zloader | 97179aa99e2c4d95d226268057774f5431b0763497b7000fe683c91a70a61071

General

Target

74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe
Size

141KB
MD5

4414a7af27f8a26b48af7f3dd4259b40
SHA1

67f733252b3973d6b33594f6e9f6e107597ae23d
SHA256

97179aa99e2c4d95d226268057774f5431b0763497b7000fe683c91a70a61071
SHA512

f96bdefa6bd34f179a4d30a576f4bcb3c2d8368f12970d55850e16e3a1fe1f1cecd29cb3af7ae88d2f56cca74ae82fae2784ed6f41f18dc54b832191b312300e
SSDEEP

3072:OBq4SK7XybZIgipEGHwWVz/wQ+KFTRHrJUOBWokCs4:OBcgXy1TiuBuqKnHmOTs4

Score

10^/10

zloader r1 r1 botnet discovery trojan

Malware Config

Extracted

Family

zloader

Botnet

r1

Campaign

r1

C2

https://notsweets.net/LKhwojehDgwegSDG/gateJKjdsh.php

https://olpons.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://karamelliar.org/LKhwojehDgwegSDG/gateJKjdsh.php

https://dogrunn.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://azoraz.net/LKhwojehDgwegSDG/gateJKjdsh.php

Attributes

build_id
125

rc4.plain

1
e858071ef441a9a66f1a0506fc20b8c3

rsa_pubkey.plain

1
-----BEGIN PUBLIC KEY-----
2
MIGeMA0GCSqGSIb3DQEBAQUAA4GMADCBiAKBgHpFzCGFAP0unkZ2zHNtVYQsOAsR
3
e2ENNwJ8gkPfbj9t6WQ9dCAGalAGg7auX/u2ZhvlmUtM4o9cN5t5P6N3Lkcdpfs8
4
nutVvaHHDS2kfSMfNGBGCZyrKHW0prtiBPlCwM6Cis3KVTjp1MUcSAgKHsPbGeSX
5
pMsguw2fOZhNdlizAgMBAAE=
6
-----END PUBLIC KEY-----

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 900 created 1136	900	74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe	20

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 900 set thread context of 2640	900	74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
900	74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	900	74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe
Token: SeSecurityPrivilege	2640	msiexec.exe
Token: SeSecurityPrivilege	2640	msiexec.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 2640	900	74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe	30
PID 900 wrote to memory of 2640	900	74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe	30
PID 900 wrote to memory of 2640	900	74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe	30
PID 900 wrote to memory of 2640	900	74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe	30
PID 900 wrote to memory of 2640	900	74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe	30
PID 900 wrote to memory of 2640	900	74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe	30
PID 900 wrote to memory of 2640	900	74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe	30
PID 900 wrote to memory of 2640	900	74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe	30
PID 900 wrote to memory of 2640	900	74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1136
- C:\Users\Admin\AppData\Local\Temp\74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe
  "C:\Users\Admin\AppData\Local\Temp\74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:900
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2640

Network

DNS

notsweets.net

msiexec.exe

Remote address:

8.8.8.8:53

Request

notsweets.net

IN A

Response
DNS

olpons.com

msiexec.exe

Remote address:

8.8.8.8:53

Request

olpons.com

IN A

Response
DNS

karamelliar.org

msiexec.exe

Remote address:

8.8.8.8:53

Request

karamelliar.org

IN A

Response
DNS

dogrunn.com

msiexec.exe

Remote address:

8.8.8.8:53

Request

dogrunn.com

IN A

Response
DNS

azoraz.net

msiexec.exe

Remote address:

8.8.8.8:53

Request

azoraz.net

IN A

Response

No results found

8.8.8.8:53

notsweets.net

dns

msiexec.exe

59 B
132 B
1
1

DNS Request

notsweets.net
8.8.8.8:53

olpons.com

dns

msiexec.exe

56 B
129 B
1
1

DNS Request

olpons.com
8.8.8.8:53

karamelliar.org

dns

msiexec.exe

61 B
143 B
1
1

DNS Request

karamelliar.org
8.8.8.8:53

dogrunn.com

dns

msiexec.exe

57 B
130 B
1
1

DNS Request

dogrunn.com
8.8.8.8:53

azoraz.net

dns

msiexec.exe

56 B
129 B
1
1

DNS Request

azoraz.net

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\data.txt

Filesize
4B

MD5
f2dd0dedb2c260419ece4a9e03b2e828

SHA1
0aaf76f425c6e0f43a36197de768e67d9e035abb

SHA256
26b25d457597a7b0463f9620f666dd10aa2c4373a505967c7c8d70922a2d6ece

SHA512
fecd7b408089255b3467dc1f7231cc6388c9e1c65dcaa5e50f3b460235d18bc44033b08184018b65ac013fdae68c0088381644a6302b9d89e468f57ff9a005dd

Download Submit
memory/2640-90-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2640-89-0x00000000000D0000-0x00000000000F8000-memory.dmp

Filesize
160KB

Download
memory/2640-91-0x00000000000D0000-0x00000000000F8000-memory.dmp

Filesize
160KB

Download
memory/2640-95-0x00000000000D0000-0x00000000000F8000-memory.dmp

Filesize
160KB

Download
memory/2640-94-0x00000000000D0000-0x00000000000F8000-memory.dmp

Filesize
160KB

Download
memory/2640-93-0x00000000000D0000-0x00000000000F8000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.