zloader | cf8e50db2ca682dbc80110f394aa4bbd7b59a60ac6e981dcaab607d09b7f01e8

Analysis

Target

cf8e50db2ca682dbc80110f394aa4bbd7b59a60ac6e981dcaab607d09b7f01e8.dll
Size

183KB
MD5

d21ed162fd0252e22f31cf7a9cae5540
SHA1

abe719477bf2f69765f401b400759cb71117bff7
SHA256

cf8e50db2ca682dbc80110f394aa4bbd7b59a60ac6e981dcaab607d09b7f01e8
SHA512

8751aa81aa6d53ae9e2fc0424d957a39a365ccba0680e18f0702eab26e48e317a0ca35d61f49197f59c24cc00893d91e06e34568fb5454f80b9c94dd3bc10a68

Score

10^/10

Family

zloader

Botnet

07/04

https://xyajbocpggsr.site/wp-config.php

https://ooygvpxrb.pw/wp-config.php

rc4.plain

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 2276 set thread context of 2480 2276 regsvr32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 2480 msiexec.exe
Token: SeSecurityPrivilege 2480 msiexec.exe

description	pid	process	target process
PID 2276 set thread context of 2480	2276	regsvr32.exe	msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	2480	msiexec.exe
Token: SeSecurityPrivilege	2480	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1304 wrote to memory of 2276	1304	regsvr32.exe	regsvr32.exe
PID 1304 wrote to memory of 2276	1304	regsvr32.exe	regsvr32.exe
PID 1304 wrote to memory of 2276	1304	regsvr32.exe	regsvr32.exe
PID 2276 wrote to memory of 2480	2276	regsvr32.exe	msiexec.exe
PID 2276 wrote to memory of 2480	2276	regsvr32.exe	msiexec.exe
PID 2276 wrote to memory of 2480	2276	regsvr32.exe	msiexec.exe
PID 2276 wrote to memory of 2480	2276	regsvr32.exe	msiexec.exe
PID 2276 wrote to memory of 2480	2276	regsvr32.exe	msiexec.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\cf8e50db2ca682dbc80110f394aa4bbd7b59a60ac6e981dcaab607d09b7f01e8.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2480

memory/2276-0-0x0000000000000000-mapping.dmp

Download
memory/2480-1-0x0000000000450000-0x0000000000483000-memory.dmp

Filesize
204KB

Download
memory/2480-2-0x0000000000000000-mapping.dmp

Download