zloader | deac9f705c6ddd2795f31b9d55ace3f3de1e20de314b0c20f1a2e90fdf259cb2

Analysis

Target

yfuvqe.dll
Size

389KB
MD5

93c0cd9a47c5c28335e773c1f451f200
SHA1

0c53b71e52a382f2a920df2d80048b01616c62c4
SHA256

deac9f705c6ddd2795f31b9d55ace3f3de1e20de314b0c20f1a2e90fdf259cb2
SHA512

cf6ae7d6b2ecbb3cbfbd99c067dd7b7b94572991aee00d00fb423acce9edd234a8662e00943873dcbf0931115871356ab57191f8be3b9041a779ce2b02a39223

Score

10^/10

Family

zloader

Botnet

mk1

Campaign

mac2

https://alesirovone.world/click.php

rc4.plain

rsa_pubkey.plain

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 724 created 3068 724 rundll32.exe Explorer.EXE
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 724 set thread context of 3556 724 rundll32.exe msiexec.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

724 rundll32.exe
724 rundll32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

rundll32.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 724 rundll32.exe
Token: SeSecurityPrivilege 3556 msiexec.exe
Token: SeSecurityPrivilege 3556 msiexec.exe

description	pid	process	target process
PID 724 created 3068	724	rundll32.exe	Explorer.EXE

description	pid	process	target process
PID 724 set thread context of 3556	724	rundll32.exe	msiexec.exe

pid	process
724	rundll32.exe
724	rundll32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 648 wrote to memory of 724	648	rundll32.exe	rundll32.exe
PID 648 wrote to memory of 724	648	rundll32.exe	rundll32.exe
PID 648 wrote to memory of 724	648	rundll32.exe	rundll32.exe
PID 724 wrote to memory of 3556	724	rundll32.exe	msiexec.exe
PID 724 wrote to memory of 3556	724	rundll32.exe	msiexec.exe
PID 724 wrote to memory of 3556	724	rundll32.exe	msiexec.exe
PID 724 wrote to memory of 3556	724	rundll32.exe	msiexec.exe
PID 724 wrote to memory of 3556	724	rundll32.exe	msiexec.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3068
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\yfuvqe.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\yfuvqe.dll,#1
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:724
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3556

memory/724-0-0x0000000000000000-mapping.dmp

Download
memory/3556-1-0x0000000000740000-0x000000000076D000-memory.dmp

Filesize
180KB

Download
memory/3556-2-0x0000000000000000-mapping.dmp

Download