zloader | bf0993a3313cbea3ad2edb35657e66574bb88b4a0bd21134a72969b5b8f4be14 | Triage

Analysis

max time kernel
106s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
18-04-2022 15:30

Sharing

Report Analysis Logs

General

Target

bf0993a3313cbea3ad2edb35657e66574bb88b4a0bd21134a72969b5b8f4be14.dll
Size

667KB
MD5

21b83a88c298e9c0a3b2a3b5e08825e0
SHA1

d34b71691a0cdc8fce8eef97f1c84bfa467a7ac1
SHA256

bf0993a3313cbea3ad2edb35657e66574bb88b4a0bd21134a72969b5b8f4be14
SHA512

34035bca3741a01aacdb026fff43b9160b3dadb67b2ff82646c5c6e930a39b9120b90940e0c64c9947489bb81830230c609e99d04788b71ca4f7c7120ecc0c0c

Score

10^/10

zloader dll26 dll26 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

dll26

Campaign

dll26

C2

https://eecakesconf.at/web982/gate.php

Attributes

build_id
7

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 4564	1976	rundll32.exe	80
PID 1976 wrote to memory of 4564	1976	rundll32.exe	80
PID 1976 wrote to memory of 4564	1976	rundll32.exe	80

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bf0993a3313cbea3ad2edb35657e66574bb88b4a0bd21134a72969b5b8f4be14.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\bf0993a3313cbea3ad2edb35657e66574bb88b4a0bd21134a72969b5b8f4be14.dll,#1
  2⤵
  PID:4564

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4564-132-0x00000000754E0000-0x0000000075593000-memory.dmp

Filesize
716KB

Download
memory/4564-131-0x00000000754E0000-0x0000000075506000-memory.dmp

Filesize
152KB

Download