zloader | ccf835fbf85c0d1f433e70bb96d1c87504a228b6ca3b973e240e35073d9d86a7

Analysis

max time kernel
29s
max time network
133s
platform
windows7_x64
resource
win7v20201028
submitted
10-11-2020 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccf835fbf85c0d1f433e70bb96d1c87504a228b6ca3b973e240e35073d9d86a7.bin.dll
Size

152KB
MD5

91a56986866c5991969d52932c655d8b
SHA1

dbe55a78b9fae7fe6441490a9e98a8b99bac68ee
SHA256

ccf835fbf85c0d1f433e70bb96d1c87504a228b6ca3b973e240e35073d9d86a7
SHA512

c5843d3f5e329a92dfeb4f53c8240ce443927e54670762fff22a2b428debbe47316a7da33b3b37b837aba14b881c2fbc718dab7536323308817d315953a94044

Score

10^/10

zloader googleaktualizacija googleaktualizacija1 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

googleaktualizacija

Campaign

googleaktualizacija1

https://iqowijsdakm.ru/gate.php

https://wiewjdmkfjn.ru/gate.php

https://dksaoidiakjd.su/gate.php

https://iweuiqjdakjd.su/gate.php

https://yuidskadjna.su/gate.php

https://olksmadnbdj.su/gate.php

https://odsakmdfnbs.com/gate.php

https://odsakjmdnhsaj.com/gate.php

https://odjdnhsaj.com/gate.php

https://odoishsaj.com/gate.php

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1056 wrote to memory of 1568	1056	rundll32.exe	rundll32.exe
PID 1056 wrote to memory of 1568	1056	rundll32.exe	rundll32.exe
PID 1056 wrote to memory of 1568	1056	rundll32.exe	rundll32.exe
PID 1056 wrote to memory of 1568	1056	rundll32.exe	rundll32.exe
PID 1056 wrote to memory of 1568	1056	rundll32.exe	rundll32.exe
PID 1056 wrote to memory of 1568	1056	rundll32.exe	rundll32.exe
PID 1056 wrote to memory of 1568	1056	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ccf835fbf85c0d1f433e70bb96d1c87504a228b6ca3b973e240e35073d9d86a7.bin.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ccf835fbf85c0d1f433e70bb96d1c87504a228b6ca3b973e240e35073d9d86a7.bin.dll,#1
2⤵
PID:1568

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1492-2-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1492-1-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/1492-3-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/1492-4-0x0000000000000000-mapping.dmp

Download
memory/1568-0-0x0000000000000000-mapping.dmp

Download