zloader | b7824362cae4aa551d8dc5853928f4d7bae5cbddf72c00776f740abfab8b0401

Analysis

Target

b7824362cae4aa551d8dc5853928f4d7bae5cbddf72c00776f740abfab8b0401.dll
Size

300KB
MD5

5f92662f99a4c56c1ea0f682369716da
SHA1

3d44ed670a81ed475e8399a787a7c05b3b2fb397
SHA256

b7824362cae4aa551d8dc5853928f4d7bae5cbddf72c00776f740abfab8b0401
SHA512

766cc3792d8c3993167e445f655a9f49d11bf38581eac50017ac635b46abc740450fb375bc1fa4c6b828b61e982c32f525adbda5a8f33b4efa04b2949b93a0aa

Score

10^/10

Family

zloader

Botnet

nut

Campaign

09/10

https://1stsecuritysolutions.co.uk/17vfj3.php

https://aplusevents.com.au/elxbmr.php

https://autoescolatopsul.com.br/zsog59.php

https://avecla.es/d3k34t.php

https://triccirohepe.tk/wp-smarts.php

https://botchicoffee.com/fmsbdt.php

https://buddingreport.com/yxewxx.php

Attributes

rc4.plain

rsa_pubkey.plain

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1540 wrote to memory of 4560	1540	rundll32.exe	rundll32.exe
PID 1540 wrote to memory of 4560	1540	rundll32.exe	rundll32.exe
PID 1540 wrote to memory of 4560	1540	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b7824362cae4aa551d8dc5853928f4d7bae5cbddf72c00776f740abfab8b0401.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b7824362cae4aa551d8dc5853928f4d7bae5cbddf72c00776f740abfab8b0401.dll,#1
  2⤵
  PID:4560

memory/4560-130-0x0000000000000000-mapping.dmp

Download
memory/4560-132-0x0000000074940000-0x00000000749EA000-memory.dmp

Filesize
680KB

Download
memory/4560-131-0x0000000074940000-0x0000000074968000-memory.dmp

Filesize
160KB

Download