zloader | e5af4868fc46a5a675d9e93c4e45b9fef7043fe2263ad0bd9469082c00d74139

Analysis

Target

1391343.dll
Size

500KB
MD5

c91aa7c80fa2e6fbf094040caeabca14
SHA1

aaa87f6e2b6f923df5aa4b92ebe70bb744d1f311
SHA256

e5af4868fc46a5a675d9e93c4e45b9fef7043fe2263ad0bd9469082c00d74139
SHA512

10bef80585a6ca2cf32c3a526aeca4072d108c8c488a5b5e9744a487cdfc48a1f3ce5935e33f7ae5b0d961e2b291c0c79c882df3f1a64f54c4adb6d49b1e1ac1

Score

10^/10

Family

zloader

Botnet

googleaktualizacija

Campaign

googleaktualizacija2

https://iqowijsdakm.com/gate.php

https://wiewjdmkfjn.com/gate.php

https://dksaoidiakjd.com/gate.php

https://iweuiqjdakjd.com/gate.php

https://yuidskadjna.com/gate.php

https://olksmadnbdj.com/gate.php

https://odsakmdfnbs.com/gate.php

https://odsakjmdnhsaj.com/gate.php

https://odjdnhsaj.com/gate.php

https://odoishsaj.com/gate.php

rc4.plain

rsa_pubkey.plain

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1924 wrote to memory of 1200	1924	regsvr32.exe	regsvr32.exe
PID 1924 wrote to memory of 1200	1924	regsvr32.exe	regsvr32.exe
PID 1924 wrote to memory of 1200	1924	regsvr32.exe	regsvr32.exe
PID 1924 wrote to memory of 1200	1924	regsvr32.exe	regsvr32.exe
PID 1924 wrote to memory of 1200	1924	regsvr32.exe	regsvr32.exe
PID 1924 wrote to memory of 1200	1924	regsvr32.exe	regsvr32.exe
PID 1924 wrote to memory of 1200	1924	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1391343.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\1391343.dll
  2⤵
  PID:1200
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    PID:1100

memory/368-11-0x000007FEF6680000-0x000007FEF68FA000-memory.dmp

Filesize
2.5MB

Download
memory/1100-8-0x0000000000000000-mapping.dmp

Download
memory/1100-10-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/1200-3-0x0000000000000000-mapping.dmp

Download
memory/1200-4-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1200-5-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1200-6-0x0000000000431000-0x000000000044D000-memory.dmp

Filesize
112KB

Download
memory/1200-7-0x0000000000430000-0x00000000004C0000-memory.dmp

Filesize
576KB

Download
memory/1924-2-0x000007FEFC021000-0x000007FEFC023000-memory.dmp

Filesize
8KB

Download