Overview

overview

10

Static

static

3

890eacb1a4...c8.dll

windows7-x64

10

Resubmissions

10-08-2023 17:07

230810-vmzqxsfe66 10

10-08-2023 16:28

230810-tym1tsfa36 10

01-02-2022 09:54

220201-lxap4sceap 10

Analysis

  • max time kernel
    1190s
  • max time network
    1201s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    10-08-2023 16:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    890eacb1a49d606586eb585ee0738f55ac76fb3a175016ad627532425ee19dc8.dll

  • Size

    251KB

  • MD5

    4c35bc0bb978ae5273a27c7882483eb4

  • SHA1

    e5fb5c5c523e872db6ffd03428f5c0dc74cc9192

  • SHA256

    890eacb1a49d606586eb585ee0738f55ac76fb3a175016ad627532425ee19dc8

  • SHA512

    03154958d83f22969e2967425c35c30bd3a402073819cbea4583f147fecae8ca28281f6c4af5c4c883c3d71e2d272dba066f7b524bf185e512f1092e2db520ee

  • SSDEEP

    3072:i0WgIwbSN7hT/MO4005Cs//ubGAVsyGTqD58Vf2TIoe/vW/hDGvRR/ib10CEjq1v:0gIwatT/3w0zVsyGTQ8eTmDbC1rBFak

Score
10/10
zloaderspambzmanbotnettrojan

Malware Config

Extracted

Family

zloader

Botnet

spam

Campaign

BZMAN

C2

https://stoutorder.xyz/rest.php

Attributes
  • build_id

    3

rc4.plain
rsa_pubkey.plain

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\890eacb1a49d606586eb585ee0738f55ac76fb3a175016ad627532425ee19dc8.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2476
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\890eacb1a49d606586eb585ee0738f55ac76fb3a175016ad627532425ee19dc8.dll
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1904
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2900

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1904-54-0x0000000000400000-0x0000000000446000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1904-55-0x0000000000400000-0x0000000000446000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1904-56-0x0000000000400000-0x0000000000446000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1904-68-0x0000000000400000-0x0000000000446000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2900-65-0x00000000000C0000-0x00000000000C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2900-63-0x0000000000090000-0x00000000000BC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2900-67-0x0000000000090000-0x00000000000BC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2900-69-0x0000000000090000-0x00000000000BC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2900-71-0x0000000000090000-0x00000000000BC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2900-72-0x0000000000090000-0x00000000000BC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2900-73-0x0000000000090000-0x00000000000BC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2900-74-0x0000000000090000-0x00000000000BC000-memory.dmp

    Filesize

    176KB

    Download