zloader | 795268d44a8c63129e72dcc0a832bfd20526745c5dc3bfda17eacbd19acc85b8

Analysis

Target

795268d44a8c63129e72dcc0a832bfd20526745c5dc3bfda17eacbd19acc85b8.dll
Size

277KB
MD5

483dba96a462faa4a9023caa518b0ee4
SHA1

cafb62e91fd58cf4b6d3b5a5bcd41cf89165cc32
SHA256

795268d44a8c63129e72dcc0a832bfd20526745c5dc3bfda17eacbd19acc85b8
SHA512

a20ffd1ad4eef318528efdbc54042fc250ac67e5b59540e916ec6abd902cad0673d055223cb54fea2a35a6db5063381720f0325c5adb7a93df3d9f8f9c55e220

Score

10^/10

Family

zloader

Botnet

nut

Campaign

30/10

https://creditoacumuladoicms.com.br/npnegt.php

https://morgadoent.co.za/fp3jsl.php

https://access-one.us/clkgmw.php

https://amazonuniverse.in/dgxcee.php

https://ntandingsundhosmala.tk/wp-smarts.php

Attributes

rc4.plain

rsa_pubkey.plain

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4720 wrote to memory of 2508	4720	rundll32.exe	rundll32.exe
PID 4720 wrote to memory of 2508	4720	rundll32.exe	rundll32.exe
PID 4720 wrote to memory of 2508	4720	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\795268d44a8c63129e72dcc0a832bfd20526745c5dc3bfda17eacbd19acc85b8.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4720

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\795268d44a8c63129e72dcc0a832bfd20526745c5dc3bfda17eacbd19acc85b8.dll,#1
2⤵
PID:2508

memory/2508-131-0x0000000000000000-mapping.dmp

Download
memory/2508-132-0x0000000074CC0000-0x0000000074CE6000-memory.dmp

Filesize
152KB

Download
memory/2508-133-0x0000000074CC0000-0x0000000074D5E000-memory.dmp

Filesize
632KB

Download
memory/2508-134-0x0000000074CC0000-0x0000000074D5E000-memory.dmp

Filesize
632KB

Download