zloader | 76f4db4f373809a4dba455b3370a049295e711f635fa4c070790e1cb907e31a6

Resubmissions

03-08-2023 07:52

230803-jqkwdsca99 10

27-07-2023 11:24

26-12-2022 13:39

26-12-2022 13:39

26-12-2022 13:38

26-12-2022 13:38

Analysis

max time kernel
1799s
max time network
1803s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
03-08-2023 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b89d80ca3f0a5da24b8b768d2d5eb35ca1322f6bc2b01e265465ac95d7d61279.dll
Size

345KB
MD5

adba2ac8f027946da258155b140c068a
SHA1

91b1dceb17403910d7aa9bee1029f11153accff4
SHA256

b89d80ca3f0a5da24b8b768d2d5eb35ca1322f6bc2b01e265465ac95d7d61279
SHA512

356865ecaf00b10af50ec1f7ffdcc89249e1eaf2a1648c970393d7c66359e578ce9d6987f66dc49cb769e36e8ea62c4ff17d6b173bc793b61fa81e11e619229f
SSDEEP

6144:q9xZILKtmfbcPK2U6gRURSxE8efnQe+R+FNHmZ04aR31cdpN0V:q9xZIL1bcPRUrURAOn8gTGCPMwV

Score

10^/10

zloader nut 16/02 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

nut

Campaign

16/02

https://wewalk.cl/post.php

https://dpack-co.com/post.php

https://dr-mirahmadi.ir/post.php

https://indiaastrologyfoundation.in/post.php

https://metisacademy.ir/post.php

https://lan-samarinda.com/post.php

https://pyouleigorgawimbwans.tk/post.php

Attributes

build_id
351

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 64 IoCs

flow	pid	Process
18	2984	msiexec.exe
20	2984	msiexec.exe
22	2984	msiexec.exe
23	2984	msiexec.exe
24	2984	msiexec.exe
25	2984	msiexec.exe
26	2984	msiexec.exe
27	2984	msiexec.exe
29	2984	msiexec.exe
30	2984	msiexec.exe
31	2984	msiexec.exe
32	2984	msiexec.exe
33	2984	msiexec.exe
34	2984	msiexec.exe
35	2984	msiexec.exe
36	2984	msiexec.exe
37	2984	msiexec.exe
38	2984	msiexec.exe
39	2984	msiexec.exe
40	2984	msiexec.exe
41	2984	msiexec.exe
42	2984	msiexec.exe
43	2984	msiexec.exe
44	2984	msiexec.exe
45	2984	msiexec.exe
46	2984	msiexec.exe
47	2984	msiexec.exe
48	2984	msiexec.exe
49	2984	msiexec.exe
50	2984	msiexec.exe
51	2984	msiexec.exe
52	2984	msiexec.exe
54	2984	msiexec.exe
63	2984	msiexec.exe
65	2984	msiexec.exe
66	2984	msiexec.exe
67	2984	msiexec.exe
68	2984	msiexec.exe
69	2984	msiexec.exe
70	2984	msiexec.exe
71	2984	msiexec.exe
72	2984	msiexec.exe
73	2984	msiexec.exe
74	2984	msiexec.exe
75	2984	msiexec.exe
76	2984	msiexec.exe
77	2984	msiexec.exe
78	2984	msiexec.exe
79	2984	msiexec.exe
80	2984	msiexec.exe
81	2984	msiexec.exe
82	2984	msiexec.exe
83	2984	msiexec.exe
84	2984	msiexec.exe
85	2984	msiexec.exe
86	2984	msiexec.exe
87	2984	msiexec.exe
88	2984	msiexec.exe
89	2984	msiexec.exe
90	2984	msiexec.exe
91	2984	msiexec.exe
92	2984	msiexec.exe
93	2984	msiexec.exe
94	2984	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2012 set thread context of 2984	2012	rundll32.exe	29

