zloader | 9ef6c5467fd80274e6a37e2883a5e83a894cf2148ce37bf0adb1e884acbc4c0b

Analysis

Target

2021-03-08-Spelevo-EK-payload-ZLoader-EXE.bin.dll
Size

292KB
MD5

a552a092b08cd01310b87ee994a21bc2
SHA1

8d9b3a09a70914a0a20f42a79474abba34737206
SHA256

9ef6c5467fd80274e6a37e2883a5e83a894cf2148ce37bf0adb1e884acbc4c0b
SHA512

fd504086bb67b7e9c6d492a3d4efa6ca56f91fd47df5b45c21451164825b6451b1d55392565c7aa47f7ed0c594ecdbc69a1753c595604118d4d9e3943af545d5

Score

10^/10

Family

zloader

Botnet

googleaktualizacija

Campaign

googleaktualizacija2

https://iqowijsdakm.com/gate.php

https://wiewjdmkfjn.com/gate.php

https://dksaoidiakjd.com/gate.php

https://iweuiqjdakjd.com/gate.php

https://yuidskadjna.com/gate.php

https://olksmadnbdj.com/gate.php

https://odsakmdfnbs.com/gate.php

https://odsakjmdnhsaj.com/gate.php

https://odjdnhsaj.com/gate.php

https://odoishsaj.com/gate.php

rc4.plain

rsa_pubkey.plain

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 4768 wrote to memory of 4872	4768	regsvr32.exe	regsvr32.exe
PID 4768 wrote to memory of 4872	4768	regsvr32.exe	regsvr32.exe
PID 4768 wrote to memory of 4872	4768	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2021-03-08-Spelevo-EK-payload-ZLoader-EXE.bin.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\2021-03-08-Spelevo-EK-payload-ZLoader-EXE.bin.dll
2⤵
PID:4872

memory/3176-5-0x0000000000000000-mapping.dmp

Download
memory/3176-6-0x0000000000640000-0x0000000000666000-memory.dmp

Filesize
152KB

Download
memory/4872-2-0x0000000000000000-mapping.dmp

Download
memory/4872-3-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/4872-4-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download