Analysis
-
max time kernel
83s -
max time network
145s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
19-05-2021 14:08
General
-
Target
ZLoader.dll
-
Size
400KB
-
MD5
3b77d25a150d4d455c47826189a067c4
-
SHA1
68e137be0f581effb9e2c88d99a66059cbd5ce3d
-
SHA256
28e2cca389fced68919126d4cd524d399c19da7930737c1297b71e23789f7f84
-
SHA512
854587bd6229e49e0882e3c2c4e3735ff822e035ec76daa1129fe82f19d05fa6cf6232b61d2636445423c9d9b57db327b72d1246a1ebb539f37d7d1f97f95d27
Score
10/10
Malware Config
Extracted
Family
zloader
Botnet
nut
Campaign
12/11
C2
https://tfbuildingjoinery.co.uk/robots.php
https://globalpacificproperties.com.au/terms.php
https://www.loonybinforum.com/errors.php
https://luminousintent.com.au/wp-smarts.php
https://espazioabierto.com/wp-smarts.php
https://racriporrosepo.tk/wp-smarts.php
rc4.plain
rsa_pubkey.plain
Signatures
-
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ZLoader.dll,#11⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ZLoader.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe1⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1828-64-0x0000000000000000-mapping.dmp
-
memory/1828-66-0x00000000000D0000-0x00000000000F6000-memory.dmpFilesize
152KB
-
memory/1964-60-0x0000000075D41000-0x0000000075D43000-memory.dmpFilesize
8KB
-
memory/1964-59-0x0000000000000000-mapping.dmp
-
memory/1964-62-0x0000000010000000-0x0000000010076000-memory.dmpFilesize
472KB
-
memory/1964-61-0x0000000010000000-0x0000000010026000-memory.dmpFilesize
152KB
-
memory/1964-63-0x00000000000C0000-0x00000000000C1000-memory.dmpFilesize
4KB