zloader | fedcab6903489dca264c60d5fe04df3946248818f74f7c802b119832e715a6a8

Analysis

max time kernel
58s
max time network
121s
platform
windows7_x64
resource
win7-en-20211208
submitted
11-01-2022 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

us.dll
Size

961KB
MD5

5d9f2380da3a12c2d16dc2dd5ad4d63d
SHA1

c76d2f11c160b78a353c6e54f7cff0c6e0413dff
SHA256

fedcab6903489dca264c60d5fe04df3946248818f74f7c802b119832e715a6a8
SHA512

81649d960f5f785d57876cbf98e45bbe9b6cee649c92868e56d883f89e19af41154b2587e7ebfccafbb10821065215315818da8947ca13d9cc622e77d823708f

Score

10^/10

zloader 9092us 9092us botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

9092us

Campaign

9092us

https://asdfghdsajkl.com/gate.php

https://lkjhgfgsdshja.com/gate.php

https://kjdhsasghjds.com/gate.php

https://kdjwhqejqwij.com/gate.php

https://iasudjghnasd.com/gate.php

https://daksjuggdhwa.com/gate.php

https://dkisuaggdjhna.com/gate.php

https://eiqwuggejqw.com/gate.php

https://dquggwjhdmq.com/gate.php

https://djshggadasj.com/gate.php

Attributes

build_id
157

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 1252	1304	regsvr32.exe	27
PID 1304 wrote to memory of 1252	1304	regsvr32.exe	27
PID 1304 wrote to memory of 1252	1304	regsvr32.exe	27
PID 1304 wrote to memory of 1252	1304	regsvr32.exe	27
PID 1304 wrote to memory of 1252	1304	regsvr32.exe	27
PID 1304 wrote to memory of 1252	1304	regsvr32.exe	27
PID 1304 wrote to memory of 1252	1304	regsvr32.exe	27

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\us.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\us.dll
  2⤵
  PID:1252
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    PID:1856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1252-57-0x0000000075F91000-0x0000000075F93000-memory.dmp

Filesize
8KB

Download
memory/1252-58-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1252-59-0x0000000010000000-0x0000000010112000-memory.dmp

Filesize
1.1MB

Download
memory/1304-55-0x000007FEFBD21000-0x000007FEFBD23000-memory.dmp

Filesize
8KB

Download
memory/1856-60-0x00000000000D0000-0x00000000000F6000-memory.dmp

Filesize
152KB

Download
memory/1856-61-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1856-62-0x00000000000D0000-0x00000000000F6000-memory.dmp

Filesize
152KB

Download
memory/1856-65-0x00000000000D0000-0x00000000000F6000-memory.dmp

Filesize
152KB

Download