Overview

overview

10

Static

static

9

023f1ef0cc...82.exe

windows7-x64

10

023f1ef0cc...82.exe

windows10-2004-x64

10

Resubmissions

15-11-2023 11:10

231115-m96hzsgb22 10

02-05-2022 23:45

220502-3rtpgaeghq 10

Analysis

  • max time kernel
    1157s
  • max time network
    1163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-11-2023 11:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    023f1ef0cc2c1e055b05ae1ff5bcc6bf2421003dea227aeb6d70c8a525fa3b82.exe

  • Size

    2.6MB

  • MD5

    fb95561e8ed7289d015e945ad470e6db

  • SHA1

    03573bc869701cffd7c96e223633d46b0a23823a

  • SHA256

    023f1ef0cc2c1e055b05ae1ff5bcc6bf2421003dea227aeb6d70c8a525fa3b82

  • SHA512

    2a0bf4048c1a9eca9e13566b1512403b51462c8eb71cfb273225fbc221aa156a3d3eb571fa5328ff2f4e2ef7026b3e8847f0c0a739d8f989ba716efa411821a6

  • SSDEEP

    6144:sTlCgffOYPE99pqcLE9zn0HJGsfb7cwhl7e/:sJfWP9p1Lgzmbgye/

Score
10/10
zloaderpreffprefbotnetpersistencetrojan

Malware Config

Extracted

Family

zloader

Botnet

pref

Campaign

fpref

C2

http://penaz.info/gate.php

http://
advokat-hodonin.info/gate.php
Attributes
  • build_id

    7

rc4.plain

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Blocklisted process makes network request 47 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\023f1ef0cc2c1e055b05ae1ff5bcc6bf2421003dea227aeb6d70c8a525fa3b82.exe
    "C:\Users\Admin\AppData\Local\Temp\023f1ef0cc2c1e055b05ae1ff5bcc6bf2421003dea227aeb6d70c8a525fa3b82.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:864
    • C:\Windows\SysWOW64\msiexec.exe
      msiexec.exe
      2⤵
      • Adds Run key to start application
      • Blocklisted process makes network request
      • Suspicious use of AdjustPrivilegeToken
      PID:4336
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
    1⤵
      PID:2628
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k UnistackSvcGroup
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1656

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm
      Filesize

      16KB

      MD5

      c228ca3dafb1bf77b28cc1f095c02d11

      SHA1

      e50917ef6f7917986b25607e56f07b77bbcb2db4

      SHA256

      246d8d86cad33ccfac2848b9bbd40d19dd5b4300abefc5c5580b82a27b212d8f

      SHA512

      4c9cb111bb7e548277f4589dde28915a1fb7c14dd000eefdcbb46f8d28b77870a30c86d65103e9ec6c3ff3ddc4661ecd9522bf7a9b97b31030f8a5359bf5a089

      Download Submit

    • memory/864-0-0x0000000000770000-0x000000000079E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/864-1-0x0000000000400000-0x000000000069F000-memory.dmp

      Filesize

      2.6MB

      Download

    • memory/864-5-0x0000000000400000-0x000000000069F000-memory.dmp

      Filesize

      2.6MB

      Download

    • memory/864-7-0x0000000000400000-0x000000000069F000-memory.dmp

      Filesize

      2.6MB

      Download

    • memory/1656-48-0x0000028FE7D50000-0x0000028FE7D51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1656-52-0x0000028FE7D50000-0x0000028FE7D51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1656-11-0x0000028FDF640000-0x0000028FDF650000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1656-27-0x0000028FDF740000-0x0000028FDF750000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1656-43-0x0000028FE7D30000-0x0000028FE7D31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1656-44-0x0000028FE7D50000-0x0000028FE7D51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1656-45-0x0000028FE7D50000-0x0000028FE7D51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1656-46-0x0000028FE7D50000-0x0000028FE7D51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1656-47-0x0000028FE7D50000-0x0000028FE7D51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1656-79-0x0000028FE7BD0000-0x0000028FE7BD1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1656-49-0x0000028FE7D50000-0x0000028FE7D51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1656-50-0x0000028FE7D50000-0x0000028FE7D51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1656-51-0x0000028FE7D50000-0x0000028FE7D51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1656-78-0x0000028FE7AC0000-0x0000028FE7AC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1656-53-0x0000028FE7D50000-0x0000028FE7D51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1656-54-0x0000028FE7980000-0x0000028FE7981000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1656-55-0x0000028FE7970000-0x0000028FE7971000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1656-57-0x0000028FE7980000-0x0000028FE7981000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1656-60-0x0000028FE7970000-0x0000028FE7971000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1656-63-0x0000028FE78B0000-0x0000028FE78B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1656-77-0x0000028FE7AC0000-0x0000028FE7AC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1656-75-0x0000028FE7AB0000-0x0000028FE7AB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4336-6-0x0000000000F20000-0x0000000000F52000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4336-10-0x0000000000F20000-0x0000000000F52000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4336-8-0x0000000000F20000-0x0000000000F52000-memory.dmp

      Filesize

      200KB

      Download