zloader | a1297a535f5ac9ca22d8c1200098eb01e16860ef3c840457f98000ac6a5087cc

Target

ebook_29.10.20.exe
Size

310KB
MD5

cd1f5e41d727816c6ca5e6c073130df4
SHA1

5d9a72b2b721aa7834d3f3bb07225ce48d4bc3fb
SHA256

a1297a535f5ac9ca22d8c1200098eb01e16860ef3c840457f98000ac6a5087cc
SHA512

4f88ce58d61fa0eb4fc8ad2ce068a3044bcc7f205819cab5c39a998147f034869994c849ee022b487d3708d62167cc766d406e4310d301be1e51b1b1a7f3c588

Score

10^/10

Malware Config

Family

zloader

Botnet

Campaign

https://notsweets.net/LKhwojehDgwegSDG/gateJKjdsh.php

https://olpons.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://karamelliar.org/LKhwojehDgwegSDG/gateJKjdsh.php

https://dogrunn.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://azoraz.net/LKhwojehDgwegSDG/gateJKjdsh.php

rc4.plain

rsa_pubkey.plain

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

ebook_29.10.20.exe

description pid process target process

PID 292 created 1244 292 ebook_29.10.20.exe Explorer.EXE
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Suspicious use of SetThreadContext 1 IoCs

Processes:

ebook_29.10.20.exe

description pid process target process

PID 292 set thread context of 1376 292 ebook_29.10.20.exe msiexec.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

ebook_29.10.20.exe

pid process

292 ebook_29.10.20.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ebook_29.10.20.exe

description pid process

Token: SeDebugPrivilege 292 ebook_29.10.20.exe

description	pid	process	target process
PID 292 created 1244	292	ebook_29.10.20.exe	Explorer.EXE

description	pid	process	target process
PID 292 set thread context of 1376	292	ebook_29.10.20.exe	msiexec.exe

pid	process
292	ebook_29.10.20.exe

description	pid	process
Token: SeDebugPrivilege	292	ebook_29.10.20.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ebook_29.10.20.exe

description	pid	process	target process
PID 292 wrote to memory of 1376	292	ebook_29.10.20.exe	msiexec.exe
PID 292 wrote to memory of 1376	292	ebook_29.10.20.exe	msiexec.exe
PID 292 wrote to memory of 1376	292	ebook_29.10.20.exe	msiexec.exe
PID 292 wrote to memory of 1376	292	ebook_29.10.20.exe	msiexec.exe
PID 292 wrote to memory of 1376	292	ebook_29.10.20.exe	msiexec.exe
PID 292 wrote to memory of 1376	292	ebook_29.10.20.exe	msiexec.exe
PID 292 wrote to memory of 1376	292	ebook_29.10.20.exe	msiexec.exe
PID 292 wrote to memory of 1376	292	ebook_29.10.20.exe	msiexec.exe
PID 292 wrote to memory of 1376	292	ebook_29.10.20.exe	msiexec.exe

memory/292-1-0x0000000001F80000-0x0000000001F91000-memory.dmp

Filesize
68KB

Download
memory/292-2-0x0000000001F80000-0x0000000001F91000-memory.dmp

Filesize
68KB

Download
memory/1112-9-0x000007FEF6580000-0x000007FEF67FA000-memory.dmp

Filesize
2.5MB

Download
memory/1376-5-0x00000000000F0000-0x0000000000118000-memory.dmp

Filesize
160KB

Download
memory/1376-6-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1376-7-0x00000000000F0000-0x0000000000118000-memory.dmp

Filesize
160KB

Download
memory/1376-8-0x0000000000000000-mapping.dmp

Download