zloader | cc87e6581ca91f941f65332b2de0e681d58491b54aff9d0b30afae828a5f5790

Resubmissions

17-11-2023 12:47

231117-p1nb6aad8x 10

05-02-2022 09:59

220205-lz81paaddn 10

Analysis

max time kernel
1129s
max time network
1135s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2023 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc87e6581ca91f941f65332b2de0e681d58491b54aff9d0b30afae828a5f5790.dll
Size

539KB
MD5

2169e871d4ca668d1872722d1a0695dc
SHA1

add2bbbac042c328ed71c9fd2efcb9cbce5a89f7
SHA256

cc87e6581ca91f941f65332b2de0e681d58491b54aff9d0b30afae828a5f5790
SHA512

fdb93959e88f9cf59be9c515127d02ec41b1370544c23a82b51a49f51b611231e91549a043d7796acef4e95539c75f8a95046b2b31ea0011104a2762b2504c64
SSDEEP

12288:2fgs/ArUlRabXDUMr6xziFHPSMI0VI/+m3Ian:2fZY2an/JzxOD4an

Score

10^/10

zloader apr14 spam botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

Apr14

Campaign

Spam

http://wmwifbajxxbcxmucxmlc.com/post.php

http://ojnxjgfjlftfkkuxxiqd.com/post.php

http://pwkqhdgytsshkoibaake.com/post.php

http://snnmnkxdhflwgthqismb.com/post.php

http://iawfqecrwohcxnhwtofa.com/post.php

http://nlbmfsyplohyaicmxhum.com/post.php

http://fvqlkgedqjiqgapudkgq.com/post.php

http://cmmxhurildiigqghlryq.com/post.php

http://nmqsmbiabjdnuushksas.com/post.php

http://fyratyubvflktyyjiqgq.com/post.php

Attributes

build_id
102

rc4.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 13 IoCs

flow	pid	Process
74	1936	msiexec.exe
75	1936	msiexec.exe
77	1936	msiexec.exe
84	1936	msiexec.exe
85	1936	msiexec.exe
108	1936	msiexec.exe
109	1936	msiexec.exe
112	1936	msiexec.exe
113	1936	msiexec.exe
135	1936	msiexec.exe
136	1936	msiexec.exe
140	1936	msiexec.exe
141	1936	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4360 set thread context of 1936	4360	rundll32.exe	104

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1936	msiexec.exe
Token: SeSecurityPrivilege	1936	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 4360	4320	rundll32.exe	84
PID 4320 wrote to memory of 4360	4320	rundll32.exe	84
PID 4320 wrote to memory of 4360	4320	rundll32.exe	84
PID 4360 wrote to memory of 1936	4360	rundll32.exe	104
PID 4360 wrote to memory of 1936	4360	rundll32.exe	104
PID 4360 wrote to memory of 1936	4360	rundll32.exe	104
PID 4360 wrote to memory of 1936	4360	rundll32.exe	104
PID 4360 wrote to memory of 1936	4360	rundll32.exe	104

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cc87e6581ca91f941f65332b2de0e681d58491b54aff9d0b30afae828a5f5790.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\cc87e6581ca91f941f65332b2de0e681d58491b54aff9d0b30afae828a5f5790.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4360
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
    PID:1936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5T0U3BIO\post[1].htm

Filesize
1KB

MD5
37883aa7c0d6e92c04a350d04ea33fda

SHA1
a3f52fc0e5e112190b2ff79528c3ff5bfd3d216b

SHA256
72eb0b7d8ddb3f5f391cef068fd50b63fc0288846c36427a23b4e93c8ed431dc

SHA512
b65bf9a2ab1c740b7ed76d7d39621917d36f8d4d9edf3166b76d326fe95b443f7a757c2c98b1988b9bac65f4f0f4f2fc4a47c35ee76702b147e1a279a66a164d

Download Submit
memory/1936-15-0x0000000000E00000-0x0000000000E34000-memory.dmp

Filesize
208KB

Download
memory/1936-18-0x0000000000E00000-0x0000000000E34000-memory.dmp

Filesize
208KB

Download
memory/4360-0-0x0000000075510000-0x00000000755B3000-memory.dmp

Filesize
652KB

Download
memory/4360-1-0x0000000075510000-0x00000000755B3000-memory.dmp

Filesize
652KB

Download
memory/4360-2-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4360-3-0x0000000075510000-0x00000000755B3000-memory.dmp

Filesize
652KB

Download
memory/4360-5-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4360-16-0x0000000075510000-0x00000000755B3000-memory.dmp

Filesize
652KB

Download