zloader | 9f654fe304bd80d1114c515362319c59bc569a54cb445aacdf47672d56815da1

Analysis

Target

File2.exe
Size

210KB
MD5

12368655038e920cb2ada7d34fac40dd
SHA1

fca002da98c91b019a3fab4639a4b6e4d0de43d7
SHA256

9f654fe304bd80d1114c515362319c59bc569a54cb445aacdf47672d56815da1
SHA512

caa8e284640c31ad4c7b86945a71ad46aa2eb8bb7e47358b67b5fa575cac2894ad5d8d41e26a7782d7e080d8126c2c377e7bcc8e3ff2f5785c9c60119c519d0e

Score

10^/10

Family

zloader

Botnet

Campaign

https://freebreez.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://makaronz.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://ricklick.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://litlblockblack.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://vaktorianpackif.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://hbamefphmqsdgkqojgwe.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://hoxfqvlgoabyfspvjimc.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://yrsfuaegsevyffrfsgpj.com/LKhwojehDgwegSDG/gateJKjdsh.php

rc4.plain

rsa_pubkey.plain

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3816 created 3016	3816	File2.exe	56

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3816 set thread context of 3936	3816	File2.exe	75

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3816	File2.exe
3816	File2.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3816 wrote to memory of 3936	3816	File2.exe	75
PID 3816 wrote to memory of 3936	3816	File2.exe	75
PID 3816 wrote to memory of 3936	3816	File2.exe	75
PID 3816 wrote to memory of 3936	3816	File2.exe	75
PID 3816 wrote to memory of 3936	3816	File2.exe	75

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3016
- C:\Users\Admin\AppData\Local\Temp\File2.exe
  "C:\Users\Admin\AppData\Local\Temp\File2.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3816
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3936

memory/3816-0-0x0000000000B26000-0x0000000000B27000-memory.dmp

Filesize
4KB

Download
memory/3816-1-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/3936-3-0x0000000000FA0000-0x0000000000FCD000-memory.dmp

Filesize
180KB

Download