zloader | 19614f57ed86b1305c8e00443ee49f751a62b19df9f1a72f326d939b0fd69e66

Resubmissions

08-12-2023 11:08

231208-m8mdqaba46 10

01-11-2020 09:14

201101-da931xqx5x 10

01-11-2020 08:59

201101-jwsyvmsbls 10

Analysis

max time kernel
1170s
max time network
1172s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2023 11:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

batman1.exe
Size

323KB
MD5

afdf2fbc0756ed304d1a33083a5f2b0f
SHA1

f3a25627f925390097a64a84ef34c952fe8af036
SHA256

a947c216ea52ce23457b3babb1e1eb6275cabe2150d3995553e4de4b8c3d97f4
SHA512

1c49e53b21c6cebc7a070667aaf05bc89e1a434270208fb61e54c8d74b8f4f3c70c021567d65e1ae024b16bdddb6f89989434075b9a422f2582d82c861b6ccf1
SSDEEP

6144:vG9T0nIO6C3XwbT5QOIJSeEY7EkvBeC1G:HIO6TTeO8Sw7Ekv8C

Score

10^/10

zloader telegramcrypt antiamsidoc botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

TelegramCrypt

Campaign

AntiAMSIdoc

http://wmwifbajxxbcxmucxmlc.com/post.php

http://pwkqhdgytsshkoibaake.com/post.php

http://snnmnkxdhflwgthqismb.com/post.php

http://iawfqecrwohcxnhwtofa.com/post.php

http://nlbmfsyplohyaicmxhum.com/post.php

http://fvqlkgedqjiqgapudkgq.com/post.php

http://cmmxhurildiigqghlryq.com/post.php

http://nmqsmbiabjdnuushksas.com/post.php

http://fyratyubvflktyyjiqgq.com/post.php

Attributes

build_id
115

rc4.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4880 set thread context of 4052	4880	batman1.exe	108

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3460	4880	WerFault.exe	14

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4052	msiexec.exe
Token: SeSecurityPrivilege	4052	msiexec.exe
Token: SeManageVolumePrivilege	4980	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 4052	4880	batman1.exe	108
PID 4880 wrote to memory of 4052	4880	batman1.exe	108
PID 4880 wrote to memory of 4052	4880	batman1.exe	108
PID 4880 wrote to memory of 4052	4880	batman1.exe	108
PID 4880 wrote to memory of 4052	4880	batman1.exe	108

C:\Users\Admin\AppData\Local\Temp\batman1.exe
"C:\Users\Admin\AppData\Local\Temp\batman1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 476
  2⤵
  - Program crash
  PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4880 -ip 4880
1⤵
PID:3964

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4052-9-0x0000000000320000-0x0000000000354000-memory.dmp

Filesize
208KB

Download
memory/4052-12-0x0000000000320000-0x0000000000354000-memory.dmp

Filesize
208KB

Download
memory/4880-10-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/4880-7-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/4880-8-0x00000000001C0000-0x00000000001EF000-memory.dmp

Filesize
188KB

Download
memory/4880-3-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/4880-1-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/4880-2-0x00000000001C0000-0x00000000001EF000-memory.dmp

Filesize
188KB

Download
memory/4980-47-0x0000017E9FBD0000-0x0000017E9FBD1000-memory.dmp

Filesize
4KB

Download
memory/4980-49-0x0000017E9FCE0000-0x0000017E9FCE1000-memory.dmp

Filesize
4KB

Download
memory/4980-48-0x0000017E9FBD0000-0x0000017E9FBD1000-memory.dmp

Filesize
4KB

Download
memory/4980-45-0x0000017E9FBA0000-0x0000017E9FBA1000-memory.dmp

Filesize
4KB

Download
memory/4980-29-0x0000017E97840000-0x0000017E97850000-memory.dmp

Filesize
64KB

Download
memory/4980-13-0x0000017E97740000-0x0000017E97750000-memory.dmp

Filesize
64KB

Download