zloader | 89e7621123c613d82aadfe6defded7f2816a7add36a7ef1576c08206c84fc90d

Analysis

max time kernel
558s
max time network
564s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09-04-2024 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JoltBeacon.dll
Size

170KB
MD5

6a6c11510e1743835c938eb1135d5f8f
SHA1

cab05283c7458cb74499772525f1eeb174ae2daa
SHA256

89e7621123c613d82aadfe6defded7f2816a7add36a7ef1576c08206c84fc90d
SHA512

149c6f5bcf6b05c40e1c040d89586b6d992bbc7c3c23ca24292caa064531f373dee1243249f803fd20abfe53621ec7816d4fdb097cc2ee63bbca209cc993ccd5
SSDEEP

3072:WGDjIrSZFEhB2oMk3pXO+4ao8eB4JP5/xemoyUuziq7:WYj3KhWmODB4//xloyUuuq

Score

10^/10

zloader botnet trojan

Malware Config

Extracted

Family

zloader

https://arleprboacqyacbypwly.com/post.php

https://uhqokhlefrqyacgearbe.com/post.php

https://fcgtahlefrqyacgearbe.com/post.php

https://fcgtahlefrqyacgearby.com/post.php

https://arqjfrgtkcqtumbtfhbe.com/post.php

https://fclykcbjpmljawvjkrby.com/post.php

https://amgopmvyuwgyfhqypcvo.com/post.php

https://fwbeucbjkcqtumgypcvo.com/post.php

https://fwgjfwqoacqturljkrby.com/post.php

https://amltamvyurbjacgearby.com/post.php

https://amltamvyurbjacgyuhlo.com/post.php

https://fcltfrlyurbjacljkmvj.com/post.php

https://uhvouwvtkcqopcljkmvj.com/post.php

https://uhbykcgoahbjfhveawlo.com/post.php

https://fcqeuwvtkcvyfhveawlo.com/post.php

https://khbykhlyuwlepcljkrgy.com/post.php

https://fwgjfwqjurbjawboumvj.com/post.php

https://ucqeucgjurbjacgyuhlo.com/post.php

https://fwgjfwvtkwlephvyuhlo.com/post.php

https://uhbtfrlyurgopcljkmvj.com/post.php

Attributes

dga_date_gen
2024-04-09T00:00:00Z
time_seed
1.7126208e+09

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 36 IoCs

flow	pid	Process
3	624	msiexec.exe
22	624	msiexec.exe
30	624	msiexec.exe
63	624	msiexec.exe
66	624	msiexec.exe
68	624	msiexec.exe
70	624	msiexec.exe
72	624	msiexec.exe
74	624	msiexec.exe
76	624	msiexec.exe
78	624	msiexec.exe
80	624	msiexec.exe
82	624	msiexec.exe
84	624	msiexec.exe
86	624	msiexec.exe
88	624	msiexec.exe
90	624	msiexec.exe
92	624	msiexec.exe
94	624	msiexec.exe
96	624	msiexec.exe
98	624	msiexec.exe
100	624	msiexec.exe
101	624	msiexec.exe
103	624	msiexec.exe
105	624	msiexec.exe
107	624	msiexec.exe
109	624	msiexec.exe
111	624	msiexec.exe
113	624	msiexec.exe
115	624	msiexec.exe
117	624	msiexec.exe
119	624	msiexec.exe
121	624	msiexec.exe
123	624	msiexec.exe
125	624	msiexec.exe
159	624	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2084 set thread context of 624	2084	rundll32.exe	74

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 624	2084	rundll32.exe	74
PID 2084 wrote to memory of 624	2084	rundll32.exe	74

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\JoltBeacon.dll,#1
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\System32\msiexec.exe
  \??\C:\Windows\System32\msiexec.exe
  2⤵
  - Blocklisted process makes network request
  PID:624

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AJXYQO1G\post[1].php

Filesize
3B

MD5
8a80554c91d9fca8acb82f023de02f11

SHA1
5f36b2ea290645ee34d943220a14b54ee5ea5be5

SHA256
ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356

SHA512
ca4b6defb8adcc010050bc8b1bb8f8092c4928b8a0fba32146abcfb256e4d91672f88ca2cdf6210e754e5b8ac5e23fb023806ccd749ac8b701f79a691f03c87a

Download Submit
memory/624-9-0x00000209C79B0000-0x00000209C79F0000-memory.dmp

Filesize
256KB

Download
memory/624-13-0x00000209C79B0000-0x00000209C79F0000-memory.dmp

Filesize
256KB

Download
memory/624-18-0x00000209C9B80000-0x00000209C9D5B000-memory.dmp

Filesize
1.9MB

Download
memory/624-30-0x00000209C79B0000-0x00000209C79F0000-memory.dmp

Filesize
256KB

Download
memory/624-33-0x00000209C79B0000-0x00000209C79F0000-memory.dmp

Filesize
256KB

Download
memory/624-100-0x00000209C79B0000-0x00000209C79F0000-memory.dmp

Filesize
256KB

Download
memory/624-103-0x00000209C79B0000-0x00000209C79F0000-memory.dmp

Filesize
256KB

Download
memory/2084-0-0x00000176821F0000-0x00000176823CB000-memory.dmp

Filesize
1.9MB

Download