zloader | 835048e00ba3babf6f920c9a4c2863865a5dcf8e0b6ede4f57c63aeb9cb5c147

Resubmissions

24-01-2024 08:44

240124-kne3ssecfm 10

24-01-2024 08:20

240124-j8dvssdgen 10

23-01-2024 11:38

240123-nryabshhbk 10

05-02-2022 13:33

220205-qtgrgabgg4 10

Analysis

max time kernel
986s
max time network
986s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
23-01-2024 11:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

835048e00ba3babf6f920c9a4c2863865a5dcf8e0b6ede4f57c63aeb9cb5c147.exe
Size

184KB
MD5

c844efe1b7e76cbdea36ce62ff788de9
SHA1

d8143cf09bff7b0ca2a0c777912746a5922104ee
SHA256

835048e00ba3babf6f920c9a4c2863865a5dcf8e0b6ede4f57c63aeb9cb5c147
SHA512

52b350965940c785c0a9f3991016ee14a303d49a4168bf5c008bbaafe301cd93e7201965ced9f1e8cdf5f31414c128fdc546461ff21af45c9ae17c3f462d4931
SSDEEP

3072:brenHphylBa5vbUVmpg+Rrf17JhNO429gs6F4FO7MvA+lVJeTf7ko2bCHkMwGAkI:UglEzu+pxJhNC9gsxFO7idlzaQo2bVlt

Score

10^/10

zloader telegramcrypt antiamsidoc botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

TelegramCrypt

Campaign

AntiAMSIdoc

http://wmwifbajxxbcxmucxmlc.com/post.php

http://pwkqhdgytsshkoibaake.com/post.php

http://snnmnkxdhflwgthqismb.com/post.php

http://iawfqecrwohcxnhwtofa.com/post.php

http://nlbmfsyplohyaicmxhum.com/post.php

http://fvqlkgedqjiqgapudkgq.com/post.php

http://cmmxhurildiigqghlryq.com/post.php

http://nmqsmbiabjdnuushksas.com/post.php

http://fyratyubvflktyyjiqgq.com/post.php

Attributes

build_id
115

rc4.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2368 set thread context of 2772	2368	835048e00ba3babf6f920c9a4c2863865a5dcf8e0b6ede4f57c63aeb9cb5c147.exe	28

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2772	msiexec.exe
Token: SeSecurityPrivilege	2772	msiexec.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2772	2368	835048e00ba3babf6f920c9a4c2863865a5dcf8e0b6ede4f57c63aeb9cb5c147.exe	28
PID 2368 wrote to memory of 2772	2368	835048e00ba3babf6f920c9a4c2863865a5dcf8e0b6ede4f57c63aeb9cb5c147.exe	28
PID 2368 wrote to memory of 2772	2368	835048e00ba3babf6f920c9a4c2863865a5dcf8e0b6ede4f57c63aeb9cb5c147.exe	28
PID 2368 wrote to memory of 2772	2368	835048e00ba3babf6f920c9a4c2863865a5dcf8e0b6ede4f57c63aeb9cb5c147.exe	28
PID 2368 wrote to memory of 2772	2368	835048e00ba3babf6f920c9a4c2863865a5dcf8e0b6ede4f57c63aeb9cb5c147.exe	28
PID 2368 wrote to memory of 2772	2368	835048e00ba3babf6f920c9a4c2863865a5dcf8e0b6ede4f57c63aeb9cb5c147.exe	28
PID 2368 wrote to memory of 2772	2368	835048e00ba3babf6f920c9a4c2863865a5dcf8e0b6ede4f57c63aeb9cb5c147.exe	28
PID 2368 wrote to memory of 2772	2368	835048e00ba3babf6f920c9a4c2863865a5dcf8e0b6ede4f57c63aeb9cb5c147.exe	28
PID 2368 wrote to memory of 2772	2368	835048e00ba3babf6f920c9a4c2863865a5dcf8e0b6ede4f57c63aeb9cb5c147.exe	28

C:\Users\Admin\AppData\Local\Temp\835048e00ba3babf6f920c9a4c2863865a5dcf8e0b6ede4f57c63aeb9cb5c147.exe
"C:\Users\Admin\AppData\Local\Temp\835048e00ba3babf6f920c9a4c2863865a5dcf8e0b6ede4f57c63aeb9cb5c147.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2772

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2772-0-0x0000000000090000-0x00000000000C4000-memory.dmp

Filesize
208KB

Download
memory/2772-1-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2772-2-0x0000000000090000-0x00000000000C4000-memory.dmp

Filesize
208KB

Download
memory/2772-4-0x0000000000090000-0x00000000000C4000-memory.dmp

Filesize
208KB

Download