zloader | 72c6263c691245f4b8bb28faf17e5140393f6906cd976a5a71efc6da76964f8a

Analysis

Target

72c6263c691245f4b8bb28faf17e5140393f6906cd976a5a71efc6da76964f8a.dll
Size

636KB
MD5

7aa4d61b349fe9ae9249d084bdfbab0f
SHA1

e0f1294e23ac717b41a87484b8444fe403db328d
SHA256

72c6263c691245f4b8bb28faf17e5140393f6906cd976a5a71efc6da76964f8a
SHA512

6f627c83f39e493cbace6be0b93058b80f9d8a9988a83df6459da3804fd16e1c9ae0edd330e6d6e1f5ced8e2d8a12b7f913bce821cf310ab562c3e7887063a4c

Score

10^/10

Family

zloader

Botnet

divader

Campaign

poll

https://fqnceas.su/gate.php

https://fqlocpeas.ru/gate.php

https://dksaiijn.ru/gate.php

https://dksafjasnf.su/gate.php

https://fjsafasfsa.ru/gate.php

https://fjskoijafsa.ru/gate.php

https://kochamkkkras.ru/gate.php

https://uookqihwdid.ru/gate.php

https://iqowijsdakm.ru/gate.php

https://wiewjdmkfjn.ru/gate.php

Attributes

rc4.plain

rsa_pubkey.plain

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2220 wrote to memory of 4212	2220	rundll32.exe	rundll32.exe
PID 2220 wrote to memory of 4212	2220	rundll32.exe	rundll32.exe
PID 2220 wrote to memory of 4212	2220	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\72c6263c691245f4b8bb28faf17e5140393f6906cd976a5a71efc6da76964f8a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\72c6263c691245f4b8bb28faf17e5140393f6906cd976a5a71efc6da76964f8a.dll,#1
  2⤵
  PID:4212

memory/4212-130-0x0000000000000000-mapping.dmp

Download
memory/4212-131-0x0000000000910000-0x000000000095B000-memory.dmp

Filesize
300KB

Download
memory/4212-132-0x0000000002290000-0x00000000022B9000-memory.dmp

Filesize
164KB

Download