zloader | f0b6c677bac2de611e0866e849cebd64ec5454885fdd7be5bf0c1c5a17846e3a

Analysis

max time kernel
36s
max time network
140s
platform
windows7_x64
resource
win7-en-20211208
submitted
07-01-2022 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca.dll
Size

1.7MB
MD5

ca0376cce08c82a5d4c476c4922c4779
SHA1

99644ab0f8d4dde1eb11b7ff88ebd66b21d73f24
SHA256

f0b6c677bac2de611e0866e849cebd64ec5454885fdd7be5bf0c1c5a17846e3a
SHA512

80ad7465be9cfb1e9eabe46e7218c28ffdb71c75b055b9f196f33ac70c3ec80c1e4e9b9ada03d6e4b49415ad1dcea81b2b343df52851f0c2c528131725405813

Score

10^/10

zloader return return botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

return

Campaign

return

https://asdfghdsajkl.com/gate.php

https://lkjhgfgsdshja.com/gate.php

https://kjdhsasghjds.com/gate.php

https://kdjwhqejqwij.com/gate.php

https://iasudjghnasd.com/gate.php

https://daksjuggdhwa.com/gate.php

https://dkisuaggdjhna.com/gate.php

https://eiqwuggejqw.com/gate.php

https://dquggwjhdmq.com/gate.php

https://djshggadasj.com/gate.php

Attributes

build_id
157

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 1576	1512	rundll32.exe	27
PID 1512 wrote to memory of 1576	1512	rundll32.exe	27
PID 1512 wrote to memory of 1576	1512	rundll32.exe	27
PID 1512 wrote to memory of 1576	1512	rundll32.exe	27
PID 1512 wrote to memory of 1576	1512	rundll32.exe	27
PID 1512 wrote to memory of 1576	1512	rundll32.exe	27
PID 1512 wrote to memory of 1576	1512	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ca.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ca.dll,#1
  2⤵
  PID:1576
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    PID:320

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/320-59-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/320-58-0x00000000000D0000-0x00000000000F6000-memory.dmp

Filesize
152KB

Download
memory/320-60-0x00000000000D0000-0x00000000000F6000-memory.dmp

Filesize
152KB

Download
memory/320-63-0x00000000000D0000-0x00000000000F6000-memory.dmp

Filesize
152KB

Download
memory/1576-55-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1576-56-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1576-57-0x0000000010000000-0x00000000101C8000-memory.dmp

Filesize
1.8MB

Download