zloader | 81ea4700e1743391fa6b56be2969c944c8451ec81215f7a0cbf88537e4108157

Resubmissions

08-12-2023 11:29

231208-nlsgwsbd65 10

08-12-2023 11:20

231208-nfveasbc54 10

31-10-2020 11:20

201031-z3tgqqzt76 10

Analysis

max time kernel
1157s
max time network
1162s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2023 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

spam20.dll
Size

358KB
MD5

6501006a6d47bc73976db9f3385c3c46
SHA1

53082a7fa62dc4fe54586df6a6e481fe8beca1aa
SHA256

c55e3938e9c2c9d00235d8ed87a55adc18fa1c6377a9ee0fd6212916c67d0020
SHA512

df63e60f12d153e16b78464162dbd5d052192a1e09814eb91e21d28256a652ae04eb7ccdaf4022c95c9779edfbe15df7a708717a1c247cfe2d16e8d9f911bf0c
SSDEEP

6144:091kAIgU+wK4UrePimd2jGZFakdU8fLx1tK7IwyBfb7T0Y:090gUQe6dUFHU8pi6xb7T

Score

10^/10

zloader crypto1 crypto botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

crypto1

Campaign

crypto

http://wmwifbajxxbcxmucxmlc.com/post.php

http://ojnxjgfjlftfkkuxxiqd.com/post.php

http://pwkqhdgytsshkoibaake.com/post.php

http://snnmnkxdhflwgthqismb.com/post.php

http://iawfqecrwohcxnhwtofa.com/post.php

http://nlbmfsyplohyaicmxhum.com/post.php

http://fvqlkgedqjiqgapudkgq.com/post.php

http://cmmxhurildiigqghlryq.com/post.php

http://nmqsmbiabjdnuushksas.com/post.php

http://fyratyubvflktyyjiqgq.com/post.php

Attributes

build_id
110

rc4.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4368 set thread context of 4052	4368	rundll32.exe	111

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4052	msiexec.exe
Token: SeSecurityPrivilege	4052	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 4368	3484	rundll32.exe	17
PID 3484 wrote to memory of 4368	3484	rundll32.exe	17
PID 3484 wrote to memory of 4368	3484	rundll32.exe	17
PID 4368 wrote to memory of 4052	4368	rundll32.exe	111
PID 4368 wrote to memory of 4052	4368	rundll32.exe	111
PID 4368 wrote to memory of 4052	4368	rundll32.exe	111
PID 4368 wrote to memory of 4052	4368	rundll32.exe	111
PID 4368 wrote to memory of 4052	4368	rundll32.exe	111

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\spam20.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\spam20.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4368
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4052-11-0x0000000000AA0000-0x0000000000AD4000-memory.dmp

Filesize
208KB

Download
memory/4052-14-0x0000000000AA0000-0x0000000000AD4000-memory.dmp

Filesize
208KB

Download
memory/4368-0-0x00000000743F0000-0x0000000075355000-memory.dmp

Filesize
15.4MB

Download
memory/4368-1-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/4368-2-0x00000000743F0000-0x0000000075355000-memory.dmp

Filesize
15.4MB

Download
memory/4368-12-0x00000000743F0000-0x0000000075355000-memory.dmp

Filesize
15.4MB

Download