zloader | a97b7b2353dc9012b6cb914f6665d0e93f557859411d2e08b942316c09d7b07f

Resubmissions

24-01-2024 07:29

240124-jbnczachd9 10

23-01-2024 11:54

240123-n2wjgsafc6 10

26-06-2020 08:43

200626-953qfplyej 10

Analysis

max time kernel
1170s
max time network
1171s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2024 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xiynk.dll
Size

356KB
MD5

e83a8a849188b48e79a6f49dd0c7ae91
SHA1

55a1669550d823104e1452f0e6a0a94c3f7fae12
SHA256

a97b7b2353dc9012b6cb914f6665d0e93f557859411d2e08b942316c09d7b07f
SHA512

b035faff865f72977879322f9d1c08c6f87c96a8805db76a0e5ae4b6118f2b075e58bb1cc6a9cee8ce1c51763301443bab40970ad1f072a1763d7d7727e477f4
SSDEEP

6144:IOA9EZXHHOsAFPtetI7AW7JOpoTIXbv6M19HBqxJPVZ5IebbnB:9A9EZZAFPtkI751OnrRbOJ1P

Score

10^/10

zloader june25 june botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

june25

Campaign

june

http://snnmnkxdhflwgthqismb.com/web/post.php

http://nlbmfsyplohyaicmxhum.com/web/post.php

http://softwareserviceupdater1.com/web/post.php

http://softwareserviceupdater2.com/web/post.php

Attributes

build_id
9

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4548 set thread context of 4080	4548	regsvr32.exe	96

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4080	msiexec.exe
Token: SeSecurityPrivilege	4080	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 4548	4112	regsvr32.exe	84
PID 4112 wrote to memory of 4548	4112	regsvr32.exe	84
PID 4112 wrote to memory of 4548	4112	regsvr32.exe	84
PID 4548 wrote to memory of 4080	4548	regsvr32.exe	96
PID 4548 wrote to memory of 4080	4548	regsvr32.exe	96
PID 4548 wrote to memory of 4080	4548	regsvr32.exe	96
PID 4548 wrote to memory of 4080	4548	regsvr32.exe	96
PID 4548 wrote to memory of 4080	4548	regsvr32.exe	96

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\xiynk.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\xiynk.dll
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4080

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4080-9-0x0000000000630000-0x000000000065B000-memory.dmp

Filesize
172KB

Download
memory/4080-12-0x0000000000630000-0x000000000065B000-memory.dmp

Filesize
172KB

Download
memory/4548-0-0x0000000010000000-0x0000000010159000-memory.dmp

Filesize
1.3MB

Download
memory/4548-1-0x0000000010000000-0x0000000010159000-memory.dmp

Filesize
1.3MB

Download
memory/4548-2-0x0000000010000000-0x0000000010159000-memory.dmp

Filesize
1.3MB

Download
memory/4548-3-0x0000000010000000-0x0000000010159000-memory.dmp

Filesize
1.3MB

Download
memory/4548-5-0x0000000001330000-0x0000000001331000-memory.dmp

Filesize
4KB

Download
memory/4548-4-0x0000000010000000-0x0000000010159000-memory.dmp

Filesize
1.3MB

Download
memory/4548-10-0x0000000010000000-0x0000000010159000-memory.dmp

Filesize
1.3MB

Download