zloader | 5f7096eb3e7654bc5c7230466361b3f6f5b6ae3940aa6461e530f8849ccb21b5

Analysis

Target

5f7096eb3e7654bc5c7230466361b3f6f5b6ae3940aa6461e530f8849ccb21b5.dll
Size

541KB
MD5

dcc3090f7e614a5aec91160e412139b5
SHA1

e5add77436258e6fc7a29950a8386d12e428979d
SHA256

5f7096eb3e7654bc5c7230466361b3f6f5b6ae3940aa6461e530f8849ccb21b5
SHA512

8c221738c93c26ec81f565c7cb6a3594adcad6464dbe55060a614cfcf6f6fd528e8c410dd6ab8dbcdc6bb9d07673b7e7430da5fc83980e8b528c42709e26c6c3

Score

10^/10

Family

zloader

Botnet

nut

Campaign

16/10

https://rkhydraulic.com/gqvvjx.php

https://sadarpursangbad.com/eraksa.php

https://t20group.com/atufik.php

https://voldemarholding.ee/b6h7s1.php

https://reach-me.co/oay1hk.php

https://acpdd.cat/sv34fs.php

https://aestheticscc.com/wbbako.php

https://procalterfineb.tk/wp-smarts.php

Attributes

rc4.plain

rsa_pubkey.plain

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2812 wrote to memory of 3184	2812	rundll32.exe	rundll32.exe
PID 2812 wrote to memory of 3184	2812	rundll32.exe	rundll32.exe
PID 2812 wrote to memory of 3184	2812	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f7096eb3e7654bc5c7230466361b3f6f5b6ae3940aa6461e530f8849ccb21b5.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f7096eb3e7654bc5c7230466361b3f6f5b6ae3940aa6461e530f8849ccb21b5.dll,#1
  2⤵
  PID:3184

memory/3184-130-0x0000000000000000-mapping.dmp

Download
memory/3184-131-0x0000000075760000-0x0000000075786000-memory.dmp

Filesize
152KB

Download
memory/3184-132-0x0000000075760000-0x00000000757FD000-memory.dmp

Filesize
628KB

Download