zloader | 17a81931620ff1b6df45e02d7c2a5a451f8f19a9fb1717f8473fb284bb9b8f63

Analysis

Target

17a81931620ff1b6df45e02d7c2a5a451f8f19a9fb1717f8473fb284bb9b8f63.dll
Size

393KB
MD5

f2a53f0aa423ccd3b60cead07a9ab5b3
SHA1

072729378ab14547d1acfa58a9bd48a86aed9282
SHA256

17a81931620ff1b6df45e02d7c2a5a451f8f19a9fb1717f8473fb284bb9b8f63
SHA512

27634bdb23cbf50a231d5e3dac76c9ff48940366efdc2f69bf9a64c80a2053a8c90efe8ff492da9393ad2ef93b68b6878a73d4eab0cf7c5e1d8fe6d67722dd6b

Score

10^/10

Family

zloader

Botnet

october14

Campaign

october14

http://kentyckyderby201000.com/web/post.php

http://deemberkentyucky101.com/web/post.php

http://decemberkentuck102981.com/web/post.php

http://wingtonwelbemdon.com/web/post.php

http://donburitimesofindia.com/web/post.php

http://celtictimesofkarishan.com/web/post.php

Attributes

rc4.plain

rsa_pubkey.plain

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1892 wrote to memory of 888	1892	rundll32.exe	rundll32.exe
PID 1892 wrote to memory of 888	1892	rundll32.exe	rundll32.exe
PID 1892 wrote to memory of 888	1892	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\17a81931620ff1b6df45e02d7c2a5a451f8f19a9fb1717f8473fb284bb9b8f63.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\17a81931620ff1b6df45e02d7c2a5a451f8f19a9fb1717f8473fb284bb9b8f63.dll,#1
2⤵
PID:888

memory/888-130-0x0000000000000000-mapping.dmp

Download
memory/888-132-0x00000000757A0000-0x000000007580C000-memory.dmp

Filesize
432KB

Download
memory/888-131-0x00000000757A0000-0x00000000757C8000-memory.dmp

Filesize
160KB

Download
memory/888-133-0x00000000757A0000-0x000000007580C000-memory.dmp

Filesize
432KB

Download