zloader | 783dace9ccb4090a09e4f3a229eeeef14246709e25175b0ce0fe749cd736de55

Resubmissions

15-11-2023 15:23

231115-ssstfsbf48 10

26-10-2020 10:00

201026-ltfyhgt87a 10

26-10-2020 09:57

201026-g5lkjjzlws 10

25-10-2020 21:42

201025-xtgchbgbbn 1

Analysis

max time kernel
1103s
max time network
1106s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
15-11-2023 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9296a8ed1105c0e7908434a76681299.dll
Size

615KB
MD5

d9296a8ed1105c0e7908434a76681299
SHA1

593bd26bdc829c7633096d016012ceda1183d3f9
SHA256

783dace9ccb4090a09e4f3a229eeeef14246709e25175b0ce0fe749cd736de55
SHA512

18cdfff6d26cca2e09513def3800bab8046c1925ab4aff54cd18d6ea604f5f7315a833acbb7c51f9afdb7ebeca4ee6c9b79a0d315f8c23c12fbb4df83407c52d
SSDEEP

3072:eYkPy807G4DQRGSiZ+LwbUcsNTJiFJwjjeh2ULOgKNIfvqoaAU+/vQEPVxqMnJf6:APyH7l+4sdJeJoW4gO6qEvfdxqMZ

Score

10^/10

zloader spx138 spx138 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

spx138

Campaign

spx138

https://xeemoquo.top/treusparq.php

https://leeephee.top/treusparq.php

https://withifceale.top/treusparq.php

https://wpsnoum.pw/treusparq.php

https://wsaexdig.pw/treusparq.php

Attributes

build_id
10

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1764 set thread context of 2788	1764	rundll32.exe	31

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2788	msiexec.exe
Token: SeSecurityPrivilege	2788	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 1764	1896	rundll32.exe	28
PID 1896 wrote to memory of 1764	1896	rundll32.exe	28
PID 1896 wrote to memory of 1764	1896	rundll32.exe	28
PID 1896 wrote to memory of 1764	1896	rundll32.exe	28
PID 1896 wrote to memory of 1764	1896	rundll32.exe	28
PID 1896 wrote to memory of 1764	1896	rundll32.exe	28
PID 1896 wrote to memory of 1764	1896	rundll32.exe	28
PID 1764 wrote to memory of 2788	1764	rundll32.exe	31
PID 1764 wrote to memory of 2788	1764	rundll32.exe	31
PID 1764 wrote to memory of 2788	1764	rundll32.exe	31
PID 1764 wrote to memory of 2788	1764	rundll32.exe	31
PID 1764 wrote to memory of 2788	1764	rundll32.exe	31
PID 1764 wrote to memory of 2788	1764	rundll32.exe	31
PID 1764 wrote to memory of 2788	1764	rundll32.exe	31
PID 1764 wrote to memory of 2788	1764	rundll32.exe	31
PID 1764 wrote to memory of 2788	1764	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d9296a8ed1105c0e7908434a76681299.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d9296a8ed1105c0e7908434a76681299.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2788

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1764-1-0x0000000000750000-0x000000000077C000-memory.dmp

Filesize
176KB

Download
memory/1764-0-0x0000000000130000-0x0000000000159000-memory.dmp

Filesize
164KB

Download
memory/1764-6-0x0000000000750000-0x000000000077C000-memory.dmp

Filesize
176KB

Download
memory/2788-2-0x0000000000090000-0x00000000000BC000-memory.dmp

Filesize
176KB

Download
memory/2788-4-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2788-5-0x0000000000090000-0x00000000000BC000-memory.dmp

Filesize
176KB

Download
memory/2788-7-0x0000000000090000-0x00000000000BC000-memory.dmp

Filesize
176KB

Download
memory/2788-9-0x0000000000090000-0x00000000000BC000-memory.dmp

Filesize
176KB

Download
memory/2788-10-0x0000000000090000-0x00000000000BC000-memory.dmp

Filesize
176KB

Download
memory/2788-12-0x0000000000090000-0x00000000000BC000-memory.dmp

Filesize
176KB

Download