zloader | 3b4b2c5c8a00fab59684fee37b54912c58682022e2dc4e3dcd24b6e58533ecd9

Resubmissions

08-12-2023 09:45

231208-lrje3aad83 10

05-02-2022 16:42

220205-t7syfadda8 10

Analysis

max time kernel
1161s
max time network
1166s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2023 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b4b2c5c8a00fab59684fee37b54912c58682022e2dc4e3dcd24b6e58533ecd9.dll
Size

421KB
MD5

061506b2a0a26fbd20dba69a1105e1b7
SHA1

a4f4bc27be3da2b85a06883615bb96b8a2a79ebb
SHA256

3b4b2c5c8a00fab59684fee37b54912c58682022e2dc4e3dcd24b6e58533ecd9
SHA512

4426c072cb52f2e4ce35ca88c4f20304145d017b5e95f2d35aa68216691b6abde99b6941e1067e50b77342300dea329cb0facbc5ab391272ced658dcf5ee2be9
SSDEEP

6144:tZXN7S2y8WA3gha780p2F2V6voOy5Gn7n0O8N5WYeXmseY1rmWd2KWJ:tjS2yhA30a78rQqIN5te20qWd2KWJ

Score

10^/10

zloader april23fixed april23fixed botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

April23Fixed

Campaign

April23Fixed

http://wmwifbajxxbcxmucxmlc.com/post.php

http://onfovdaqqrwbvdfoqnof.com/post.php

http://cmmxhurildiigqghlryq.com/post.php

http://nmqsmbiabjdnuushksas.com/post.php

http://fvqlkgedqjiqgapudkgq.com/post.php

http://iawfqecrwohcxnhwtofa.com/post.php

http://nlbmfsyplohyaicmxhum.com/post.php

http://snnmnkxdhflwgthqismb.com/post.php

Attributes

build_id
120

rc4.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1936 set thread context of 3936	1936	rundll32.exe	109

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3936	msiexec.exe
Token: SeSecurityPrivilege	3936	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4360 wrote to memory of 1936	4360	rundll32.exe	86
PID 4360 wrote to memory of 1936	4360	rundll32.exe	86
PID 4360 wrote to memory of 1936	4360	rundll32.exe	86
PID 1936 wrote to memory of 3936	1936	rundll32.exe	109
PID 1936 wrote to memory of 3936	1936	rundll32.exe	109
PID 1936 wrote to memory of 3936	1936	rundll32.exe	109
PID 1936 wrote to memory of 3936	1936	rundll32.exe	109
PID 1936 wrote to memory of 3936	1936	rundll32.exe	109

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b4b2c5c8a00fab59684fee37b54912c58682022e2dc4e3dcd24b6e58533ecd9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4360
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b4b2c5c8a00fab59684fee37b54912c58682022e2dc4e3dcd24b6e58533ecd9.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1936-1-0x0000000074300000-0x000000007527D000-memory.dmp

Filesize
15.5MB

Download
memory/1936-0-0x0000000074300000-0x000000007527D000-memory.dmp

Filesize
15.5MB

Download
memory/1936-2-0x00000000013C0000-0x00000000013C1000-memory.dmp

Filesize
4KB

Download
memory/1936-3-0x0000000074300000-0x000000007527D000-memory.dmp

Filesize
15.5MB

Download
memory/1936-12-0x0000000074300000-0x000000007527D000-memory.dmp

Filesize
15.5MB

Download
memory/3936-11-0x0000000000540000-0x0000000000574000-memory.dmp

Filesize
208KB

Download
memory/3936-14-0x0000000000540000-0x0000000000574000-memory.dmp

Filesize
208KB

Download