zloader | 76f4db4f373809a4dba455b3370a049295e711f635fa4c070790e1cb907e31a6

Resubmissions

03-08-2023 07:52

230803-jqkwdsca99 10

27-07-2023 11:24

26-12-2022 13:39

26-12-2022 13:39

26-12-2022 13:38

26-12-2022 13:38

Analysis

max time kernel
1748s
max time network
1753s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2023 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

830700df4fc2b75b067479d6f2f67d51dff7e883d2a33793c905380a9351cb46.dll
Size

493KB
MD5

efddc2807ecbdffd694cd97936404053
SHA1

c68b7b94e591fbc4cda9bdb8c2caaa33880464c7
SHA256

830700df4fc2b75b067479d6f2f67d51dff7e883d2a33793c905380a9351cb46
SHA512

e6b0fd0f52c5b7e82bb66d08c4a3f8a4bddf1ce75c140e73afb4c1f57131df81e5d39f7833de15b40e980f0605bfd1840f81b610134634db000f6e18388bf09a
SSDEEP

12288:WsCr6MfAEtHaqxnXmtkl0CMh+1wY7JuegO4I9y:Wsi6MBtHBzlRMg1wY34I9y

Score

10^/10

zloader nut 18/02 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

nut

Campaign

18/02

https://ramkanshop.ir/post.php

https://lph786.com/post.php

https://efaschoolfarooka.com/post.php

https://forexstick.com/post.php

https://firteccom.com/post.php

https://www.psychologynewmind.com/post.php

https://dirashightapbide.tk/post.php

Attributes

build_id
358

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 41 IoCs

flow	pid	Process
63	572	msiexec.exe
64	572	msiexec.exe
66	572	msiexec.exe
67	572	msiexec.exe
68	572	msiexec.exe
69	572	msiexec.exe
71	572	msiexec.exe
88	572	msiexec.exe
99	572	msiexec.exe
100	572	msiexec.exe
101	572	msiexec.exe
102	572	msiexec.exe
103	572	msiexec.exe
104	572	msiexec.exe
105	572	msiexec.exe
112	572	msiexec.exe
120	572	msiexec.exe
121	572	msiexec.exe
122	572	msiexec.exe
123	572	msiexec.exe
124	572	msiexec.exe
125	572	msiexec.exe
126	572	msiexec.exe
133	572	msiexec.exe
135	572	msiexec.exe
237	572	msiexec.exe
238	572	msiexec.exe
239	572	msiexec.exe
240	572	msiexec.exe
241	572	msiexec.exe
242	572	msiexec.exe
243	572	msiexec.exe
250	572	msiexec.exe
257	572	msiexec.exe
258	572	msiexec.exe
259	572	msiexec.exe
260	572	msiexec.exe
261	572	msiexec.exe
262	572	msiexec.exe
263	572	msiexec.exe
270	572	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1908 set thread context of 572	1908	rundll32.exe	94

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	572	msiexec.exe
Token: SeSecurityPrivilege	572	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 1908	2884	rundll32.exe	85
PID 2884 wrote to memory of 1908	2884	rundll32.exe	85
PID 2884 wrote to memory of 1908	2884	rundll32.exe	85
PID 1908 wrote to memory of 572	1908	rundll32.exe	94
PID 1908 wrote to memory of 572	1908	rundll32.exe	94
PID 1908 wrote to memory of 572	1908	rundll32.exe	94
PID 1908 wrote to memory of 572	1908	rundll32.exe	94
PID 1908 wrote to memory of 572	1908	rundll32.exe	94

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\830700df4fc2b75b067479d6f2f67d51dff7e883d2a33793c905380a9351cb46.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\830700df4fc2b75b067479d6f2f67d51dff7e883d2a33793c905380a9351cb46.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    PID:572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\42JDD8EA\post[1].htm

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
memory/572-136-0x0000000000B40000-0x0000000000B69000-memory.dmp

Filesize
164KB

Download
memory/572-139-0x0000000000B40000-0x0000000000B69000-memory.dmp

Filesize
164KB

Download
memory/572-140-0x0000000000B40000-0x0000000000B69000-memory.dmp

Filesize
164KB

Download
memory/1908-133-0x0000000075830000-0x000000007590D000-memory.dmp

Filesize
884KB

Download
memory/1908-135-0x0000000075830000-0x000000007590D000-memory.dmp

Filesize
884KB

Download
memory/1908-134-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/1908-137-0x0000000075830000-0x000000007590D000-memory.dmp

Filesize
884KB

Download