zloader | 1e556f1e19659679408a52f59fce761ad304fecfd563566aa000bd70895ac20b | Triage

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7v20201028
submitted
04-03-2021 02:42

Sharing

Report Analysis Logs

General

Target

95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.dll
Size

260KB
MD5

9e9719483cc24dc0ab94b31f76981f42
SHA1

dad2cbcedfa94a2d2f0fde521d6f57a094d7c85b
SHA256

95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9
SHA512

83cff2d55df7d40aea1357515cc673792b367718e57624a2eedd531fd51c49ff165e5e69065efa09148d550644ea1106f54dea35aaadcebaa9ed911532c44309

Score

10^/10

zloader 25/03 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

25/03

C2

https://wgyvjbse.pw/milagrecf.php

https://botiq.xyz/milagrecf.php

rc4.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 616 set thread context of 532 616 regsvr32.exe msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1968 wrote to memory of 616	1968	regsvr32.exe	regsvr32.exe
PID 1968 wrote to memory of 616	1968	regsvr32.exe	regsvr32.exe
PID 1968 wrote to memory of 616	1968	regsvr32.exe	regsvr32.exe
PID 1968 wrote to memory of 616	1968	regsvr32.exe	regsvr32.exe
PID 1968 wrote to memory of 616	1968	regsvr32.exe	regsvr32.exe
PID 1968 wrote to memory of 616	1968	regsvr32.exe	regsvr32.exe
PID 1968 wrote to memory of 616	1968	regsvr32.exe	regsvr32.exe
PID 616 wrote to memory of 532	616	regsvr32.exe	msiexec.exe
PID 616 wrote to memory of 532	616	regsvr32.exe	msiexec.exe
PID 616 wrote to memory of 532	616	regsvr32.exe	msiexec.exe
PID 616 wrote to memory of 532	616	regsvr32.exe	msiexec.exe
PID 616 wrote to memory of 532	616	regsvr32.exe	msiexec.exe
PID 616 wrote to memory of 532	616	regsvr32.exe	msiexec.exe
PID 616 wrote to memory of 532	616	regsvr32.exe	msiexec.exe
PID 616 wrote to memory of 532	616	regsvr32.exe	msiexec.exe
PID 616 wrote to memory of 532	616	regsvr32.exe	msiexec.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.dll
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
PID:532

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/532-5-0x0000000000000000-mapping.dmp

Download
memory/532-7-0x00000000000D0000-0x00000000000FE000-memory.dmp

Filesize
184KB

Download
memory/616-3-0x0000000000000000-mapping.dmp

Download
memory/616-4-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/1968-2-0x000007FEFB831000-0x000007FEFB833000-memory.dmp

Filesize
8KB

Download