Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-03-2024 10:24

General

  • Target

    Device/HarddiskVolume7/imaginaryC2-master/examples/use-case-9-zloader/zloader-imaginary-c2/server_da.dll

  • Size

    838KB

  • MD5

    57138593c18492f813e426719ebed2e8

  • SHA1

    7d44bd7d83dace54b68f93ef16b7a70173dc9ccf

  • SHA256

    d0226de456f5fb75ae7588d57bb9368848aa01afae86893d6da2b95098080c97

  • SHA512

    57097f8dea1681713ebe983f2e1829ea21536c1bb867865b65ce8497fca67ca89ae148f0a77bdd9c5622b60b29344a83bfea9b09cbf388336c764840b5e32daa

  • SSDEEP

    6144:oxG3wZYnmy+9Mw6PeJ/Oubatb6pf4Pbjmr9UnbNzLLxsw:NwZYn72hSS9gbNzLLOw

Malware Config

Extracted

Family

zloader

Botnet

main

Campaign

26.04.2020

C2

https://coult.org/sound.php

https://chorbly.org/sound.php

https://kodray.org/sound.php

https://retualeigh.com/sound.php

https://grually.com/sound.php

https://footmess.com/sound.php

https://rarigussa.com/sound.php

https://pacallse.com/sound.php

Attributes
  • build_id

    47

rc4.plain

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Blocklisted process makes network request 6 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume7\imaginaryC2-master\examples\use-case-9-zloader\zloader-imaginary-c2\server_da.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3924
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume7\imaginaryC2-master\examples\use-case-9-zloader\zloader-imaginary-c2\server_da.dll,#1
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3796
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe
        3⤵
        • Adds Run key to start application
        • Blocklisted process makes network request
        • Suspicious use of AdjustPrivilegeToken
        PID:4948

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3796-0-0x0000000002180000-0x00000000021D1000-memory.dmp

    Filesize

    324KB

  • memory/3796-1-0x0000000010000000-0x00000000100DA000-memory.dmp

    Filesize

    872KB

  • memory/3796-9-0x0000000010000000-0x00000000100DA000-memory.dmp

    Filesize

    872KB

  • memory/4948-8-0x0000000000B40000-0x0000000000B74000-memory.dmp

    Filesize

    208KB

  • memory/4948-10-0x0000000000B40000-0x0000000000B74000-memory.dmp

    Filesize

    208KB

  • memory/4948-12-0x0000000000B40000-0x0000000000B74000-memory.dmp

    Filesize

    208KB