zloader | deac9f705c6ddd2795f31b9d55ace3f3de1e20de314b0c20f1a2e90fdf259cb2

Analysis

Target

yfuvqe.dll
Size

389KB
MD5

93c0cd9a47c5c28335e773c1f451f200
SHA1

0c53b71e52a382f2a920df2d80048b01616c62c4
SHA256

deac9f705c6ddd2795f31b9d55ace3f3de1e20de314b0c20f1a2e90fdf259cb2
SHA512

cf6ae7d6b2ecbb3cbfbd99c067dd7b7b94572991aee00d00fb423acce9edd234a8662e00943873dcbf0931115871356ab57191f8be3b9041a779ce2b02a39223

Score

10^/10

Family

zloader

Botnet

mk1

Campaign

mac2

https://alesirovone.world/click.php

rc4.plain

rsa_pubkey.plain

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 276 created 1228	276	rundll32.exe	20

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 276 set thread context of 1388	276	rundll32.exe	27

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
276	rundll32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 276	1544	rundll32.exe	24
PID 1544 wrote to memory of 276	1544	rundll32.exe	24
PID 1544 wrote to memory of 276	1544	rundll32.exe	24
PID 1544 wrote to memory of 276	1544	rundll32.exe	24
PID 1544 wrote to memory of 276	1544	rundll32.exe	24
PID 1544 wrote to memory of 276	1544	rundll32.exe	24
PID 1544 wrote to memory of 276	1544	rundll32.exe	24
PID 276 wrote to memory of 1388	276	rundll32.exe	27
PID 276 wrote to memory of 1388	276	rundll32.exe	27
PID 276 wrote to memory of 1388	276	rundll32.exe	27
PID 276 wrote to memory of 1388	276	rundll32.exe	27
PID 276 wrote to memory of 1388	276	rundll32.exe	27
PID 276 wrote to memory of 1388	276	rundll32.exe	27
PID 276 wrote to memory of 1388	276	rundll32.exe	27
PID 276 wrote to memory of 1388	276	rundll32.exe	27
PID 276 wrote to memory of 1388	276	rundll32.exe	27

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1228
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\yfuvqe.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\yfuvqe.dll,#1
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:276
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1388

memory/1388-1-0x0000000000090000-0x00000000000BD000-memory.dmp

Filesize
180KB

Download
memory/1388-2-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1388-3-0x0000000000090000-0x00000000000BD000-memory.dmp

Filesize
180KB

Download