zloader | f00cb68eaca0ed077b858cb2211c72bd88c6e8c33c5ac395eca7af9811855dc2 | Triage

Resubmissions

04-12-2023 13:41

231204-qzbseabe79 10

04-12-2023 13:38

231204-qxf94sbd8s 10

31-10-2023 10:26

231031-mggn6ahc65 10

10-08-2023 17:11

230810-vqh8cahc9s 10

10-08-2023 16:29

230810-tze2lsfa39 10

14-12-2020 12:28

201214-tqnw85bqbe 10

Analysis

max time kernel
102s
max time network
14s
platform
windows7_x64
resource
win7v20201028
submitted
14-12-2020 12:28

Sharing

Report Analysis Logs

General

Target

a45285ccb16e3f56baf9d092245cf205.dll
Size

667KB
MD5

a45285ccb16e3f56baf9d092245cf205
SHA1

6b8a73888f211dc17e7ac7dd7e6952bd8bc94232
SHA256

f00cb68eaca0ed077b858cb2211c72bd88c6e8c33c5ac395eca7af9811855dc2
SHA512

c7ed9e2d37222820b8fdc4b8f00a72cf9cc5d7c83d12640b7f9dce68519cc90dd4eef64e0fd9494d0305a6871bae4f142289cf3d8c8e42d68123f068466e7c38

Score

10^/10

zloader dll26 dll26 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

dll26

Campaign

dll26

C2

https://eecakesconf.at/web982/gate.php

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 800 wrote to memory of 328	800	rundll32.exe	rundll32.exe
PID 800 wrote to memory of 328	800	rundll32.exe	rundll32.exe
PID 800 wrote to memory of 328	800	rundll32.exe	rundll32.exe
PID 800 wrote to memory of 328	800	rundll32.exe	rundll32.exe
PID 800 wrote to memory of 328	800	rundll32.exe	rundll32.exe
PID 800 wrote to memory of 328	800	rundll32.exe	rundll32.exe
PID 800 wrote to memory of 328	800	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a45285ccb16e3f56baf9d092245cf205.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:800

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a45285ccb16e3f56baf9d092245cf205.dll,#1
2⤵
PID:328

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
PID:1292

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/328-2-0x0000000000000000-mapping.dmp

Download
memory/1292-3-0x0000000000120000-0x0000000000146000-memory.dmp

Filesize
152KB

Download
memory/1292-4-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/1292-5-0x0000000000120000-0x0000000000146000-memory.dmp

Filesize
152KB

Download
memory/1292-6-0x0000000000000000-mapping.dmp

Download