zloader | 76f4db4f373809a4dba455b3370a049295e711f635fa4c070790e1cb907e31a6

Resubmissions

03-08-2023 07:52

230803-jqkwdsca99 10

27-07-2023 11:24

26-12-2022 13:39

26-12-2022 13:39

26-12-2022 13:38

26-12-2022 13:38

Analysis

max time kernel
1799s
max time network
1637s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
03-08-2023 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cad0968f5ab3bedeffef68bbe18f92946fb97967cef59970157029480ed15bb9.exe
Size

139KB
MD5

d91b498e5fc6c91e1e86b339407b58f7
SHA1

369e3c4646a69b99a797e0e288fd3145e2a6f35a
SHA256

cad0968f5ab3bedeffef68bbe18f92946fb97967cef59970157029480ed15bb9
SHA512

b981f7c4857327708233bf7e44bfb485c1cc7148ca850a63b12f854215edb583f5a499109d67b94f213226d23d0f4e0e5d04b888193fa5e799e30f051e9c9dbd
SSDEEP

3072:XBkH2At/3YyzX2OpphkGYI+C9AwcOZBJ7zk:n6/IAFkCDc+BJ7w

Score

10^/10

zloader vlenie10 obnova10 botnet persistence trojan

Malware Config

Extracted

Family

zloader

Botnet

vlenie10

Campaign

obnova10

https://kdsidsiadsakfsas.com/gate.php

https://jdafiasfjsafahhfs.com/gate.php

https://dasifosafjasfhasf.com/gate.php

https://kasfajfsafhasfhaf.com/gate.php

https://fdsjfjdsfjdsjfdjsfh.com/gate.php

https://fdsjfjdsfjdsdsjajjs.com/gate.php

https://idisaudhasdhasdj.com/gate.php

https://dsjdjsjdsadhasdas.com/gate.php

https://dsdjfhdsufudhjas.com/gate.php

Attributes

build_id
1869505135

rc4.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 28 IoCs

flow	pid	Process
15	2020	msiexec.exe
17	2020	msiexec.exe
19	2020	msiexec.exe
21	2020	msiexec.exe
23	2020	msiexec.exe
25	2020	msiexec.exe
27	2020	msiexec.exe
30	2020	msiexec.exe
31	2020	msiexec.exe
32	2020	msiexec.exe
33	2020	msiexec.exe
35	2020	msiexec.exe
38	2020	msiexec.exe
39	2020	msiexec.exe
40	2020	msiexec.exe
41	2020	msiexec.exe
42	2020	msiexec.exe
45	2020	msiexec.exe
52	2020	msiexec.exe
55	2020	msiexec.exe
56	2020	msiexec.exe
57	2020	msiexec.exe
58	2020	msiexec.exe
61	2020	msiexec.exe
63	2020	msiexec.exe
64	2020	msiexec.exe
65	2020	msiexec.exe
66	2020	msiexec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uhdyofe = "C:\\Users\\Admin\\AppData\\Roaming\\Bufogu\\ebohfieg.exe"	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2572 set thread context of 2020	2572	cad0968f5ab3bedeffef68bbe18f92946fb97967cef59970157029480ed15bb9.exe	30

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2020	msiexec.exe
Token: SeSecurityPrivilege	2020	msiexec.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 2020	2572	cad0968f5ab3bedeffef68bbe18f92946fb97967cef59970157029480ed15bb9.exe	30
PID 2572 wrote to memory of 2020	2572	cad0968f5ab3bedeffef68bbe18f92946fb97967cef59970157029480ed15bb9.exe	30
PID 2572 wrote to memory of 2020	2572	cad0968f5ab3bedeffef68bbe18f92946fb97967cef59970157029480ed15bb9.exe	30
PID 2572 wrote to memory of 2020	2572	cad0968f5ab3bedeffef68bbe18f92946fb97967cef59970157029480ed15bb9.exe	30
PID 2572 wrote to memory of 2020	2572	cad0968f5ab3bedeffef68bbe18f92946fb97967cef59970157029480ed15bb9.exe	30
PID 2572 wrote to memory of 2020	2572	cad0968f5ab3bedeffef68bbe18f92946fb97967cef59970157029480ed15bb9.exe	30
PID 2572 wrote to memory of 2020	2572	cad0968f5ab3bedeffef68bbe18f92946fb97967cef59970157029480ed15bb9.exe	30
PID 2572 wrote to memory of 2020	2572	cad0968f5ab3bedeffef68bbe18f92946fb97967cef59970157029480ed15bb9.exe	30
PID 2572 wrote to memory of 2020	2572	cad0968f5ab3bedeffef68bbe18f92946fb97967cef59970157029480ed15bb9.exe	30

C:\Users\Admin\AppData\Local\Temp\cad0968f5ab3bedeffef68bbe18f92946fb97967cef59970157029480ed15bb9.exe
"C:\Users\Admin\AppData\Local\Temp\cad0968f5ab3bedeffef68bbe18f92946fb97967cef59970157029480ed15bb9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe
  2⤵
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ddcc727a1c82325c6c4cefd9ed768ee6

SHA1
8fd0dbb4a4bf03fc2077f0ea91fb7f2b69ab9f32

SHA256
276996bf90fc018564fb89929a01d4bb227cd16a03ce583b8091f3ad7abcd21e

SHA512
648a350c5dba617cf30d29aab3c05e8143342bbed6c0f472d12dc19e4fd6888f999f0d1473b9a777a02be4e598ea8ae2ab3774283546a4731fb3967dbfd0dea7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7dcb729cf5fcfaadbd65f8421ec598e2

SHA1
a4afc02250391bfd2d322fd2e70cb84cc91ccff3

SHA256
d32526278ee7e1e723f6f56e1506681d718eca805b5784ff7edccb7a25d55416

SHA512
df4f3ac780c22bc601ec531d8aafd7831489878d7bfa9f38d17fc6af60f4fe37872d02e5fc297429591bbc5702d0b28f7dfe80533503dbaa9398da19ea314162

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1528.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1644.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
memory/2020-63-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/2020-69-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/2020-68-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/2020-65-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/2020-64-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2572-58-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2572-62-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2572-66-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2572-61-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2572-60-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2572-59-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2572-54-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2572-55-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2572-57-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2572-56-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads