size: 271KB - Virtual size: 270KB

.rdata Size: 146KB - Virtual size: 146KB

.data Size: 62KB - Virtual size: 441KB

.rsrc Size: 1024B - Virtual size: 864B

.reloc Size: 11KB - Virtual size: 11KB

3709c0427e1da1b41889cce9e54378a6

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

Exports

Exports

Sections

.text Size: 233KB - Virtual size: 233KB

.rdata Size: 90KB - Virtual size: 89KB

.data Size: 13KB - Virtual size: 373KB

.gfids Size: 512B - Virtual size: 276B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 5KB - Virtual size: 5KB

e4e0ea0662d52244c535e0fd3b19eb00

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

untfs

Sections

.text Size: 131KB - Virtual size: 131KB

.kdata Size: 1024B - Virtual size: 688B

.bdata Size: 1KB - Virtual size: 1KB

.rsrc Size: 1024B - Virtual size: 864B

.reloc Size: 3KB - Virtual size: 3KB

592c8c97e3aea7f416681fd475fbb664

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

5c:5e:30:13:88:9c:78:53:ba:55:7a:c9:0f:39:8e:84
Certificate

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

3d:1a:35:72:30:15:82:63:30:d0:13:71:7e:82:41:08
Certificate

ba:64:fd:71:8c:87:96:c2:f7:59:64:5e:52:0d:72:50:c3:01:1e:c4
Signer

.text
Size: 3KB - Virtual size: 2KB

.rdata6
Size: 512B - Virtual size: 100B

.rdata5
Size: 10KB - Virtual size: 9KB

.rdata4
Size: 10KB - Virtual size: 9KB

.rdata3
Size: 350KB - Virtual size: 350KB

.data
Size: 1024B - Virtual size: 764B

.rsrc
Size: 189KB - Virtual size: 188KB

.reloc
Size: 512B - Virtual size: 368B

.text
Size: 271KB - Virtual size: 270KB

.rdata
Size: 146KB - Virtual size: 146KB

.data
Size: 62KB - Virtual size: 441KB

.rsrc
Size: 1024B - Virtual size: 864B

.reloc
Size: 11KB - Virtual size: 11KB

.text
Size: 233KB - Virtual size: 233KB

.rdata
Size: 90KB - Virtual size: 89KB

.data
Size: 13KB - Virtual size: 373KB

.gfids
Size: 512B - Virtual size: 276B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 5KB - Virtual size: 5KB

.text
Size: 131KB - Virtual size: 131KB

.kdata
Size: 1024B - Virtual size: 688B

.bdata
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 1024B - Virtual size: 864B

.reloc
Size: 3KB - Virtual size: 3KB

.text
Size: 103KB - Virtual size: 102KB

.rdata
Size: 2KB - Virtual size: 2KB

.data
Size: 2KB - Virtual size: 12KB

.reloc
Size: 2KB - Virtual size: 2KB