zloader | 1f41fd3e96ef1c1328d08ced03ac5e1b717a45cda8cf94a1c4ffe775e43623b8

Resubmissions

10-08-2023 17:09

230810-vn35qsfe85 10

10-08-2023 16:29

230810-ty96csgg4t 10

07-07-2021 20:32

210707-5mqmkk4eyx 10

Analysis

max time kernel
2606s
max time network
2284s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
10-08-2023 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f41fd3e96ef1c1328d08ced03ac5e1b717a45cda8cf94a1c4ffe775e43623b8.dll
Size

172KB
MD5

2297dee946320ce03b8db35b1ae6462d
SHA1

5958e724e5cceca807531b2b1ea4b18a2a8698dd
SHA256

1f41fd3e96ef1c1328d08ced03ac5e1b717a45cda8cf94a1c4ffe775e43623b8
SHA512

560b1f80b5e96ae8281bbea2271476a2a38d6c55b231c4e5594d9581cf5cb0bdcfffb1cd02b4aca4249eb0e21b15ee48391c02d7170dfad410ae591243ff5188
SSDEEP

3072:EoUF1YzA5/iJ+PG6qOP3SCmNTxJ43nPNntucoYBqCWCpJw6vS5dTGzpsf4eP4:OQJ2P3nmpxAzoSqBC162feg

Score

10^/10

zloader mk1 mac2 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

mk1

Campaign

mac2

https://dssdffsdf.drld/mm.php

Attributes

build_id
43

rc4.plain

rsa_pubkey.plain

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2088 created 1256	2088	regsvr32.exe	13

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 5 IoCs

flow	pid	Process
11	2844	msiexec.exe
13	2844	msiexec.exe
83	2844	msiexec.exe
84	2844	msiexec.exe
86	2844	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2088 set thread context of 2844	2088	regsvr32.exe	31

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2088	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2088	regsvr32.exe
Token: SeSecurityPrivilege	2844	msiexec.exe
Token: SeSecurityPrivilege	2844	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 788 wrote to memory of 2088	788	regsvr32.exe	28
PID 788 wrote to memory of 2088	788	regsvr32.exe	28
PID 788 wrote to memory of 2088	788	regsvr32.exe	28
PID 788 wrote to memory of 2088	788	regsvr32.exe	28
PID 788 wrote to memory of 2088	788	regsvr32.exe	28
PID 788 wrote to memory of 2088	788	regsvr32.exe	28
PID 788 wrote to memory of 2088	788	regsvr32.exe	28
PID 2088 wrote to memory of 2844	2088	regsvr32.exe	31
PID 2088 wrote to memory of 2844	2088	regsvr32.exe	31
PID 2088 wrote to memory of 2844	2088	regsvr32.exe	31
PID 2088 wrote to memory of 2844	2088	regsvr32.exe	31
PID 2088 wrote to memory of 2844	2088	regsvr32.exe	31
PID 2088 wrote to memory of 2844	2088	regsvr32.exe	31
PID 2088 wrote to memory of 2844	2088	regsvr32.exe	31
PID 2088 wrote to memory of 2844	2088	regsvr32.exe	31
PID 2088 wrote to memory of 2844	2088	regsvr32.exe	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1f41fd3e96ef1c1328d08ced03ac5e1b717a45cda8cf94a1c4ffe775e43623b8.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:788
- - C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\1f41fd3e96ef1c1328d08ced03ac5e1b717a45cda8cf94a1c4ffe775e43623b8.dll
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2088
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of AdjustPrivilegeToken
  PID:2844

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabF163.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCFC3.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
memory/2844-54-0x00000000000D0000-0x00000000000FD000-memory.dmp

Filesize
180KB

Download
memory/2844-56-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2844-57-0x00000000000D0000-0x00000000000FD000-memory.dmp

Filesize
180KB

Download
memory/2844-58-0x00000000000D0000-0x00000000000FD000-memory.dmp

Filesize
180KB

Download
memory/2844-60-0x00000000000D0000-0x00000000000FD000-memory.dmp

Filesize
180KB

Download
memory/2844-61-0x00000000000D0000-0x00000000000FD000-memory.dmp

Filesize
180KB

Download
memory/2844-63-0x00000000000D0000-0x00000000000FD000-memory.dmp

Filesize
180KB

Download