zloader | e4d0a79d2463c5d3a71874e3389fa753f480b96639ad32baf1997baf8e5f714a

Resubmissions

23/03/2021, 23:39

210323-gwmsg5pk56 10

Analysis

max time kernel
1160s
max time network
1164s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
08/12/2023, 10:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e4d0a79d2463c5d3a71874e3389fa753f480b96639ad32baf1997baf8e5f714a.dll
Size

187KB
MD5

6a900d6f8af3a1a0e31ca5bb63637d03
SHA1

221ab3d8ab16a0a7790026aab9b26904be6db436
SHA256

e4d0a79d2463c5d3a71874e3389fa753f480b96639ad32baf1997baf8e5f714a
SHA512

7565f88ae40d6ab1953fc018694154846f8ab98410239947ad5101686cbb9a59032858cb12218e89e27715d1d77a8b941141137886e241924a8f3801999661a8
SSDEEP

3072:O8mB2nsJqJ5HPF0ld+Y07jvOdhw1qw7Q6xqazzEuE5FHX4paSq0Dx1CP9MOoMuoq:OnidJ5t0l/+vOU7Q6xNzTE5FINRx1CPq

Score

10^/10

zloader apr14 spam botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

Apr14

Campaign

Spam

http://wmwifbajxxbcxmucxmlc.com/post.php

http://ojnxjgfjlftfkkuxxiqd.com/post.php

http://pwkqhdgytsshkoibaake.com/post.php

http://snnmnkxdhflwgthqismb.com/post.php

http://iawfqecrwohcxnhwtofa.com/post.php

http://nlbmfsyplohyaicmxhum.com/post.php

http://fvqlkgedqjiqgapudkgq.com/post.php

http://cmmxhurildiigqghlryq.com/post.php

http://nmqsmbiabjdnuushksas.com/post.php

http://fyratyubvflktyyjiqgq.com/post.php

Attributes

build_id
102

rc4.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3436 set thread context of 1996	3436	regsvr32.exe	104

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1996	msiexec.exe
Token: SeSecurityPrivilege	1996	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 3436	2072	regsvr32.exe	86
PID 2072 wrote to memory of 3436	2072	regsvr32.exe	86
PID 2072 wrote to memory of 3436	2072	regsvr32.exe	86
PID 3436 wrote to memory of 1996	3436	regsvr32.exe	104
PID 3436 wrote to memory of 1996	3436	regsvr32.exe	104
PID 3436 wrote to memory of 1996	3436	regsvr32.exe	104
PID 3436 wrote to memory of 1996	3436	regsvr32.exe	104
PID 3436 wrote to memory of 1996	3436	regsvr32.exe	104

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e4d0a79d2463c5d3a71874e3389fa753f480b96639ad32baf1997baf8e5f714a.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\e4d0a79d2463c5d3a71874e3389fa753f480b96639ad32baf1997baf8e5f714a.dll
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1996-0-0x0000000000EE0000-0x0000000000F14000-memory.dmp

Filesize
208KB

Download
memory/1996-2-0x0000000000EE0000-0x0000000000F14000-memory.dmp

Filesize
208KB

Download