zloader | 314ac0158727ba0bed95d244200e569e5aa9528f4c567c1c2c5cfba542fe545c

Analysis

Target

2SoXN.dll
Size

666KB
MD5

dac52df1477fe8b567b656c1da2e876f
SHA1

4b020a24c3d68b21b586a531e04d558f04de4f52
SHA256

314ac0158727ba0bed95d244200e569e5aa9528f4c567c1c2c5cfba542fe545c
SHA512

fb36eb6c6327b8e51cb5230ab5206b2fb327ff440d3e9219535b75b39bd6d03871be7069960120238072a2b0c29ba5716ba8868d02a1fc85b0a62445454cc240

Score

10^/10

Family

zloader

Botnet

nut

Campaign

13/04

https://jiaayanu.com/post.php

https://investinszeklerland.eu/post.php

https://iqs-sac.com/post.php

https://jciems.in/post.php

https://jinnahofficersschool.com/post.php

https://kancagh.com/post.php

rc4.plain

rsa_pubkey.plain

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4656 wrote to memory of 4744	4656	rundll32.exe	rundll32.exe
PID 4656 wrote to memory of 4744	4656	rundll32.exe	rundll32.exe
PID 4656 wrote to memory of 4744	4656	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2SoXN.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2SoXN.dll,#1
  2⤵
  PID:4744

memory/4744-114-0x0000000000000000-mapping.dmp

Download
memory/4744-115-0x0000000073B90000-0x0000000073BBB000-memory.dmp

Filesize
172KB

Download
memory/4744-116-0x0000000073B90000-0x0000000073C58000-memory.dmp

Filesize
800KB

Download
memory/4744-117-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download