zloader | 81ea4700e1743391fa6b56be2969c944c8451ec81215f7a0cbf88537e4108157

Resubmissions

08/12/2023, 11:29

231208-nlsgwsbd65 10

08/12/2023, 11:20

231208-nfveasbc54 10

31/10/2020, 11:20

201031-z3tgqqzt76 10

Analysis

max time kernel
1074s
max time network
1076s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
08/12/2023, 11:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

spam20.dll
Size

358KB
MD5

6501006a6d47bc73976db9f3385c3c46
SHA1

53082a7fa62dc4fe54586df6a6e481fe8beca1aa
SHA256

c55e3938e9c2c9d00235d8ed87a55adc18fa1c6377a9ee0fd6212916c67d0020
SHA512

df63e60f12d153e16b78464162dbd5d052192a1e09814eb91e21d28256a652ae04eb7ccdaf4022c95c9779edfbe15df7a708717a1c247cfe2d16e8d9f911bf0c
SSDEEP

6144:091kAIgU+wK4UrePimd2jGZFakdU8fLx1tK7IwyBfb7T0Y:090gUQe6dUFHU8pi6xb7T

Score

10^/10

zloader crypto1 crypto botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

crypto1

Campaign

crypto

http://wmwifbajxxbcxmucxmlc.com/post.php

http://ojnxjgfjlftfkkuxxiqd.com/post.php

http://pwkqhdgytsshkoibaake.com/post.php

http://snnmnkxdhflwgthqismb.com/post.php

http://iawfqecrwohcxnhwtofa.com/post.php

http://nlbmfsyplohyaicmxhum.com/post.php

http://fvqlkgedqjiqgapudkgq.com/post.php

http://cmmxhurildiigqghlryq.com/post.php

http://nmqsmbiabjdnuushksas.com/post.php

http://fyratyubvflktyyjiqgq.com/post.php

Attributes

build_id
110

rc4.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1112 set thread context of 2680	1112	rundll32.exe	31

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2680	msiexec.exe
Token: SeSecurityPrivilege	2680	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1112	2016	rundll32.exe	28
PID 2016 wrote to memory of 1112	2016	rundll32.exe	28
PID 2016 wrote to memory of 1112	2016	rundll32.exe	28
PID 2016 wrote to memory of 1112	2016	rundll32.exe	28
PID 2016 wrote to memory of 1112	2016	rundll32.exe	28
PID 2016 wrote to memory of 1112	2016	rundll32.exe	28
PID 2016 wrote to memory of 1112	2016	rundll32.exe	28
PID 1112 wrote to memory of 2680	1112	rundll32.exe	31
PID 1112 wrote to memory of 2680	1112	rundll32.exe	31
PID 1112 wrote to memory of 2680	1112	rundll32.exe	31
PID 1112 wrote to memory of 2680	1112	rundll32.exe	31
PID 1112 wrote to memory of 2680	1112	rundll32.exe	31
PID 1112 wrote to memory of 2680	1112	rundll32.exe	31
PID 1112 wrote to memory of 2680	1112	rundll32.exe	31
PID 1112 wrote to memory of 2680	1112	rundll32.exe	31
PID 1112 wrote to memory of 2680	1112	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\spam20.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\spam20.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2680

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1112-1-0x0000000074040000-0x0000000074FA5000-memory.dmp

Filesize
15.4MB

Download
memory/1112-0-0x0000000074040000-0x0000000074FA5000-memory.dmp

Filesize
15.4MB

Download
memory/1112-2-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1112-3-0x0000000074040000-0x0000000074FA5000-memory.dmp

Filesize
15.4MB

Download
memory/1112-15-0x0000000074040000-0x0000000074FA5000-memory.dmp

Filesize
15.4MB

Download
memory/2680-10-0x0000000000090000-0x00000000000C4000-memory.dmp

Filesize
208KB

Download
memory/2680-12-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2680-14-0x0000000000090000-0x00000000000C4000-memory.dmp

Filesize
208KB

Download
memory/2680-16-0x0000000000090000-0x00000000000C4000-memory.dmp

Filesize
208KB

Download
memory/2680-18-0x0000000000090000-0x00000000000C4000-memory.dmp

Filesize
208KB

Download
memory/2680-19-0x0000000000090000-0x00000000000C4000-memory.dmp

Filesize
208KB

Download