zloader | 90c0857b9095a1a1f51d94fdbf915e33aee78d510ef0e8674d233fc1223149d7

Analysis

max time kernel
155s
max time network
156s
platform
windows7_x64
resource
win7-en-20211208
submitted
01-02-2022 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90c0857b9095a1a1f51d94fdbf915e33aee78d510ef0e8674d233fc1223149d7.dll
Size

809KB
MD5

eeb55d19351258f514e47c03bc30be67
SHA1

64c076da46b169c13d1e933f5f420856fe2072dc
SHA256

90c0857b9095a1a1f51d94fdbf915e33aee78d510ef0e8674d233fc1223149d7
SHA512

6816c30f0338b14fff22ecc064a3e795136cf93c0afeace84a81fa68ff30996a60ff7fa670ad80ab8270b282e00e9c8eef8e4628feccacb62a0954d44321b996

Score

10^/10

zloader main 2020-06-07 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

main

Campaign

2020-06-07

https://matarlod.org/web/data

https://datearoc.org/web/data

https://rechnecy.org/web/data

https://ramissal.org/web/data

https://raidesci.org/web/data

https://glartrot.org/web/data

https://revenapo.org/web/data

https://brenonip.org/web/data

Attributes

build_id
4

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1068 set thread context of 520	1068	rundll32.exe	30

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	520	msiexec.exe
Token: SeSecurityPrivilege	520	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 1068	1744	rundll32.exe	27
PID 1744 wrote to memory of 1068	1744	rundll32.exe	27
PID 1744 wrote to memory of 1068	1744	rundll32.exe	27
PID 1744 wrote to memory of 1068	1744	rundll32.exe	27
PID 1744 wrote to memory of 1068	1744	rundll32.exe	27
PID 1744 wrote to memory of 1068	1744	rundll32.exe	27
PID 1744 wrote to memory of 1068	1744	rundll32.exe	27
PID 1068 wrote to memory of 520	1068	rundll32.exe	30
PID 1068 wrote to memory of 520	1068	rundll32.exe	30
PID 1068 wrote to memory of 520	1068	rundll32.exe	30
PID 1068 wrote to memory of 520	1068	rundll32.exe	30
PID 1068 wrote to memory of 520	1068	rundll32.exe	30
PID 1068 wrote to memory of 520	1068	rundll32.exe	30
PID 1068 wrote to memory of 520	1068	rundll32.exe	30
PID 1068 wrote to memory of 520	1068	rundll32.exe	30
PID 1068 wrote to memory of 520	1068	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\90c0857b9095a1a1f51d94fdbf915e33aee78d510ef0e8674d233fc1223149d7.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\90c0857b9095a1a1f51d94fdbf915e33aee78d510ef0e8674d233fc1223149d7.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/520-58-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/520-57-0x00000000000D0000-0x00000000000FC000-memory.dmp

Filesize
176KB

Download
memory/520-59-0x00000000000D0000-0x00000000000FC000-memory.dmp

Filesize
176KB

Download
memory/520-61-0x00000000000D0000-0x00000000000FC000-memory.dmp

Filesize
176KB

Download
memory/1068-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1068-55-0x0000000000320000-0x000000000038C000-memory.dmp

Filesize
432KB

Download
memory/1068-56-0x0000000074A40000-0x0000000074B2E000-memory.dmp

Filesize
952KB

Download