zloader | 55e122310b7893eb83b7b2e6077413fb60816ba0e4dee01f7f249b3a2f64a2da

General

Target

55e122310b7893eb83b7b2e6077413fb60816ba0e4dee01f7f249b3a2f64a2da.dll
Size

561KB
MD5

17fed343bada88dfbfd827cc684f5d5f
SHA1

447dbb81663cb057352ddbb4770c08ed80827c0c
SHA256

55e122310b7893eb83b7b2e6077413fb60816ba0e4dee01f7f249b3a2f64a2da
SHA512

d945c600b529c6308c5cba950d18ea63ff349c5f21b15151214578a6eb7bc34f1bd703c418e369ba5d2a08fd9e38d1abb67f74ea3cf15fec5b5b1553276f0e55

Score

10^/10

Family

zloader

Botnet

08/04

C2

https://kuaxbdkvbbmivbxkrrev.com/wp-config.php

https://hwbblyyrb.pw/wp-config.php

Attributes

rc4.plain

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 2032 set thread context of 1748 2032 rundll32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 1748 msiexec.exe
Token: SeSecurityPrivilege 1748 msiexec.exe

description	pid	process	target process
PID 2032 set thread context of 1748	2032	rundll32.exe	msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	1748	msiexec.exe
Token: SeSecurityPrivilege	1748	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2040 wrote to memory of 2032	2040	rundll32.exe	rundll32.exe
PID 2040 wrote to memory of 2032	2040	rundll32.exe	rundll32.exe
PID 2040 wrote to memory of 2032	2040	rundll32.exe	rundll32.exe
PID 2040 wrote to memory of 2032	2040	rundll32.exe	rundll32.exe
PID 2040 wrote to memory of 2032	2040	rundll32.exe	rundll32.exe
PID 2040 wrote to memory of 2032	2040	rundll32.exe	rundll32.exe
PID 2040 wrote to memory of 2032	2040	rundll32.exe	rundll32.exe
PID 2032 wrote to memory of 1748	2032	rundll32.exe	msiexec.exe
PID 2032 wrote to memory of 1748	2032	rundll32.exe	msiexec.exe
PID 2032 wrote to memory of 1748	2032	rundll32.exe	msiexec.exe
PID 2032 wrote to memory of 1748	2032	rundll32.exe	msiexec.exe
PID 2032 wrote to memory of 1748	2032	rundll32.exe	msiexec.exe
PID 2032 wrote to memory of 1748	2032	rundll32.exe	msiexec.exe
PID 2032 wrote to memory of 1748	2032	rundll32.exe	msiexec.exe
PID 2032 wrote to memory of 1748	2032	rundll32.exe	msiexec.exe
PID 2032 wrote to memory of 1748	2032	rundll32.exe	msiexec.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\55e122310b7893eb83b7b2e6077413fb60816ba0e4dee01f7f249b3a2f64a2da.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1748

memory/1748-59-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1748-58-0x0000000000110000-0x0000000000143000-memory.dmp

Filesize
204KB

Download
memory/1748-60-0x0000000000110000-0x0000000000143000-memory.dmp

Filesize
204KB

Download
memory/1748-62-0x0000000000110000-0x0000000000143000-memory.dmp

Filesize
204KB

Download
memory/2032-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/2032-56-0x00000000745E0000-0x000000007468C000-memory.dmp

Filesize
688KB

Download
memory/2032-55-0x00000000745E0000-0x0000000074613000-memory.dmp

Filesize
204KB

Download
memory/2032-57-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download