zloader | a240d581a1bf7b126aa030b1c796e013febb2145da16dd4d4842e5c3502943d7

General

Target

a240d581a1bf7b126aa030b1c796e013febb2145da16dd4d4842e5c3502943d7.dll
Size

529KB
MD5

ef0854d5e9d04be20e6676738096a021
SHA1

efa00fb74bd6f635cfd4400df3c56fa35caae10f
SHA256

a240d581a1bf7b126aa030b1c796e013febb2145da16dd4d4842e5c3502943d7
SHA512

fa16a0228ecbc26621a1cb0cc5177c39498083839d60e6aafbec184427a8fab87f031aa0187d4b9c42cef17ac6e9e7b4fb5c9103b75278cd6094b36d49afca20

Score

10^/10

zloader main 18.05.2020 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

main

Campaign

18.05.2020

C2

https://sigmark.org/sound.php

https://perditta.org/sound.php

https://dentatox.org/sound.php

https://flopperos.org/sound.php

https://teslatis.org/sound.php

https://teamper.org/sound.php

https://gilantec.org/sound.php

https://trebitmore.org/sound.php

Attributes

build_id
54

rc4.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 900 set thread context of 1808	900	rundll32.exe	30

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1808	msiexec.exe
Token: SeSecurityPrivilege	1808	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 900	1728	rundll32.exe	27
PID 1728 wrote to memory of 900	1728	rundll32.exe	27
PID 1728 wrote to memory of 900	1728	rundll32.exe	27
PID 1728 wrote to memory of 900	1728	rundll32.exe	27
PID 1728 wrote to memory of 900	1728	rundll32.exe	27
PID 1728 wrote to memory of 900	1728	rundll32.exe	27
PID 1728 wrote to memory of 900	1728	rundll32.exe	27
PID 900 wrote to memory of 1808	900	rundll32.exe	30
PID 900 wrote to memory of 1808	900	rundll32.exe	30
PID 900 wrote to memory of 1808	900	rundll32.exe	30
PID 900 wrote to memory of 1808	900	rundll32.exe	30
PID 900 wrote to memory of 1808	900	rundll32.exe	30
PID 900 wrote to memory of 1808	900	rundll32.exe	30
PID 900 wrote to memory of 1808	900	rundll32.exe	30
PID 900 wrote to memory of 1808	900	rundll32.exe	30
PID 900 wrote to memory of 1808	900	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a240d581a1bf7b126aa030b1c796e013febb2145da16dd4d4842e5c3502943d7.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a240d581a1bf7b126aa030b1c796e013febb2145da16dd4d4842e5c3502943d7.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1808

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/900-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/900-55-0x0000000000420000-0x0000000000455000-memory.dmp

Filesize
212KB

Download
memory/900-56-0x0000000000420000-0x0000000000455000-memory.dmp

Filesize
212KB

Download
memory/900-57-0x0000000000390000-0x00000000003C1000-memory.dmp

Filesize
196KB

Download
memory/900-58-0x0000000000420000-0x0000000000455000-memory.dmp

Filesize
212KB

Download
memory/1808-59-0x0000000000090000-0x00000000000C5000-memory.dmp

Filesize
212KB

Download
memory/1808-60-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1808-61-0x0000000000090000-0x00000000000C5000-memory.dmp

Filesize
212KB

Download
memory/1808-63-0x0000000000090000-0x00000000000C5000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing