zloader | 76f4db4f373809a4dba455b3370a049295e711f635fa4c070790e1cb907e31a6

Resubmissions

03-08-2023 07:52

230803-jqkwdsca99 10

27-07-2023 11:24

26-12-2022 13:39

26-12-2022 13:39

26-12-2022 13:38

26-12-2022 13:38

Analysis

max time kernel
1692s
max time network
1755s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
03-08-2023 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

830700df4fc2b75b067479d6f2f67d51dff7e883d2a33793c905380a9351cb46.dll
Size

493KB
MD5

efddc2807ecbdffd694cd97936404053
SHA1

c68b7b94e591fbc4cda9bdb8c2caaa33880464c7
SHA256

830700df4fc2b75b067479d6f2f67d51dff7e883d2a33793c905380a9351cb46
SHA512

e6b0fd0f52c5b7e82bb66d08c4a3f8a4bddf1ce75c140e73afb4c1f57131df81e5d39f7833de15b40e980f0605bfd1840f81b610134634db000f6e18388bf09a
SSDEEP

12288:WsCr6MfAEtHaqxnXmtkl0CMh+1wY7JuegO4I9y:Wsi6MBtHBzlRMg1wY34I9y

Score

10^/10

zloader nut 18/02 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

nut

Campaign

18/02

https://ramkanshop.ir/post.php

https://lph786.com/post.php

https://efaschoolfarooka.com/post.php

https://forexstick.com/post.php

https://firteccom.com/post.php

https://www.psychologynewmind.com/post.php

https://dirashightapbide.tk/post.php

Attributes

build_id
358

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 64 IoCs

flow	pid	Process
14	2352	msiexec.exe
15	2352	msiexec.exe
16	2352	msiexec.exe
17	2352	msiexec.exe
18	2352	msiexec.exe
19	2352	msiexec.exe
20	2352	msiexec.exe
21	2352	msiexec.exe
22	2352	msiexec.exe
23	2352	msiexec.exe
24	2352	msiexec.exe
25	2352	msiexec.exe
26	2352	msiexec.exe
27	2352	msiexec.exe
28	2352	msiexec.exe
29	2352	msiexec.exe
30	2352	msiexec.exe
31	2352	msiexec.exe
32	2352	msiexec.exe
33	2352	msiexec.exe
34	2352	msiexec.exe
36	2352	msiexec.exe
37	2352	msiexec.exe
38	2352	msiexec.exe
40	2352	msiexec.exe
42	2352	msiexec.exe
44	2352	msiexec.exe
50	2352	msiexec.exe
59	2352	msiexec.exe
60	2352	msiexec.exe
61	2352	msiexec.exe
62	2352	msiexec.exe
63	2352	msiexec.exe
64	2352	msiexec.exe
65	2352	msiexec.exe
66	2352	msiexec.exe
67	2352	msiexec.exe
68	2352	msiexec.exe
69	2352	msiexec.exe
70	2352	msiexec.exe
71	2352	msiexec.exe
72	2352	msiexec.exe
73	2352	msiexec.exe
74	2352	msiexec.exe
75	2352	msiexec.exe
76	2352	msiexec.exe
77	2352	msiexec.exe
78	2352	msiexec.exe
79	2352	msiexec.exe
81	2352	msiexec.exe
82	2352	msiexec.exe
83	2352	msiexec.exe
84	2352	msiexec.exe
86	2352	msiexec.exe
88	2352	msiexec.exe
98	2352	msiexec.exe
99	2352	msiexec.exe
100	2352	msiexec.exe
101	2352	msiexec.exe
102	2352	msiexec.exe
103	2352	msiexec.exe
104	2352	msiexec.exe
105	2352	msiexec.exe
106	2352	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2576 set thread context of 2352	2576	rundll32.exe	31

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2352	msiexec.exe
Token: SeSecurityPrivilege	2352	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2576	2400	rundll32.exe	28
PID 2400 wrote to memory of 2576	2400	rundll32.exe	28
PID 2400 wrote to memory of 2576	2400	rundll32.exe	28
PID 2400 wrote to memory of 2576	2400	rundll32.exe	28
PID 2400 wrote to memory of 2576	2400	rundll32.exe	28
PID 2400 wrote to memory of 2576	2400	rundll32.exe	28
PID 2400 wrote to memory of 2576	2400	rundll32.exe	28
PID 2576 wrote to memory of 2352	2576	rundll32.exe	31
PID 2576 wrote to memory of 2352	2576	rundll32.exe	31
PID 2576 wrote to memory of 2352	2576	rundll32.exe	31
PID 2576 wrote to memory of 2352	2576	rundll32.exe	31
PID 2576 wrote to memory of 2352	2576	rundll32.exe	31
PID 2576 wrote to memory of 2352	2576	rundll32.exe	31
PID 2576 wrote to memory of 2352	2576	rundll32.exe	31
PID 2576 wrote to memory of 2352	2576	rundll32.exe	31
PID 2576 wrote to memory of 2352	2576	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\830700df4fc2b75b067479d6f2f67d51dff7e883d2a33793c905380a9351cb46.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\830700df4fc2b75b067479d6f2f67d51dff7e883d2a33793c905380a9351cb46.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    PID:2352

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
272dc06afcdd95a3da7304352fb2e429

SHA1
7eba44922a6b7a26d952315536f4e9e7b03272a7

SHA256
b96170d8712b866b6e6d0a5726c8ccd20e8a9d6a32ff83cf052de889b02c3105

SHA512
e2ed728cdc35397c436d162aa42a8ceeddee016640ee21e69576a68edc78041bd955cfb1d1a9934ca1cd216bdec2e0f50ec301beabaab71dfa1c07830163b9b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TGCFYHZ3\post[1].htm

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab677C.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar67BD.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
memory/2352-58-0x00000000000C0000-0x00000000000E9000-memory.dmp

Filesize
164KB

Download
memory/2352-60-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2352-62-0x00000000000C0000-0x00000000000E9000-memory.dmp

Filesize
164KB

Download
memory/2352-64-0x00000000000C0000-0x00000000000E9000-memory.dmp

Filesize
164KB

Download
memory/2352-66-0x00000000000C0000-0x00000000000E9000-memory.dmp

Filesize
164KB

Download
memory/2352-67-0x00000000000C0000-0x00000000000E9000-memory.dmp

Filesize
164KB

Download
memory/2352-69-0x00000000000C0000-0x00000000000E9000-memory.dmp

Filesize
164KB

Download
memory/2576-63-0x00000000750F0000-0x00000000751CD000-memory.dmp

Filesize
884KB

Download
memory/2576-55-0x00000000750F0000-0x00000000751CD000-memory.dmp

Filesize
884KB

Download
memory/2576-57-0x00000000750F0000-0x00000000751CD000-memory.dmp

Filesize
884KB

Download
memory/2576-56-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2576-54-0x00000000750F0000-0x00000000751CD000-memory.dmp

Filesize
884KB

Download