zloader | 4b3ff2b99ed45563241abdf5079986e2e895ff7a011a2530e6ab9da20fa14954

Analysis

Target

4b3ff2b99ed45563241abdf5079986e2e895ff7a011a2530e6ab9da20fa14954.exe
Size

260KB
MD5

b45802e885542ea5f4bf5f3fe11b01cf
SHA1

cb41a9cdfd28a228f6bc3c5d5f857ec4389e7ffc
SHA256

4b3ff2b99ed45563241abdf5079986e2e895ff7a011a2530e6ab9da20fa14954
SHA512

33a89ec1a0584dc7bcdb837915415c5cb0b7d1eb9b570ff5e624827e18c5135aa12944ff9b6c1056723de4b2280cd433cc986daedd3d1f0a373cf5b3f123c1ee

Score

10^/10

Family

zloader

Attributes

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1388 set thread context of 1644	1388	4b3ff2b99ed45563241abdf5079986e2e895ff7a011a2530e6ab9da20fa14954.exe	29

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1644	msiexec.exe
Token: SeSecurityPrivilege	1644	msiexec.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1644	1388	4b3ff2b99ed45563241abdf5079986e2e895ff7a011a2530e6ab9da20fa14954.exe	29
PID 1388 wrote to memory of 1644	1388	4b3ff2b99ed45563241abdf5079986e2e895ff7a011a2530e6ab9da20fa14954.exe	29
PID 1388 wrote to memory of 1644	1388	4b3ff2b99ed45563241abdf5079986e2e895ff7a011a2530e6ab9da20fa14954.exe	29
PID 1388 wrote to memory of 1644	1388	4b3ff2b99ed45563241abdf5079986e2e895ff7a011a2530e6ab9da20fa14954.exe	29
PID 1388 wrote to memory of 1644	1388	4b3ff2b99ed45563241abdf5079986e2e895ff7a011a2530e6ab9da20fa14954.exe	29
PID 1388 wrote to memory of 1644	1388	4b3ff2b99ed45563241abdf5079986e2e895ff7a011a2530e6ab9da20fa14954.exe	29
PID 1388 wrote to memory of 1644	1388	4b3ff2b99ed45563241abdf5079986e2e895ff7a011a2530e6ab9da20fa14954.exe	29
PID 1388 wrote to memory of 1644	1388	4b3ff2b99ed45563241abdf5079986e2e895ff7a011a2530e6ab9da20fa14954.exe	29
PID 1388 wrote to memory of 1644	1388	4b3ff2b99ed45563241abdf5079986e2e895ff7a011a2530e6ab9da20fa14954.exe	29

C:\Users\Admin\AppData\Local\Temp\4b3ff2b99ed45563241abdf5079986e2e895ff7a011a2530e6ab9da20fa14954.exe
"C:\Users\Admin\AppData\Local\Temp\4b3ff2b99ed45563241abdf5079986e2e895ff7a011a2530e6ab9da20fa14954.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1644

memory/1388-55-0x00000000758A1000-0x00000000758A3000-memory.dmp

Filesize
8KB

Download
memory/1388-56-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1388-57-0x00000000002A0000-0x00000000002CC000-memory.dmp

Filesize
176KB

Download
memory/1644-58-0x0000000000090000-0x00000000000BC000-memory.dmp

Filesize
176KB

Download
memory/1644-59-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1644-60-0x0000000000090000-0x00000000000BC000-memory.dmp

Filesize
176KB

Download
memory/1644-62-0x0000000000090000-0x00000000000BC000-memory.dmp

Filesize
176KB

Download