zloader | 76f4db4f373809a4dba455b3370a049295e711f635fa4c070790e1cb907e31a6

Resubmissions

03-08-2023 07:52

230803-jqkwdsca99 10

27-07-2023 11:24

26-12-2022 13:39

26-12-2022 13:39

26-12-2022 13:38

26-12-2022 13:38

Analysis

max time kernel
1583s
max time network
1648s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
03-08-2023 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3932ab83bc05de2e91d321c4d479ff1aa3d10fdbd91e1687c80cc0ec88270e8.dll
Size

111KB
MD5

e3564138588cba04c873bd054458f8b9
SHA1

157ec7421e1333b714d01a750b6d5d6517a92c45
SHA256

e3932ab83bc05de2e91d321c4d479ff1aa3d10fdbd91e1687c80cc0ec88270e8
SHA512

2a2e8ce45a928bcffdb40ebf6559c1f071bb3feccfd9cfe355e593acb559ecf84858cf4474708d311317ab08b3f981eba7c8b80dceae973839a0eec9049665c8
SSDEEP

1536:3ui/9Xb791Wff4K84oeRnobxxm2ShclQaLMin8F5vAC+WEQbAmTjTpeyv0+gPzff:H/J7jWHT/oegcaQF5XEgHbpeyvfgT

Score

10^/10

zloader dllobnova 1017 botnet persistence trojan

Malware Config

Extracted

Family

zloader

Botnet

DLLobnova

Campaign

1017

https://fdsjfjdsfjdsjfdjsfh.com/gate.php

https://fdsjfjdsfjdsdsjajjs.com/gate.php

https://idisaudhasdhasdj.com/gate.php

https://dsjdjsjdsadhasdas.com/gate.php

https://dsdjfhdsufudhjas.com/gate.php

https://dsdjfhdsufudhjas.info/gate.php

https://fdsjfjdsfjdsdsjajjs.info/gate.php

https://idisaudhasdhasdj.info/gate.php

Attributes

build_id
28

rc4.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 51 IoCs

flow	pid	Process
7	2316	msiexec.exe
9	2316	msiexec.exe
11	2316	msiexec.exe
13	2316	msiexec.exe
15	2316	msiexec.exe
17	2316	msiexec.exe
19	2316	msiexec.exe
21	2316	msiexec.exe
23	2316	msiexec.exe
24	2316	msiexec.exe
26	2316	msiexec.exe
27	2316	msiexec.exe
28	2316	msiexec.exe
29	2316	msiexec.exe
30	2316	msiexec.exe
31	2316	msiexec.exe
32	2316	msiexec.exe
33	2316	msiexec.exe
35	2316	msiexec.exe
36	2316	msiexec.exe
37	2316	msiexec.exe
38	2316	msiexec.exe
39	2316	msiexec.exe
40	2316	msiexec.exe
41	2316	msiexec.exe
43	2316	msiexec.exe
45	2316	msiexec.exe
46	2316	msiexec.exe
47	2316	msiexec.exe
48	2316	msiexec.exe
49	2316	msiexec.exe
50	2316	msiexec.exe
51	2316	msiexec.exe
52	2316	msiexec.exe
54	2316	msiexec.exe
55	2316	msiexec.exe
56	2316	msiexec.exe
57	2316	msiexec.exe
58	2316	msiexec.exe
59	2316	msiexec.exe
60	2316	msiexec.exe
61	2316	msiexec.exe
63	2316	msiexec.exe
64	2316	msiexec.exe
65	2316	msiexec.exe
66	2316	msiexec.exe
67	2316	msiexec.exe
68	2316	msiexec.exe
69	2316	msiexec.exe
70	2316	msiexec.exe
73	2316	msiexec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows\CurrentVersion\Run\Odifub = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Fyyc\\faegu.dll,DllRegisterServer"	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1328 set thread context of 2316	1328	regsvr32.exe	31

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2316	msiexec.exe
Token: SeSecurityPrivilege	2316	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 1328	2336	regsvr32.exe	28
PID 2336 wrote to memory of 1328	2336	regsvr32.exe	28
PID 2336 wrote to memory of 1328	2336	regsvr32.exe	28
PID 2336 wrote to memory of 1328	2336	regsvr32.exe	28
PID 2336 wrote to memory of 1328	2336	regsvr32.exe	28
PID 2336 wrote to memory of 1328	2336	regsvr32.exe	28
PID 2336 wrote to memory of 1328	2336	regsvr32.exe	28
PID 1328 wrote to memory of 2316	1328	regsvr32.exe	31
PID 1328 wrote to memory of 2316	1328	regsvr32.exe	31
PID 1328 wrote to memory of 2316	1328	regsvr32.exe	31
PID 1328 wrote to memory of 2316	1328	regsvr32.exe	31
PID 1328 wrote to memory of 2316	1328	regsvr32.exe	31
PID 1328 wrote to memory of 2316	1328	regsvr32.exe	31
PID 1328 wrote to memory of 2316	1328	regsvr32.exe	31
PID 1328 wrote to memory of 2316	1328	regsvr32.exe	31
PID 1328 wrote to memory of 2316	1328	regsvr32.exe	31

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e3932ab83bc05de2e91d321c4d479ff1aa3d10fdbd91e1687c80cc0ec88270e8.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\e3932ab83bc05de2e91d321c4d479ff1aa3d10fdbd91e1687c80cc0ec88270e8.dll
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
43f7662734e3d7c4c945df2026bcea91

SHA1
5f16a1f5b400c48db2d7679b3a6ded61890b827f

SHA256
c82f409561343cc1b56606fbc3ba7413bb9a95a7b216afd8d937ef18412146c9

SHA512
166c669eb5ee13afd060b2e64cc20812d4be722b5b8d93e458ddb8deb464036449f914ba9a8130747b063eceec4d1b2ed45ffac4f5a533969f9d31796a7af131

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c06ffad916d98092cc88fe5e4ce5ebaa

SHA1
845307b172c108c96b3de9a834765270b4f2879a

SHA256
c81b55a37090d1f0b9cb461889bc630da933d687a6115d8cfeaa1ea0b4c2c0e1

SHA512
a6c2d1ca6b1303d7dc8a2def8edb87ce68f7393f8d29449265114382642819320ab2a3ea146bc9bb8cd3e6f936df4701c5857b43e770bac8b206563051bcb60c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7C24.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7D30.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
memory/2316-56-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2316-54-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/2316-58-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/2316-59-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/2316-61-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads