Overview

overview

10

Static

static

10

08751be484...2d.dll

windows7-x64

10

08751be484...2d.dll

windows10-2004-x64

10

0a9f79abd4...51.exe

windows7-x64

3

0a9f79abd4...51.exe

windows10-2004-x64

3

1.bin/1.exe

windows7-x64

10

1.bin/1.exe

windows10-2004-x64

10

2019-09-02...10.exe

windows7-x64

10

2019-09-02...10.exe

windows10-2004-x64

10

2b5e50bc30...ba.dll

windows7-x64

10

2b5e50bc30...ba.dll

windows10-2004-x64

10

2c01b00772...eb.exe

windows7-x64

10

2c01b00772...eb.exe

windows10-2004-x64

10

31.exe

windows7-x64

10

31.exe

windows10-2004-x64

10

3DMark 11 ...on.exe

windows7-x64

1

3DMark 11 ...on.exe

windows10-2004-x64

1

42f9729255...61.exe

windows7-x64

10

42f9729255...61.exe

windows10-2004-x64

10

42f9729255...1).exe

windows7-x64

10

42f9729255...1).exe

windows10-2004-x64

10

5da0116af4...18.exe

windows7-x64

7

5da0116af4...18.exe

windows10-2004-x64

7

69c56d12ed...6b.exe

windows7-x64

10

69c56d12ed...6b.exe

windows10-2004-x64

10

6a9e7107c9...91.exe

windows7-x64

10

6a9e7107c9...91.exe

windows10-2004-x64

10

905d572f23...50.exe

windows7-x64

10

905d572f23...50.exe

windows10-2004-x64

10

948340be97...54.exe

windows7-x64

10

948340be97...54.exe

windows10-2004-x64

10

95560f1a46...f9.dll

windows7-x64

1

95560f1a46...f9.dll

windows10-2004-x64

5

Resubmissions

03/07/2024, 16:04 UTC

240703-thygmaycpc 10

01/07/2024, 18:12 UTC

240701-ws6xvswbkj 10

01/07/2024, 18:03 UTC

240701-wm5sls1gka 10

01/07/2024, 18:03 UTC

240701-wm39sa1gjf 10

01/07/2024, 18:03 UTC

240701-wm2e7avhkj 10

01/07/2024, 18:03 UTC

240701-wmzxcs1fre 10

01/07/2024, 18:02 UTC

240701-wmzats1frc 10

01/07/2024, 18:02 UTC

240701-wmvbwa1fqh 10

22/11/2023, 17:02 UTC

231122-vkac9adg64 10

Analysis

  • max time kernel
    124s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/07/2024, 18:03 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll

  • Size

    144KB

  • MD5

    9e9bb42a965b89a9dce86c8b36b24799

  • SHA1

    e2d1161ac7fa3420648ba59f7a5315ed0acb04c2

  • SHA256

    08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d

  • SHA512

    e5ba20e364c96260c821bc61eab51906e2075aa0d3755ef25aabfc8f6f9545452930be42d978d96e3a68e2b92120df4940b276c9872ebf36fa50913523c51ce8

  • SSDEEP

    3072:ep1qwbk6Wbh/UR++pz1OBrNtZtHpspurmxwPtnneZY:epoP6WV/C116rNbtHpsYrmSP1neZY

Score
10/10
zloaderbotnetpersistencetrojan

Malware Config

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3972
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4888
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe
        3⤵
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        PID:908
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3740,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=3252 /prefetch:8
    1⤵
      PID:1392

    Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dnsgoogle
    • flag-us
      DNS
      58.55.71.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      58.55.71.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      44.56.20.217.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      44.56.20.217.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      73.31.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      73.31.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      217.106.137.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      217.106.137.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      86.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      86.23.85.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      171.39.242.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      171.39.242.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      13.227.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      13.227.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      101.210.23.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      101.210.23.2.in-addr.arpa
      IN PTR
      Response
      101.210.23.2.in-addr.arpa
      IN PTR
      a2-23-210-101deploystaticakamaitechnologiescom
    • flag-us
      DNS
      101.210.23.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      101.210.23.2.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      82.90.14.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      82.90.14.23.in-addr.arpa
      IN PTR
      Response
      82.90.14.23.in-addr.arpa
      IN PTR
      a23-14-90-82deploystaticakamaitechnologiescom
    No results found
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
       90 B
       1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      58.55.71.13.in-addr.arpa
      dns
      70 B
       144 B
       1
      1

      DNS Request

      58.55.71.13.in-addr.arpa

    • 8.8.8.8:53
      44.56.20.217.in-addr.arpa
      dns
      71 B
       131 B
       1
      1

      DNS Request

      44.56.20.217.in-addr.arpa

    • 8.8.8.8:53
      73.31.126.40.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      73.31.126.40.in-addr.arpa

    • 8.8.8.8:53
      217.106.137.52.in-addr.arpa
      dns
      73 B
       147 B
       1
      1

      DNS Request

      217.106.137.52.in-addr.arpa

    • 8.8.8.8:53
      86.23.85.13.in-addr.arpa
      dns
      70 B
       144 B
       1
      1

      DNS Request

      86.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      171.39.242.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      171.39.242.20.in-addr.arpa

    • 8.8.8.8:53
      13.227.111.52.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      13.227.111.52.in-addr.arpa

    • 8.8.8.8:53
      101.210.23.2.in-addr.arpa
      dns
      142 B
       135 B
       2
      1

      DNS Request

      101.210.23.2.in-addr.arpa

      DNS Request

      101.210.23.2.in-addr.arpa

    • 8.8.8.8:53
      82.90.14.23.in-addr.arpa
      dns
      70 B
       133 B
       1
      1

      DNS Request

      82.90.14.23.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/908-0-0x0000000000310000-0x0000000000335000-memory.dmp

      Filesize

      148KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.