zloader | 1b4e008beb2b395e53648c9a246ecafcb3df0543c5236a40cdb976a2007bbf97

Analysis

Target

SecuriteInfo.com.Trojan.Dridex.704.28108.28988.dll
Size

647KB
MD5

979310d723bfe499e26f9d1c773eb567
SHA1

4bbac2dc71b965de292f96cb1b711d7ae979f534
SHA256

1b4e008beb2b395e53648c9a246ecafcb3df0543c5236a40cdb976a2007bbf97
SHA512

864484d606a1332606ba33130099f5eaa26dc03979fe6857b588094295bbce3bf83905e6cc57221155d8fecafa63600ec4dd633af956e83272dc873ca55e02db

Score

10^/10

Family

zloader

Botnet

bot5

Campaign

bot5

https://militanttra.at/owg.php

rc4.plain

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1664 set thread context of 1304 1664 rundll32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 1304 msiexec.exe
Token: SeSecurityPrivilege 1304 msiexec.exe

description	pid	process	target process
PID 1664 set thread context of 1304	1664	rundll32.exe	msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	1304	msiexec.exe
Token: SeSecurityPrivilege	1304	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1764 wrote to memory of 1664	1764	rundll32.exe	rundll32.exe
PID 1764 wrote to memory of 1664	1764	rundll32.exe	rundll32.exe
PID 1764 wrote to memory of 1664	1764	rundll32.exe	rundll32.exe
PID 1764 wrote to memory of 1664	1764	rundll32.exe	rundll32.exe
PID 1764 wrote to memory of 1664	1764	rundll32.exe	rundll32.exe
PID 1764 wrote to memory of 1664	1764	rundll32.exe	rundll32.exe
PID 1764 wrote to memory of 1664	1764	rundll32.exe	rundll32.exe
PID 1664 wrote to memory of 1304	1664	rundll32.exe	msiexec.exe
PID 1664 wrote to memory of 1304	1664	rundll32.exe	msiexec.exe
PID 1664 wrote to memory of 1304	1664	rundll32.exe	msiexec.exe
PID 1664 wrote to memory of 1304	1664	rundll32.exe	msiexec.exe
PID 1664 wrote to memory of 1304	1664	rundll32.exe	msiexec.exe
PID 1664 wrote to memory of 1304	1664	rundll32.exe	msiexec.exe
PID 1664 wrote to memory of 1304	1664	rundll32.exe	msiexec.exe
PID 1664 wrote to memory of 1304	1664	rundll32.exe	msiexec.exe
PID 1664 wrote to memory of 1304	1664	rundll32.exe	msiexec.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Dridex.704.28108.28988.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1304

memory/1304-2-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1304-1-0x00000000000D0000-0x0000000000107000-memory.dmp

Filesize
220KB

Download
memory/1304-3-0x00000000000D0000-0x0000000000107000-memory.dmp

Filesize
220KB

Download
memory/1304-4-0x0000000000000000-mapping.dmp

Download
memory/1348-5-0x000007FEF7F80000-0x000007FEF81FA000-memory.dmp

Filesize
2.5MB

Download
memory/1664-0-0x0000000000000000-mapping.dmp

Download