zloader | bc8dc839be99fa4411ee9b7fb8e042095a324d0d1400ca1545924894ec143ec5 | Triage

Analysis

max time kernel
101s
max time network
120s
platform
windows7_x64
resource
win7
submitted
27-10-2020 06:33

Sharing

Report Analysis Logs

General

Target

ggf.dll
Size

667KB
MD5

3f4b7d537973a560df0898d821697f85
SHA1

a811b3af1cd710cb175e27faf97a66cf51ec18af
SHA256

bc8dc839be99fa4411ee9b7fb8e042095a324d0d1400ca1545924894ec143ec5
SHA512

e65a94d4b4a18ac4ac2fe722e2d6098f9b78b0d9b4f702977e2baff823f7c6b4c4a536de18c635d25662ae768efbee90b659073262196d36add52a5dec9ea498

Score

10^/10

trojan botnet zloader

Malware Config

Extracted

Family

zloader

Botnet

dll26

Campaign

dll26

C2

https://eecakesconf.at/web982/gate.php

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1084 wrote to memory of 1844	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 1844	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 1844	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 1844	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 1844	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 1844	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 1844	1084	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ggf.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ggf.dll,#1
2⤵
PID:1844

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1596-2-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1596-1-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/1596-3-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/1596-4-0x0000000000000000-mapping.dmp

Download
memory/1844-0-0x0000000000000000-mapping.dmp

Download