zloader | dbe9477ae91c832c2f8749829b9300435efda9299c6dd2b1bd06d49452083827

General

Target

dbe9477ae91c832c2f8749829b9300435efda9299c6dd2b1bd06d49452083827.dll
Size

648KB
MD5

041ebd55472e90b6539ed5d520c01f99
SHA1

94cd854b532681dfce63dcd26275ffe735c2cfc2
SHA256

dbe9477ae91c832c2f8749829b9300435efda9299c6dd2b1bd06d49452083827
SHA512

371e5d64c9857b5c417a1080f97911a24c0001d60a989052bafe336264b1a858304f7abb1944de6d799e5e8019c78c32e58103d64dc32ee731cd14e2e33856d7

Score

10^/10

Family

zloader

Botnet

miguel

Campaign

10/04

C2

https://gynrhcoe.pw/wp-config.php

https://wlqaqife.icu/wp-config.php

Attributes

rc4.plain

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1752 set thread context of 1224 1752 rundll32.exe msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeSecurityPrivilege 1224 msiexec.exe
Token: SeSecurityPrivilege 1224 msiexec.exe

description	pid	process	target process
PID 1752 set thread context of 1224	1752	rundll32.exe	msiexec.exe

description	pid	process
Token: SeSecurityPrivilege	1224	msiexec.exe
Token: SeSecurityPrivilege	1224	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1976 wrote to memory of 1752	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 1752	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 1752	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 1752	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 1752	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 1752	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 1752	1976	rundll32.exe	rundll32.exe
PID 1752 wrote to memory of 1224	1752	rundll32.exe	msiexec.exe
PID 1752 wrote to memory of 1224	1752	rundll32.exe	msiexec.exe
PID 1752 wrote to memory of 1224	1752	rundll32.exe	msiexec.exe
PID 1752 wrote to memory of 1224	1752	rundll32.exe	msiexec.exe
PID 1752 wrote to memory of 1224	1752	rundll32.exe	msiexec.exe
PID 1752 wrote to memory of 1224	1752	rundll32.exe	msiexec.exe
PID 1752 wrote to memory of 1224	1752	rundll32.exe	msiexec.exe
PID 1752 wrote to memory of 1224	1752	rundll32.exe	msiexec.exe
PID 1752 wrote to memory of 1224	1752	rundll32.exe	msiexec.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dbe9477ae91c832c2f8749829b9300435efda9299c6dd2b1bd06d49452083827.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1224

memory/1224-59-0x0000000000130000-0x0000000000164000-memory.dmp

Filesize
208KB

Download
memory/1224-61-0x0000000000130000-0x0000000000164000-memory.dmp

Filesize
208KB

Download
memory/1224-62-0x0000000000000000-mapping.dmp

Download
memory/1224-65-0x0000000000130000-0x0000000000164000-memory.dmp

Filesize
208KB

Download
memory/1224-66-0x0000000000130000-0x0000000000164000-memory.dmp

Filesize
208KB

Download
memory/1752-54-0x0000000000000000-mapping.dmp

Download
memory/1752-55-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/1752-56-0x0000000074960000-0x0000000074994000-memory.dmp

Filesize
208KB

Download
memory/1752-57-0x0000000074960000-0x0000000074A19000-memory.dmp

Filesize
740KB

Download
memory/1752-58-0x0000000074960000-0x0000000074A19000-memory.dmp

Filesize
740KB

Download
memory/1752-63-0x0000000074960000-0x0000000074A19000-memory.dmp

Filesize
740KB

Download