zloader | e4d0a79d2463c5d3a71874e3389fa753f480b96639ad32baf1997baf8e5f714a

Resubmissions

23/03/2021, 23:39

210323-gwmsg5pk56 10

Analysis

max time kernel
1031s
max time network
1031s
platform
windows7_x64
resource
win7-20231201-en
resource tags

arch:x64arch:x86image:win7-20231201-enlocale:en-usos:windows7-x64system
submitted
08/12/2023, 10:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e4d0a79d2463c5d3a71874e3389fa753f480b96639ad32baf1997baf8e5f714a.dll
Size

187KB
MD5

6a900d6f8af3a1a0e31ca5bb63637d03
SHA1

221ab3d8ab16a0a7790026aab9b26904be6db436
SHA256

e4d0a79d2463c5d3a71874e3389fa753f480b96639ad32baf1997baf8e5f714a
SHA512

7565f88ae40d6ab1953fc018694154846f8ab98410239947ad5101686cbb9a59032858cb12218e89e27715d1d77a8b941141137886e241924a8f3801999661a8
SSDEEP

3072:O8mB2nsJqJ5HPF0ld+Y07jvOdhw1qw7Q6xqazzEuE5FHX4paSq0Dx1CP9MOoMuoq:OnidJ5t0l/+vOU7Q6xNzTE5FINRx1CPq

Score

10^/10

zloader apr14 spam botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

Apr14

Campaign

Spam

http://wmwifbajxxbcxmucxmlc.com/post.php

http://ojnxjgfjlftfkkuxxiqd.com/post.php

http://pwkqhdgytsshkoibaake.com/post.php

http://snnmnkxdhflwgthqismb.com/post.php

http://iawfqecrwohcxnhwtofa.com/post.php

http://nlbmfsyplohyaicmxhum.com/post.php

http://fvqlkgedqjiqgapudkgq.com/post.php

http://cmmxhurildiigqghlryq.com/post.php

http://nmqsmbiabjdnuushksas.com/post.php

http://fyratyubvflktyyjiqgq.com/post.php

Attributes

build_id
102

rc4.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2296 set thread context of 2128	2296	regsvr32.exe	29

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2128	msiexec.exe
Token: SeSecurityPrivilege	2128	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2296	2004	regsvr32.exe	28
PID 2004 wrote to memory of 2296	2004	regsvr32.exe	28
PID 2004 wrote to memory of 2296	2004	regsvr32.exe	28
PID 2004 wrote to memory of 2296	2004	regsvr32.exe	28
PID 2004 wrote to memory of 2296	2004	regsvr32.exe	28
PID 2004 wrote to memory of 2296	2004	regsvr32.exe	28
PID 2004 wrote to memory of 2296	2004	regsvr32.exe	28
PID 2296 wrote to memory of 2128	2296	regsvr32.exe	29
PID 2296 wrote to memory of 2128	2296	regsvr32.exe	29
PID 2296 wrote to memory of 2128	2296	regsvr32.exe	29
PID 2296 wrote to memory of 2128	2296	regsvr32.exe	29
PID 2296 wrote to memory of 2128	2296	regsvr32.exe	29
PID 2296 wrote to memory of 2128	2296	regsvr32.exe	29
PID 2296 wrote to memory of 2128	2296	regsvr32.exe	29
PID 2296 wrote to memory of 2128	2296	regsvr32.exe	29
PID 2296 wrote to memory of 2128	2296	regsvr32.exe	29

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e4d0a79d2463c5d3a71874e3389fa753f480b96639ad32baf1997baf8e5f714a.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\e4d0a79d2463c5d3a71874e3389fa753f480b96639ad32baf1997baf8e5f714a.dll
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2128

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2128-0-0x00000000000D0000-0x0000000000104000-memory.dmp

Filesize
208KB

Download
memory/2128-2-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2128-3-0x00000000000D0000-0x0000000000104000-memory.dmp

Filesize
208KB

Download
memory/2128-4-0x00000000000D0000-0x0000000000104000-memory.dmp

Filesize
208KB

Download
memory/2128-6-0x00000000000D0000-0x0000000000104000-memory.dmp

Filesize
208KB

Download
memory/2128-7-0x00000000000D0000-0x0000000000104000-memory.dmp

Filesize
208KB

Download