zloader | 89e7621123c613d82aadfe6defded7f2816a7add36a7ef1576c08206c84fc90d

Analysis

max time kernel
562s
max time network
569s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JoltBeacon.dll
Size

170KB
MD5

6a6c11510e1743835c938eb1135d5f8f
SHA1

cab05283c7458cb74499772525f1eeb174ae2daa
SHA256

89e7621123c613d82aadfe6defded7f2816a7add36a7ef1576c08206c84fc90d
SHA512

149c6f5bcf6b05c40e1c040d89586b6d992bbc7c3c23ca24292caa064531f373dee1243249f803fd20abfe53621ec7816d4fdb097cc2ee63bbca209cc993ccd5
SSDEEP

3072:WGDjIrSZFEhB2oMk3pXO+4ao8eB4JP5/xemoyUuziq7:WYj3KhWmODB4//xloyUuuq

Score

10^/10

zloader botnet trojan

Malware Config

Extracted

Family

zloader

https://arleprboacqyacbypwly.com/post.php

https://uhqokhlefrqyacgearbe.com/post.php

https://fcgtahlefrqyacgearbe.com/post.php

https://fcgtahlefrqyacgearby.com/post.php

https://arqjfrgtkcqtumbtfhbe.com/post.php

https://fclykcbjpmljawvjkrby.com/post.php

https://amgopmvyuwgyfhqypcvo.com/post.php

https://fwbeucbjkcqtumgypcvo.com/post.php

https://fwgjfwqoacqturljkrby.com/post.php

https://amltamvyurbjacgearby.com/post.php

https://amltamvyurbjacgyuhlo.com/post.php

https://fcltfrlyurbjacljkmvj.com/post.php

https://uhvouwvtkcqopcljkmvj.com/post.php

https://uhbykcgoahbjfhveawlo.com/post.php

https://fcqeuwvtkcvyfhveawlo.com/post.php

https://khbykhlyuwlepcljkrgy.com/post.php

https://fwgjfwqjurbjawboumvj.com/post.php

https://ucqeucgjurbjacgyuhlo.com/post.php

https://fwgjfwvtkwlephvyuhlo.com/post.php

https://uhbtfrlyurgopcljkmvj.com/post.php

Attributes

dga_date_gen
2024-04-09T00:00:00Z
time_seed
1.7126208e+09

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 36 IoCs

flow	pid	Process
26	3496	msiexec.exe
47	3496	msiexec.exe
50	3496	msiexec.exe
83	3496	msiexec.exe
85	3496	msiexec.exe
87	3496	msiexec.exe
89	3496	msiexec.exe
91	3496	msiexec.exe
93	3496	msiexec.exe
95	3496	msiexec.exe
97	3496	msiexec.exe
99	3496	msiexec.exe
101	3496	msiexec.exe
103	3496	msiexec.exe
105	3496	msiexec.exe
107	3496	msiexec.exe
109	3496	msiexec.exe
111	3496	msiexec.exe
113	3496	msiexec.exe
115	3496	msiexec.exe
117	3496	msiexec.exe
119	3496	msiexec.exe
120	3496	msiexec.exe
122	3496	msiexec.exe
124	3496	msiexec.exe
126	3496	msiexec.exe
128	3496	msiexec.exe
130	3496	msiexec.exe
132	3496	msiexec.exe
134	3496	msiexec.exe
136	3496	msiexec.exe
138	3496	msiexec.exe
140	3496	msiexec.exe
142	3496	msiexec.exe
173	3496	msiexec.exe
182	3496	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3924 set thread context of 3496	3924	rundll32.exe	95

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 3496	3924	rundll32.exe	95
PID 3924 wrote to memory of 3496	3924	rundll32.exe	95

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\JoltBeacon.dll,#1
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Windows\System32\msiexec.exe
  \??\C:\Windows\System32\msiexec.exe
  2⤵
  - Blocklisted process makes network request
  PID:3496

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3Z27RA7P\post[1].php

Filesize
3B

MD5
8a80554c91d9fca8acb82f023de02f11

SHA1
5f36b2ea290645ee34d943220a14b54ee5ea5be5

SHA256
ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356

SHA512
ca4b6defb8adcc010050bc8b1bb8f8092c4928b8a0fba32146abcfb256e4d91672f88ca2cdf6210e754e5b8ac5e23fb023806ccd749ac8b701f79a691f03c87a

Download Submit
memory/3496-10-0x00000264D3190000-0x00000264D31D0000-memory.dmp

Filesize
256KB

Download
memory/3496-12-0x00000264D3190000-0x00000264D31D0000-memory.dmp

Filesize
256KB

Download
memory/3496-17-0x00000264D5510000-0x00000264D5705000-memory.dmp

Filesize
2.0MB

Download
memory/3496-30-0x00000264D3190000-0x00000264D31D0000-memory.dmp

Filesize
256KB

Download
memory/3496-33-0x00000264D3190000-0x00000264D31D0000-memory.dmp

Filesize
256KB

Download
memory/3496-100-0x00000264D3190000-0x00000264D31D0000-memory.dmp

Filesize
256KB

Download
memory/3496-103-0x00000264D3190000-0x00000264D31D0000-memory.dmp

Filesize
256KB

Download
memory/3924-0-0x000001D6CD7A0000-0x000001D6CD995000-memory.dmp

Filesize
2.0MB

Download