zloader | f97954d9c80dbfee223fb704863c5a156912f450eee2d0510af6301dfd919f09

Resubmissions

31-10-2023 09:03

07-07-2021 20:04

max time kernel
1683s
max time network
1701s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2023 09:03

Target

favicon.dll
Size

646KB
MD5

1d700b208c65ca26efe5fa4be4749569
SHA1

3deeff224b359ca2b28a841a116b84b783206adc
SHA256

f97954d9c80dbfee223fb704863c5a156912f450eee2d0510af6301dfd919f09
SHA512

8c5bcbdf35f4e3ad1177d98b0944b1ec9f407a7bd537af5ecd8e5aad37a67c4c46748bfbe165b4edb6348324e4b97d26a6e1af0007f458c3f697a6757cb05d92
SSDEEP

12288:A1Xiy+UrnWHWzB2nWSgg6Uyan4jN3PMLYHBlIfNGwOF4IurIU+ls:JlUKQgWfg6qkHMOF8IU

Score

10^/10

Family

zloader

Botnet

mk1

Campaign

mac2

https://dssdffsdf.drld/mm.php

Attributes

rc4.plain

rsa_pubkey.plain

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1328 created 3132 1328 rundll32.exe Explorer.EXE
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exe

flow pid process

92 184 msiexec.exe
95 184 msiexec.exe
97 184 msiexec.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1328 set thread context of 184 1328 rundll32.exe msiexec.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1328 rundll32.exe
1328 rundll32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

rundll32.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 1328 rundll32.exe
Token: SeSecurityPrivilege 184 msiexec.exe
Token: SeSecurityPrivilege 184 msiexec.exe

description	pid	process	target process
PID 1328 created 3132	1328	rundll32.exe	Explorer.EXE

description	pid	process	target process
PID 1328 set thread context of 184	1328	rundll32.exe	msiexec.exe

pid	process
1328	rundll32.exe
1328	rundll32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2312 wrote to memory of 1328	2312	rundll32.exe	rundll32.exe
PID 2312 wrote to memory of 1328	2312	rundll32.exe	rundll32.exe
PID 2312 wrote to memory of 1328	2312	rundll32.exe	rundll32.exe
PID 1328 wrote to memory of 184	1328	rundll32.exe	msiexec.exe
PID 1328 wrote to memory of 184	1328	rundll32.exe	msiexec.exe
PID 1328 wrote to memory of 184	1328	rundll32.exe	msiexec.exe
PID 1328 wrote to memory of 184	1328	rundll32.exe	msiexec.exe
PID 1328 wrote to memory of 184	1328	rundll32.exe	msiexec.exe

memory/184-12-0x0000000001040000-0x000000000106D000-memory.dmp

Filesize
180KB

Download
memory/184-16-0x0000000001040000-0x000000000106D000-memory.dmp

Filesize
180KB

Download
memory/184-17-0x0000000001040000-0x000000000106D000-memory.dmp

Filesize
180KB

Download
memory/1328-0-0x0000000074F40000-0x000000007507F000-memory.dmp

Filesize
1.2MB

Download
memory/1328-1-0x0000000074F40000-0x000000007507F000-memory.dmp

Filesize
1.2MB

Download
memory/1328-2-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

Filesize
4KB

Download
memory/1328-3-0x0000000074F40000-0x000000007507F000-memory.dmp

Filesize
1.2MB

Download
memory/1328-4-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

Filesize
4KB

Download
memory/1328-13-0x0000000074F40000-0x000000007507F000-memory.dmp

Filesize
1.2MB

Download