zloader | b270e245132cf6624fc96642532a00c0a16681f59542220ad2c389d45865141f

Target

b270e245132cf6624fc96642532a00c0a16681f59542220ad2c389d45865141f.dll
Size

298KB
MD5

a80859c1cd44daad1450948a1276bc0d
SHA1

46396892b9cafb2e59b8f667ec7822d0435384bb
SHA256

b270e245132cf6624fc96642532a00c0a16681f59542220ad2c389d45865141f
SHA512

ce68470318b8472b30aeee8778802ca4c9175f075a9c19c8332a08a6a8518a2f157a9e2ccaedba1d42f83f591d3c5f233ee1b8b8fbb90589aae82c9dea68352c

Score

10^/10

Malware Config

Family

zloader

Botnet

nut

Campaign

22/03

https://svilapp.svgipsar.org/post.php

https://nadar-gis.com/post.php

https://crearqarquitectos.com/post.php

https://crown-sign.com/post.php

https://dainikjahan.com/post.php

https://denatureedutech.com/post.php

https://alekllemtilaro.tk/post.php

rc4.plain

rsa_pubkey.plain

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blocklisted process makes network request 25 IoCs

Processes:

msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 812 set thread context of 1768 812 rundll32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 1768 msiexec.exe
Token: SeSecurityPrivilege 1768 msiexec.exe

description	pid	process	target process
PID 812 set thread context of 1768	812	rundll32.exe	msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	1768	msiexec.exe
Token: SeSecurityPrivilege	1768	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1620 wrote to memory of 812	1620	rundll32.exe	rundll32.exe
PID 1620 wrote to memory of 812	1620	rundll32.exe	rundll32.exe
PID 1620 wrote to memory of 812	1620	rundll32.exe	rundll32.exe
PID 1620 wrote to memory of 812	1620	rundll32.exe	rundll32.exe
PID 1620 wrote to memory of 812	1620	rundll32.exe	rundll32.exe
PID 1620 wrote to memory of 812	1620	rundll32.exe	rundll32.exe
PID 1620 wrote to memory of 812	1620	rundll32.exe	rundll32.exe
PID 812 wrote to memory of 1768	812	rundll32.exe	msiexec.exe
PID 812 wrote to memory of 1768	812	rundll32.exe	msiexec.exe
PID 812 wrote to memory of 1768	812	rundll32.exe	msiexec.exe
PID 812 wrote to memory of 1768	812	rundll32.exe	msiexec.exe
PID 812 wrote to memory of 1768	812	rundll32.exe	msiexec.exe
PID 812 wrote to memory of 1768	812	rundll32.exe	msiexec.exe
PID 812 wrote to memory of 1768	812	rundll32.exe	msiexec.exe
PID 812 wrote to memory of 1768	812	rundll32.exe	msiexec.exe
PID 812 wrote to memory of 1768	812	rundll32.exe	msiexec.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b270e245132cf6624fc96642532a00c0a16681f59542220ad2c389d45865141f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1620

memory/812-53-0x0000000000000000-mapping.dmp

Download
memory/812-54-0x0000000076B61000-0x0000000076B63000-memory.dmp

Filesize
8KB

Download
memory/812-55-0x00000000751F0000-0x000000007521B000-memory.dmp

Filesize
172KB

Download
memory/812-56-0x00000000751F0000-0x0000000075295000-memory.dmp

Filesize
660KB

Download
memory/812-57-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1768-59-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1768-58-0x0000000000090000-0x00000000000BB000-memory.dmp

Filesize
172KB

Download
memory/1768-60-0x0000000000090000-0x00000000000BB000-memory.dmp

Filesize
172KB

Download
memory/1768-61-0x0000000000000000-mapping.dmp

Download
memory/1768-63-0x0000000000090000-0x00000000000BB000-memory.dmp

Filesize
172KB

Download