zloader | 97179aa99e2c4d95d226268057774f5431b0763497b7000fe683c91a70a61071

General

Target

74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe
Size

141KB
MD5

4414a7af27f8a26b48af7f3dd4259b40
SHA1

67f733252b3973d6b33594f6e9f6e107597ae23d
SHA256

97179aa99e2c4d95d226268057774f5431b0763497b7000fe683c91a70a61071
SHA512

f96bdefa6bd34f179a4d30a576f4bcb3c2d8368f12970d55850e16e3a1fe1f1cecd29cb3af7ae88d2f56cca74ae82fae2784ed6f41f18dc54b832191b312300e
SSDEEP

3072:OBq4SK7XybZIgipEGHwWVz/wQ+KFTRHrJUOBWokCs4:OBcgXy1TiuBuqKnHmOTs4

Score

10^/10

zloader r1 r1 botnet discovery trojan

Malware Config

Extracted

Family

zloader

Botnet

r1

Campaign

r1

C2

https://notsweets.net/LKhwojehDgwegSDG/gateJKjdsh.php

https://olpons.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://karamelliar.org/LKhwojehDgwegSDG/gateJKjdsh.php

https://dogrunn.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://azoraz.net/LKhwojehDgwegSDG/gateJKjdsh.php

Attributes

build_id
125

rc4.plain

rsa_pubkey.plain

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe

description pid process target process

PID 900 created 1136 900 74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe Explorer.EXE
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

description	pid	process	target process
PID 900 created 1136	900	74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

Processes:

74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe

description	pid	process	target process
PID 900 set thread context of 2640	900	74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exemsiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe

pid process

900 74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe

pid	process
900	74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	900	74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe
Token: SeSecurityPrivilege	2640	msiexec.exe
Token: SeSecurityPrivilege	2640	msiexec.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe

description	pid	process	target process
PID 900 wrote to memory of 2640	900	74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe	msiexec.exe
PID 900 wrote to memory of 2640	900	74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe	msiexec.exe
PID 900 wrote to memory of 2640	900	74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe	msiexec.exe
PID 900 wrote to memory of 2640	900	74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe	msiexec.exe
PID 900 wrote to memory of 2640	900	74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe	msiexec.exe
PID 900 wrote to memory of 2640	900	74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe	msiexec.exe
PID 900 wrote to memory of 2640	900	74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe	msiexec.exe
PID 900 wrote to memory of 2640	900	74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe	msiexec.exe
PID 900 wrote to memory of 2640	900	74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe	msiexec.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1136
- C:\Users\Admin\AppData\Local\Temp\74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe
  "C:\Users\Admin\AppData\Local\Temp\74c8670a8285e6783e6a5c44b43b7399078c36bd80a386f00f810da0e6a45533_dump.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:900
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\data.txt

Filesize
4B

MD5
f2dd0dedb2c260419ece4a9e03b2e828

SHA1
0aaf76f425c6e0f43a36197de768e67d9e035abb

SHA256
26b25d457597a7b0463f9620f666dd10aa2c4373a505967c7c8d70922a2d6ece

SHA512
fecd7b408089255b3467dc1f7231cc6388c9e1c65dcaa5e50f3b460235d18bc44033b08184018b65ac013fdae68c0088381644a6302b9d89e468f57ff9a005dd

Download Submit
memory/2640-90-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2640-89-0x00000000000D0000-0x00000000000F8000-memory.dmp

Filesize
160KB

Download
memory/2640-91-0x00000000000D0000-0x00000000000F8000-memory.dmp

Filesize
160KB

Download
memory/2640-95-0x00000000000D0000-0x00000000000F8000-memory.dmp

Filesize
160KB

Download
memory/2640-94-0x00000000000D0000-0x00000000000F8000-memory.dmp

Filesize
160KB

Download
memory/2640-93-0x00000000000D0000-0x00000000000F8000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads