zloader | 19f90b17a6bcf1c80551ae576d0949d51df8b8e26437a3a8aa6d5d4d344440c4

General

Target

19f90b17a6bcf1c80551ae576d0949d51df8b8e26437a3a8aa6d5d4d344440c4.dll
Size

634KB
MD5

c7492b61b4138459b9d45b085f3c79c0
SHA1

39b0ab8064f4e0d2e06775a8ef5dbc6a279db88f
SHA256

19f90b17a6bcf1c80551ae576d0949d51df8b8e26437a3a8aa6d5d4d344440c4
SHA512

7b22e4b582ed6ff974862caed5b90cb49437e793fd10b7fcff798edb645e5b5b0dee8690e7ba5c6e7526e9e51259037ec8489d26e1b03c7639780ad27da676ed

Score

10^/10

Family

zloader

Botnet

miguel

Campaign

08/04

C2

https://kuaxbdkvbbmivbxkrrev.com/wp-config.php

https://hwbblyyrb.pw/wp-config.php

Attributes

rc4.plain

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1432 set thread context of 1500 1432 rundll32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 1500 msiexec.exe
Token: SeSecurityPrivilege 1500 msiexec.exe

description	pid	process	target process
PID 1432 set thread context of 1500	1432	rundll32.exe	msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	1500	msiexec.exe
Token: SeSecurityPrivilege	1500	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1424 wrote to memory of 1432	1424	rundll32.exe	rundll32.exe
PID 1424 wrote to memory of 1432	1424	rundll32.exe	rundll32.exe
PID 1424 wrote to memory of 1432	1424	rundll32.exe	rundll32.exe
PID 1424 wrote to memory of 1432	1424	rundll32.exe	rundll32.exe
PID 1424 wrote to memory of 1432	1424	rundll32.exe	rundll32.exe
PID 1424 wrote to memory of 1432	1424	rundll32.exe	rundll32.exe
PID 1424 wrote to memory of 1432	1424	rundll32.exe	rundll32.exe
PID 1432 wrote to memory of 1500	1432	rundll32.exe	msiexec.exe
PID 1432 wrote to memory of 1500	1432	rundll32.exe	msiexec.exe
PID 1432 wrote to memory of 1500	1432	rundll32.exe	msiexec.exe
PID 1432 wrote to memory of 1500	1432	rundll32.exe	msiexec.exe
PID 1432 wrote to memory of 1500	1432	rundll32.exe	msiexec.exe
PID 1432 wrote to memory of 1500	1432	rundll32.exe	msiexec.exe
PID 1432 wrote to memory of 1500	1432	rundll32.exe	msiexec.exe
PID 1432 wrote to memory of 1500	1432	rundll32.exe	msiexec.exe
PID 1432 wrote to memory of 1500	1432	rundll32.exe	msiexec.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\19f90b17a6bcf1c80551ae576d0949d51df8b8e26437a3a8aa6d5d4d344440c4.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1500

memory/1432-53-0x0000000075D11000-0x0000000075D13000-memory.dmp

Filesize
8KB

Download
memory/1432-55-0x0000000075280000-0x000000007533C000-memory.dmp

Filesize
752KB

Download
memory/1432-56-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1432-54-0x0000000075280000-0x00000000752B3000-memory.dmp

Filesize
204KB

Download
memory/1500-58-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1500-57-0x00000000000B0000-0x00000000000E3000-memory.dmp

Filesize
204KB

Download
memory/1500-59-0x00000000000B0000-0x00000000000E3000-memory.dmp

Filesize
204KB

Download
memory/1500-61-0x00000000000B0000-0x00000000000E3000-memory.dmp

Filesize
204KB

Download