zloader | aa8fc19f16e4e185f6464d2e18ec7731c235d2b0d364f76965cf5967d5eef613

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
13/03/2025, 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

isen.dll.bin.dll
Size

491KB
MD5

b57e40b039858fd23e0f25a03db376ad
SHA1

7f3cf3274cbf83233aeda6074362216b91d34cbd
SHA256

aa8fc19f16e4e185f6464d2e18ec7731c235d2b0d364f76965cf5967d5eef613
SHA512

d1b64eec36780e56f3fdf57be8c2c24f08554eba8ffb29c38959d4064cd1e24c04183d71cb820d29a21efa37ade67c723b5c0137e0ca134c9e6c3f7861a9753f
SSDEEP

12288:uDKxKMk8PhMNo+e8kGOK9ab4ozUWdBENcYcj6D9r6W3FaOi:uDjMk8ZMNYnGOSSjgW41QEv1aO

Score

10^/10

zloader june08 june botnet discovery trojan

Malware Config

Extracted

Family

zloader

Botnet

June08

Campaign

June

http://snnmnkxdhflwgthqismb.com/post.php

http://nlbmfsyplohyaicmxhum.com/post.php

Attributes

build_id
149

rc4.plain

rsa_pubkey.plain

Signatures

Zloader family
zloader
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1832 set thread context of 2816	1832	rundll32.exe	32

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2816	msiexec.exe
Token: SeSecurityPrivilege	2816	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 1832	2416	rundll32.exe	30
PID 2416 wrote to memory of 1832	2416	rundll32.exe	30
PID 2416 wrote to memory of 1832	2416	rundll32.exe	30
PID 2416 wrote to memory of 1832	2416	rundll32.exe	30
PID 2416 wrote to memory of 1832	2416	rundll32.exe	30
PID 2416 wrote to memory of 1832	2416	rundll32.exe	30
PID 2416 wrote to memory of 1832	2416	rundll32.exe	30
PID 1832 wrote to memory of 2816	1832	rundll32.exe	32
PID 1832 wrote to memory of 2816	1832	rundll32.exe	32
PID 1832 wrote to memory of 2816	1832	rundll32.exe	32
PID 1832 wrote to memory of 2816	1832	rundll32.exe	32
PID 1832 wrote to memory of 2816	1832	rundll32.exe	32
PID 1832 wrote to memory of 2816	1832	rundll32.exe	32
PID 1832 wrote to memory of 2816	1832	rundll32.exe	32
PID 1832 wrote to memory of 2816	1832	rundll32.exe	32
PID 1832 wrote to memory of 2816	1832	rundll32.exe	32

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\isen.dll.bin.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\isen.dll.bin.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1832-0-0x0000000074F3F000-0x0000000074F42000-memory.dmp

Filesize
12KB

Download
memory/1832-2-0x0000000074EF0000-0x0000000074F71000-memory.dmp

Filesize
516KB

Download
memory/1832-1-0x0000000074EF0000-0x0000000074F71000-memory.dmp

Filesize
516KB

Download
memory/1832-3-0x0000000074EF0000-0x0000000074F71000-memory.dmp

Filesize
516KB

Download
memory/1832-4-0x0000000074F3F000-0x0000000074F42000-memory.dmp

Filesize
12KB

Download
memory/1832-11-0x0000000074EF0000-0x0000000074F71000-memory.dmp

Filesize
516KB

Download
memory/2816-6-0x0000000000090000-0x00000000000BB000-memory.dmp

Filesize
172KB

Download
memory/2816-8-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2816-9-0x0000000000090000-0x00000000000BB000-memory.dmp

Filesize
172KB

Download
memory/2816-12-0x0000000074DD0000-0x0000000074FE8000-memory.dmp

Filesize
2.1MB

Download
memory/2816-14-0x0000000000090000-0x00000000000BB000-memory.dmp

Filesize
172KB

Download
memory/2816-15-0x0000000074DD0000-0x0000000074FE8000-memory.dmp

Filesize
2.1MB

Download