zloader | 19614f57ed86b1305c8e00443ee49f751a62b19df9f1a72f326d939b0fd69e66

Resubmissions

08-12-2023 11:08

231208-m8mdqaba46 10

01-11-2020 09:14

201101-da931xqx5x 10

01-11-2020 08:59

201101-jwsyvmsbls 10

Analysis

max time kernel
1004s
max time network
1007s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
08-12-2023 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batman1.exe
Size

323KB
MD5

afdf2fbc0756ed304d1a33083a5f2b0f
SHA1

f3a25627f925390097a64a84ef34c952fe8af036
SHA256

a947c216ea52ce23457b3babb1e1eb6275cabe2150d3995553e4de4b8c3d97f4
SHA512

1c49e53b21c6cebc7a070667aaf05bc89e1a434270208fb61e54c8d74b8f4f3c70c021567d65e1ae024b16bdddb6f89989434075b9a422f2582d82c861b6ccf1
SSDEEP

6144:vG9T0nIO6C3XwbT5QOIJSeEY7EkvBeC1G:HIO6TTeO8Sw7Ekv8C

Score

10^/10

zloader telegramcrypt antiamsidoc botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

TelegramCrypt

Campaign

AntiAMSIdoc

http://wmwifbajxxbcxmucxmlc.com/post.php

http://pwkqhdgytsshkoibaake.com/post.php

http://snnmnkxdhflwgthqismb.com/post.php

http://iawfqecrwohcxnhwtofa.com/post.php

http://nlbmfsyplohyaicmxhum.com/post.php

http://fvqlkgedqjiqgapudkgq.com/post.php

http://cmmxhurildiigqghlryq.com/post.php

http://nmqsmbiabjdnuushksas.com/post.php

http://fyratyubvflktyyjiqgq.com/post.php

Attributes

build_id
115

rc4.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1972 set thread context of 3000	1972	batman1.exe	30

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3000	msiexec.exe
Token: SeSecurityPrivilege	3000	msiexec.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 3000	1972	batman1.exe	30
PID 1972 wrote to memory of 3000	1972	batman1.exe	30
PID 1972 wrote to memory of 3000	1972	batman1.exe	30
PID 1972 wrote to memory of 3000	1972	batman1.exe	30
PID 1972 wrote to memory of 3000	1972	batman1.exe	30
PID 1972 wrote to memory of 3000	1972	batman1.exe	30
PID 1972 wrote to memory of 3000	1972	batman1.exe	30
PID 1972 wrote to memory of 3000	1972	batman1.exe	30
PID 1972 wrote to memory of 3000	1972	batman1.exe	30

C:\Users\Admin\AppData\Local\Temp\batman1.exe
"C:\Users\Admin\AppData\Local\Temp\batman1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3000

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1972-1-0x0000000000690000-0x0000000000790000-memory.dmp

Filesize
1024KB

Download
memory/1972-3-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1972-2-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1972-6-0x0000000000690000-0x0000000000790000-memory.dmp

Filesize
1024KB

Download
memory/1972-12-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/3000-9-0x0000000000090000-0x00000000000C4000-memory.dmp

Filesize
208KB

Download
memory/3000-10-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/3000-11-0x0000000000090000-0x00000000000C4000-memory.dmp

Filesize
208KB

Download
memory/3000-14-0x0000000000090000-0x00000000000C4000-memory.dmp

Filesize
208KB

Download