zloader | c12fdcad28de4408e7fd22c39ba6a1c6bc592fb1c1a61a83aaa59893c103c3f0

Resubmissions

07-01-2022 09:55

220107-lx6gsacba5 10

Analysis

max time kernel
43s
max time network
123s
platform
windows10_x64
resource
win10-en-20211208
submitted
07-01-2022 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

us.dll
Size

2.2MB
MD5

d2ab32cb696a12c4d3411d2712272d98
SHA1

fb2ba905ea5340fe06734924953a1333fae9385b
SHA256

c12fdcad28de4408e7fd22c39ba6a1c6bc592fb1c1a61a83aaa59893c103c3f0
SHA512

3027118fe1bdc127c44bf25b72dd076e850e81e96c92810ca46b8e80bd29223527ba8cbd71908e66cf0a72a55bfbf59934260f9442822b8e1de85844e66be856

Score

10^/10

zloader 9092us 9092us botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

9092us

Campaign

9092us

https://asdfghdsajkl.com/gate.php

https://lkjhgfgsdshja.com/gate.php

https://kjdhsasghjds.com/gate.php

https://kdjwhqejqwij.com/gate.php

https://iasudjghnasd.com/gate.php

https://daksjuggdhwa.com/gate.php

https://dkisuaggdjhna.com/gate.php

https://eiqwuggejqw.com/gate.php

https://dquggwjhdmq.com/gate.php

https://djshggadasj.com/gate.php

Attributes

build_id
157

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 3208 wrote to memory of 3512	3208	regsvr32.exe	regsvr32.exe
PID 3208 wrote to memory of 3512	3208	regsvr32.exe	regsvr32.exe
PID 3208 wrote to memory of 3512	3208	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\us.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3208

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\us.dll
2⤵
PID:3512

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
PID:3488

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3488-118-0x0000000000770000-0x0000000000796000-memory.dmp

Filesize
152KB

Download
memory/3488-119-0x0000000000000000-mapping.dmp

Download
memory/3488-120-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/3488-121-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/3488-122-0x0000000000770000-0x0000000000796000-memory.dmp

Filesize
152KB

Download
memory/3512-115-0x0000000000000000-mapping.dmp

Download
memory/3512-116-0x0000000000600000-0x000000000074A000-memory.dmp

Filesize
1.3MB

Download
memory/3512-117-0x0000000010000000-0x0000000010245000-memory.dmp

Filesize
2.3MB

Download