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2984	msiexec.exe
Token: SeSecurityPrivilege	2984	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 2012	860	rundll32.exe	28
PID 860 wrote to memory of 2012	860	rundll32.exe	28
PID 860 wrote to memory of 2012	860	rundll32.exe	28
PID 860 wrote to memory of 2012	860	rundll32.exe	28
PID 860 wrote to memory of 2012	860	rundll32.exe	28
PID 860 wrote to memory of 2012	860	rundll32.exe	28
PID 860 wrote to memory of 2012	860	rundll32.exe	28
PID 2012 wrote to memory of 2984	2012	rundll32.exe	29
PID 2012 wrote to memory of 2984	2012	rundll32.exe	29
PID 2012 wrote to memory of 2984	2012	rundll32.exe	29
PID 2012 wrote to memory of 2984	2012	rundll32.exe	29
PID 2012 wrote to memory of 2984	2012	rundll32.exe	29
PID 2012 wrote to memory of 2984	2012	rundll32.exe	29
PID 2012 wrote to memory of 2984	2012	rundll32.exe	29
PID 2012 wrote to memory of 2984	2012	rundll32.exe	29
PID 2012 wrote to memory of 2984	2012	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b89d80ca3f0a5da24b8b768d2d5eb35ca1322f6bc2b01e265465ac95d7d61279.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:860
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b89d80ca3f0a5da24b8b768d2d5eb35ca1322f6bc2b01e265465ac95d7d61279.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    PID:2984

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4446FC12B68E1A179B3B0CE6496080AE

Filesize
1KB

MD5
2ac72be869168b36fd74e93016e11e3b

SHA1
ff9ceb13c83f15b800e6eff987b2c72e01b4b320

SHA256
129fb5de501e24041cd14a81075fd1cde257408d4a353e636912e38bdda2d3fb

SHA512
691ab3144879b757bb24299bb68a485bcc285ff8f16f590d7bf9ddc930f65cbc99da33f349288ad2242faf26b2af33c2592afc6b65ab6850bffe8dee20274247

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6525274CBC2077D43D7D17A33C868C4F

Filesize
959B

MD5
d5e98140c51869fc462c8975620faa78

SHA1
07e032e020b72c3f192f0628a2593a19a70f069e

SHA256
5c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e

SHA512
9bd164cc4b9ef07386762d3775c6d9528b82d4a9dc508c3040104b8d41cfec52eb0b7e6f8dc47c5021ce2fe3ca542c4ae2b54fd02d76b0eabd9724484621a105

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4446FC12B68E1A179B3B0CE6496080AE

Filesize
198B

MD5
3e46d946473ec21515e6221de018cb8b

SHA1
377e1680db424f6ad1c6dc98742664108ee3cc59

SHA256
56a88ee7f3b525dfacb35b02b60201a07613fc19ef2523f5452148f7cd2f6624

SHA512
066ce5ceb8b21b1b4786110d71e22b13b537277ff08b266d58880fc41909a12d8b470519fa93ebac4a6937e82c1000531f1bff1aa8592f645d351044137a30fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6525274CBC2077D43D7D17A33C868C4F

Filesize
192B

MD5
e4cab7415fc18e887774ee39b54e57eb

SHA1
9d51e8e707e4b49e2f168bbee54428840f586535

SHA256
6d75dde251355dbd9f98a3c76117e27e0dd13ab4bcdccc171f206fc11a2e8c28

SHA512
5bda0534890413535d58ddbec9d3a62e4d35f8e83bb7b6a76c77be7451961048ad890edd241edb1d93e1a091ccecab9ae27d3a207ed5f2f844619c0c7f322ccf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7219f42465bb87c3e566f4bcb6fb5ff5

SHA1
399f8cc3145adcf4d54b0913c8299ff0d6aee209

SHA256
fcecaac50d8e8a41fb745492960ff05d1c2ab914a2a8510122afd74409cf2ebe

SHA512
f1cd0d459ef00b544c9c926ec09f563b989e08707e827d90fc242caf1ecf1197b1995ca2a0d321311536d18eba77df17a8f5f0c021503531aeeae08bacc1eb7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
47599d214c16b39cb73126e91b5da059

SHA1
8942f0a713b27911ca1bf565496ca4a93bed0af3

SHA256
569a6117370fbc527c570568af2e57952256dd152d9791286c5348d820cdb155

SHA512
849d7c6bfe0670ee0812ad6ca84f25c0d0baf3c3522f057dae6ea884667771a5d18b40245aaadaea1d3bf376a82b18877bb8ceb7a03d6cb7c4a5adc082ee0789

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab33E.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar360.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
memory/2012-56-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2012-55-0x0000000074400000-0x00000000744B5000-memory.dmp

Filesize
724KB

Download
memory/2012-54-0x0000000074400000-0x00000000744B5000-memory.dmp

Filesize
724KB

Download
memory/2012-62-0x0000000074400000-0x00000000744B5000-memory.dmp

Filesize
724KB

Download
memory/2984-61-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/2984-68-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/2984-67-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/2984-66-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/2984-65-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/2984-63-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/2984-59-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2984-57-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download