zloader | 69c4f37bac324873c0caea8194b91f9ee804cef77ee21bdb2f8f35e5c884878c | Triage

Resubmissions

04-12-2023 13:00

231204-p8vffabc2s 10

18-04-2022 15:30

220418-sxy62adeen 10

Analysis

max time kernel
105s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
18-04-2022 15:30

Sharing

Report Analysis Logs

General

Target

69c4f37bac324873c0caea8194b91f9ee804cef77ee21bdb2f8f35e5c884878c.dll
Size

667KB
MD5

14329d9e980e7a427e941f7d5d71365c
SHA1

07ede188c7e143443eb8fcd9dfa347481b34fcc2
SHA256

69c4f37bac324873c0caea8194b91f9ee804cef77ee21bdb2f8f35e5c884878c
SHA512

6fa538242f02dbf469a9c9ea4ddbdaa628001796b367106d711cb5a38c507badf04194d85f5c3e277ff0742c2bf1873b8e3c68afd9ade8b998ec7c7c442c8e33

Score

10^/10

zloader dll26 dll26 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

dll26

Campaign

dll26

C2

https://eecakesconf.at/web982/gate.php

Attributes

build_id
7

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 2004	4112	rundll32.exe	79
PID 4112 wrote to memory of 2004	4112	rundll32.exe	79
PID 4112 wrote to memory of 2004	4112	rundll32.exe	79

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\69c4f37bac324873c0caea8194b91f9ee804cef77ee21bdb2f8f35e5c884878c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\69c4f37bac324873c0caea8194b91f9ee804cef77ee21bdb2f8f35e5c884878c.dll,#1
  2⤵
  PID:2004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2004-132-0x0000000074ED0000-0x0000000074F83000-memory.dmp

Filesize
716KB

Download
memory/2004-131-0x0000000074ED0000-0x0000000074EF6000-memory.dmp

Filesize
152KB

Download