zloader | deac9f705c6ddd2795f31b9d55ace3f3de1e20de314b0c20f1a2e90fdf259cb2

General

Target

yfuvqe.dll
Size

389KB
MD5

93c0cd9a47c5c28335e773c1f451f200
SHA1

0c53b71e52a382f2a920df2d80048b01616c62c4
SHA256

deac9f705c6ddd2795f31b9d55ace3f3de1e20de314b0c20f1a2e90fdf259cb2
SHA512

cf6ae7d6b2ecbb3cbfbd99c067dd7b7b94572991aee00d00fb423acce9edd234a8662e00943873dcbf0931115871356ab57191f8be3b9041a779ce2b02a39223

Score

10^/10

Family

zloader

Botnet

mk1

Campaign

mac2

C2

https://alesirovone.world/click.php

rc4.plain

rsa_pubkey.plain

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 276 created 1228 276 rundll32.exe Explorer.EXE
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 276 set thread context of 1388 276 rundll32.exe msiexec.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

rundll32.exe

pid process

276 rundll32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

rundll32.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 276 rundll32.exe
Token: SeSecurityPrivilege 1388 msiexec.exe
Token: SeSecurityPrivilege 1388 msiexec.exe

description	pid	process	target process
PID 276 created 1228	276	rundll32.exe	Explorer.EXE

description	pid	process	target process
PID 276 set thread context of 1388	276	rundll32.exe	msiexec.exe

pid	process
276	rundll32.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1544 wrote to memory of 276	1544	rundll32.exe	rundll32.exe
PID 1544 wrote to memory of 276	1544	rundll32.exe	rundll32.exe
PID 1544 wrote to memory of 276	1544	rundll32.exe	rundll32.exe
PID 1544 wrote to memory of 276	1544	rundll32.exe	rundll32.exe
PID 1544 wrote to memory of 276	1544	rundll32.exe	rundll32.exe
PID 1544 wrote to memory of 276	1544	rundll32.exe	rundll32.exe
PID 1544 wrote to memory of 276	1544	rundll32.exe	rundll32.exe
PID 276 wrote to memory of 1388	276	rundll32.exe	msiexec.exe
PID 276 wrote to memory of 1388	276	rundll32.exe	msiexec.exe
PID 276 wrote to memory of 1388	276	rundll32.exe	msiexec.exe
PID 276 wrote to memory of 1388	276	rundll32.exe	msiexec.exe
PID 276 wrote to memory of 1388	276	rundll32.exe	msiexec.exe
PID 276 wrote to memory of 1388	276	rundll32.exe	msiexec.exe
PID 276 wrote to memory of 1388	276	rundll32.exe	msiexec.exe
PID 276 wrote to memory of 1388	276	rundll32.exe	msiexec.exe
PID 276 wrote to memory of 1388	276	rundll32.exe	msiexec.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1228
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\yfuvqe.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\yfuvqe.dll,#1
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:276
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1388

memory/276-0-0x0000000000000000-mapping.dmp

Download
memory/1388-1-0x0000000000090000-0x00000000000BD000-memory.dmp

Filesize
180KB

Download
memory/1388-2-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1388-3-0x0000000000090000-0x00000000000BD000-memory.dmp

Filesize
180KB

Download
memory/1388-4-0x0000000000000000-mapping.dmp

Download