zloader | 24c57cf9a9fd72827ced5f95796cf333089f076c660bf06b5e7d071a4d5fc102

Analysis

Target

c43c3c195e838ef81a36c1434fa7395c.dll
Size

952KB
MD5

c43c3c195e838ef81a36c1434fa7395c
SHA1

c9accdc1204579d13440df22e4892fcc2082dc7c
SHA256

24c57cf9a9fd72827ced5f95796cf333089f076c660bf06b5e7d071a4d5fc102
SHA512

5ec2613176ddf8ca9ae331823cb7b62d436ea007850e60a9aeeee0bf23c827a2e3c1eb422594bdd3ec4c86f7688d91f3e8a3c6b2435c46078069c53947a1739f

Score

10^/10

Family

zloader

Botnet

vasja

Campaign

vasja

https://iqowijsdakm.com/gate.php

https://wiewjdmkfjn.com/gate.php

https://dksaoidiakjd.com/gate.php

https://iweuiqjdakjd.com/gate.php

https://yuidskadjna.com/gate.php

https://olksmadnbdj.com/gate.php

https://odsakmdfnbs.com/gate.php

https://odsakjmdnhsaj.com/gate.php

https://odjdnhsaj.com/gate.php

https://odoishsaj.com/gate.php

rc4.plain

rsa_pubkey.plain

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 568 wrote to memory of 892	568	regsvr32.exe	regsvr32.exe
PID 568 wrote to memory of 892	568	regsvr32.exe	regsvr32.exe
PID 568 wrote to memory of 892	568	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c43c3c195e838ef81a36c1434fa7395c.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\c43c3c195e838ef81a36c1434fa7395c.dll
2⤵
PID:892

memory/892-114-0x0000000000000000-mapping.dmp

Download
memory/892-115-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/892-116-0x0000000010000000-0x0000000010155000-memory.dmp

Filesize
1.3MB

Download