zloader | 0c1b74345e0300233db0396f78ca121e7589deda31b7bc455baa476274e3f2e5

Resubmissions

10-08-2023 16:28

230810-tyxv2afa37 10

04-10-2021 11:41

211004-ntvbfsgceq 10

Analysis

max time kernel
1790s
max time network
1802s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
10-08-2023 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c1b74345e0300233db0396f78ca121e7589deda31b7bc455baa476274e3f2e5.exe
Size

146KB
MD5

b42aa0c217dfeb5a86f140afa512a2c1
SHA1

575ebd278b6104dd2cc9f3871ada6cfd61c3a8f7
SHA256

0c1b74345e0300233db0396f78ca121e7589deda31b7bc455baa476274e3f2e5
SHA512

14e0681a733aa812303c241aa38d13d33b1f9817d8bef6ad0c9b6a423ae433633772021244c17bac278468fca508a76dfd9c64993d89df69b6317f2be21707a6
SSDEEP

3072:BHIbLRDJ1YGzRXczG9Nw5pwfhcMVd8v86jdbG42UO5LXrMUJKKMEK62Yi:BHcLRDz/czG9Mp2hcGd8vvjFG42PhMzi

Score

10^/10

zloader -dan web7-dan botnet persistence trojan

Malware Config

Extracted

Family

zloader

Botnet

-dan

Campaign

web7-dan

https://45.72.3.132/web7643/gate.php

Attributes

build_id
929195383

rc4.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 28 IoCs

flow	pid	Process
3	2820	msiexec.exe
5	2820	msiexec.exe
7	2820	msiexec.exe
9	2820	msiexec.exe
10	2820	msiexec.exe
12	2820	msiexec.exe
13	2820	msiexec.exe
14	2820	msiexec.exe
15	2820	msiexec.exe
16	2820	msiexec.exe
18	2820	msiexec.exe
19	2820	msiexec.exe
20	2820	msiexec.exe
21	2820	msiexec.exe
22	2820	msiexec.exe
24	2820	msiexec.exe
25	2820	msiexec.exe
26	2820	msiexec.exe
27	2820	msiexec.exe
28	2820	msiexec.exe
30	2820	msiexec.exe
31	2820	msiexec.exe
32	2820	msiexec.exe
33	2820	msiexec.exe
34	2820	msiexec.exe
36	2820	msiexec.exe
37	2820	msiexec.exe
38	2820	msiexec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ycho = "C:\\Users\\Admin\\AppData\\Roaming\\Fucyga\\fuegb.exe"	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1912 set thread context of 2820	1912	0c1b74345e0300233db0396f78ca121e7589deda31b7bc455baa476274e3f2e5.exe	28

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2820	msiexec.exe
Token: SeSecurityPrivilege	2820	msiexec.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 2820	1912	0c1b74345e0300233db0396f78ca121e7589deda31b7bc455baa476274e3f2e5.exe	28
PID 1912 wrote to memory of 2820	1912	0c1b74345e0300233db0396f78ca121e7589deda31b7bc455baa476274e3f2e5.exe	28
PID 1912 wrote to memory of 2820	1912	0c1b74345e0300233db0396f78ca121e7589deda31b7bc455baa476274e3f2e5.exe	28
PID 1912 wrote to memory of 2820	1912	0c1b74345e0300233db0396f78ca121e7589deda31b7bc455baa476274e3f2e5.exe	28
PID 1912 wrote to memory of 2820	1912	0c1b74345e0300233db0396f78ca121e7589deda31b7bc455baa476274e3f2e5.exe	28
PID 1912 wrote to memory of 2820	1912	0c1b74345e0300233db0396f78ca121e7589deda31b7bc455baa476274e3f2e5.exe	28
PID 1912 wrote to memory of 2820	1912	0c1b74345e0300233db0396f78ca121e7589deda31b7bc455baa476274e3f2e5.exe	28
PID 1912 wrote to memory of 2820	1912	0c1b74345e0300233db0396f78ca121e7589deda31b7bc455baa476274e3f2e5.exe	28
PID 1912 wrote to memory of 2820	1912	0c1b74345e0300233db0396f78ca121e7589deda31b7bc455baa476274e3f2e5.exe	28

C:\Users\Admin\AppData\Local\Temp\0c1b74345e0300233db0396f78ca121e7589deda31b7bc455baa476274e3f2e5.exe
"C:\Users\Admin\AppData\Local\Temp\0c1b74345e0300233db0396f78ca121e7589deda31b7bc455baa476274e3f2e5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe
  2⤵
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2820-54-0x0000000000090000-0x00000000000BA000-memory.dmp

Filesize
168KB

Download
memory/2820-55-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2820-57-0x0000000000090000-0x00000000000BA000-memory.dmp

Filesize
168KB

Download
memory/2820-59-0x0000000000090000-0x00000000000BA000-memory.dmp

Filesize
168KB

Download
memory/2820-60-0x0000000000090000-0x00000000000BA000-memory.dmp

Filesize
168KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads