zloader | a136ba9a5582e0f317934712213eb7bd3758fad92750e02218e29671bda99957

Analysis

Target

a136ba9a5582e0f317934712213eb7bd3758fad92750e02218e29671bda99957.dll
Size

667KB
MD5

be4aefb22447f242df181e65db380687
SHA1

39699d67309a9b8817707a69a915ca0a0a57c607
SHA256

a136ba9a5582e0f317934712213eb7bd3758fad92750e02218e29671bda99957
SHA512

fe1c3667ad73732c27bc48a3a7a64a7ec25e8c0bdc057131e73cacfb01dff5828b507d91b1257f2aa09b6b2cb911ff53b6d5d29e50b32c6ef8c7bfac4eb96029

Score

10^/10

Family

zloader

Botnet

dll26

Campaign

dll26

https://eecakesconf.at/web982/gate.php

Attributes

rc4.plain

rsa_pubkey.plain

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3984 wrote to memory of 820	3984	rundll32.exe	rundll32.exe
PID 3984 wrote to memory of 820	3984	rundll32.exe	rundll32.exe
PID 3984 wrote to memory of 820	3984	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a136ba9a5582e0f317934712213eb7bd3758fad92750e02218e29671bda99957.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a136ba9a5582e0f317934712213eb7bd3758fad92750e02218e29671bda99957.dll,#1
2⤵
PID:820

memory/260-134-0x0000000000000000-mapping.dmp

Download
memory/260-135-0x0000000000900000-0x0000000000926000-memory.dmp

Filesize
152KB

Download
memory/260-136-0x0000000000900000-0x0000000000926000-memory.dmp

Filesize
152KB

Download
memory/820-130-0x0000000000000000-mapping.dmp

Download
memory/820-131-0x0000000074FC0000-0x0000000074FE6000-memory.dmp

Filesize
152KB

Download
memory/820-132-0x0000000074FC0000-0x0000000075073000-memory.dmp

Filesize
716KB

Download
memory/820-133-0x0000000074FC0000-0x0000000075073000-memory.dmp

Filesize
716KB

Download