zloader | 71cff9414b7367b65c96e8e98a2ee019f44eaa7e0d7d0f2d086a517c0d7cffb7

Analysis

max time kernel
110s
max time network
47s
platform
windows7_x64
resource
win7-20220414-en
submitted
03-05-2022 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71cff9414b7367b65c96e8e98a2ee019f44eaa7e0d7d0f2d086a517c0d7cffb7.dll
Size

541KB
MD5

a6edb6cb8f14e1a7cee7427ffafacb23
SHA1

0edeb470ec8736417ad1eb02a7c2191c2e92529f
SHA256

71cff9414b7367b65c96e8e98a2ee019f44eaa7e0d7d0f2d086a517c0d7cffb7
SHA512

ec6e5b1c841c08f26584fc0f7baa2aa6a70098ba1d1fb06880758dbce9bc80911f94ee6b5eddbd9679ee0eeb080ad43de40ebf2d726a744a57c3f3b801828142

Score

10^/10

zloader nut 16/10 botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

nut

Campaign

16/10

https://rkhydraulic.com/gqvvjx.php

https://sadarpursangbad.com/eraksa.php

https://t20group.com/atufik.php

https://voldemarholding.ee/b6h7s1.php

https://reach-me.co/oay1hk.php

https://acpdd.cat/sv34fs.php

https://aestheticscc.com/wbbako.php

https://procalterfineb.tk/wp-smarts.php

Attributes

build_id
170

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1728 wrote to memory of 1792	1728	rundll32.exe	rundll32.exe
PID 1728 wrote to memory of 1792	1728	rundll32.exe	rundll32.exe
PID 1728 wrote to memory of 1792	1728	rundll32.exe	rundll32.exe
PID 1728 wrote to memory of 1792	1728	rundll32.exe	rundll32.exe
PID 1728 wrote to memory of 1792	1728	rundll32.exe	rundll32.exe
PID 1728 wrote to memory of 1792	1728	rundll32.exe	rundll32.exe
PID 1728 wrote to memory of 1792	1728	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\71cff9414b7367b65c96e8e98a2ee019f44eaa7e0d7d0f2d086a517c0d7cffb7.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\71cff9414b7367b65c96e8e98a2ee019f44eaa7e0d7d0f2d086a517c0d7cffb7.dll,#1
2⤵
PID:1792

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1792-54-0x0000000000000000-mapping.dmp

Download
memory/1792-55-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1792-57-0x0000000074E60000-0x0000000074EFD000-memory.dmp

Filesize
628KB

Download
memory/1792-56-0x0000000074E60000-0x0000000074E86000-memory.dmp

Filesize
152KB

Download
memory/1792-58-0x0000000074E60000-0x0000000074EFD000-memory.dmp

Filesize
628KB

Download