zloader | 6fed2a5943e866a67e408a063589378ae4ce3aa2907cc58525a1b8f423284569

General

Target

6fed2a5943e866a67e408a063589378ae4ce3aa2907cc58525a1b8f423284569.dll
Size

589KB
MD5

b0754bbc9e7a8907d94dabd286aa8e30
SHA1

8eb9adde4c5f109f7c9a27285b5da091773ad4eb
SHA256

6fed2a5943e866a67e408a063589378ae4ce3aa2907cc58525a1b8f423284569
SHA512

cac6ebce443420cb81788f1c0888d89cc391fd82d070af69b192890ee93586d7f84eb450013a019ee85d13962d39bf302e4b9ad0901aba2a8963f9b546863f78

Score

10^/10

zloader main 28.05.2020 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

main

Campaign

28.05.2020

C2

https://pecketil.org/sound.php

https://weisnise.org/sound.php

https://erooneah.org/sound.php

https://semettyx.org/sound.php

https://dambalik.org/sound.php

https://twelicie.org/sound.php

https://reeution.org/sound.php

https://erreessi.org/sound.php

Attributes

build_id
55

rc4.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 948 set thread context of 1376	948	rundll32.exe	30

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1376	msiexec.exe
Token: SeSecurityPrivilege	1376	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 948	952	rundll32.exe	27
PID 952 wrote to memory of 948	952	rundll32.exe	27
PID 952 wrote to memory of 948	952	rundll32.exe	27
PID 952 wrote to memory of 948	952	rundll32.exe	27
PID 952 wrote to memory of 948	952	rundll32.exe	27
PID 952 wrote to memory of 948	952	rundll32.exe	27
PID 952 wrote to memory of 948	952	rundll32.exe	27
PID 948 wrote to memory of 1376	948	rundll32.exe	30
PID 948 wrote to memory of 1376	948	rundll32.exe	30
PID 948 wrote to memory of 1376	948	rundll32.exe	30
PID 948 wrote to memory of 1376	948	rundll32.exe	30
PID 948 wrote to memory of 1376	948	rundll32.exe	30
PID 948 wrote to memory of 1376	948	rundll32.exe	30
PID 948 wrote to memory of 1376	948	rundll32.exe	30
PID 948 wrote to memory of 1376	948	rundll32.exe	30
PID 948 wrote to memory of 1376	948	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6fed2a5943e866a67e408a063589378ae4ce3aa2907cc58525a1b8f423284569.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:952
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6fed2a5943e866a67e408a063589378ae4ce3aa2907cc58525a1b8f423284569.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1376

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/948-55-0x0000000076B81000-0x0000000076B83000-memory.dmp

Filesize
8KB

Download
memory/948-56-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/948-57-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/948-58-0x00000000003A0000-0x00000000003D1000-memory.dmp

Filesize
196KB

Download
memory/948-59-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/1376-60-0x0000000000090000-0x00000000000C5000-memory.dmp

Filesize
212KB

Download
memory/1376-61-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/1376-62-0x0000000000090000-0x00000000000C5000-memory.dmp

Filesize
212KB

Download
memory/1376-64-0x0000000000090000-0x00000000000C5000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing