zloader | e3c48c72d0d090ac01bff8bf6d54c08a6fedcda2e527d424d6f64a70016d2ba6

General

Target

e3c48c72d0d090ac01bff8bf6d54c08a6fedcda2e527d424d6f64a70016d2ba6.dll
Size

364KB
MD5

d00f0818093c5960cb3ea0de3b93f341
SHA1

a7bdf8da3a30ac98a0df9fd0bd50f61a330056f1
SHA256

e3c48c72d0d090ac01bff8bf6d54c08a6fedcda2e527d424d6f64a70016d2ba6
SHA512

681fe9460252b315e6bc976793b0a594cfc501ad574b03525597aa0d5342201672811cf6bd86b5412d9a43df5500e43f28bdab1e5ca361e431532ecce5e5ca05

Score

10^/10

zloader apr09 canada botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

apr09

Campaign

Canada

C2

http://march262020.best/post.php

http://march262020.club/post.php

http://march262020.com/post.php

http://march262020.live/post.php

http://march262020.network/post.php

http://march262020.online/post.php

http://march262020.site/post.php

http://march262020.store/post.php

http://march262020.tech/post.php

Attributes

build_id
94

rc4.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1700 set thread context of 1312	1700	rundll32.exe	28

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 1700	1600	rundll32.exe	27
PID 1600 wrote to memory of 1700	1600	rundll32.exe	27
PID 1600 wrote to memory of 1700	1600	rundll32.exe	27
PID 1600 wrote to memory of 1700	1600	rundll32.exe	27
PID 1600 wrote to memory of 1700	1600	rundll32.exe	27
PID 1600 wrote to memory of 1700	1600	rundll32.exe	27
PID 1600 wrote to memory of 1700	1600	rundll32.exe	27
PID 1700 wrote to memory of 1312	1700	rundll32.exe	28
PID 1700 wrote to memory of 1312	1700	rundll32.exe	28
PID 1700 wrote to memory of 1312	1700	rundll32.exe	28
PID 1700 wrote to memory of 1312	1700	rundll32.exe	28
PID 1700 wrote to memory of 1312	1700	rundll32.exe	28
PID 1700 wrote to memory of 1312	1700	rundll32.exe	28
PID 1700 wrote to memory of 1312	1700	rundll32.exe	28
PID 1700 wrote to memory of 1312	1700	rundll32.exe	28
PID 1700 wrote to memory of 1312	1700	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3c48c72d0d090ac01bff8bf6d54c08a6fedcda2e527d424d6f64a70016d2ba6.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3c48c72d0d090ac01bff8bf6d54c08a6fedcda2e527d424d6f64a70016d2ba6.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    PID:1312

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1312-61-0x0000000000090000-0x00000000000C4000-memory.dmp

Filesize
208KB

Download
memory/1312-63-0x0000000000090000-0x00000000000C4000-memory.dmp

Filesize
208KB

Download
memory/1312-67-0x0000000000090000-0x00000000000C4000-memory.dmp

Filesize
208KB

Download
memory/1312-68-0x0000000000090000-0x00000000000C4000-memory.dmp

Filesize
208KB

Download
memory/1700-55-0x0000000075CD1000-0x0000000075CD3000-memory.dmp

Filesize
8KB

Download
memory/1700-56-0x00000000001C0000-0x000000000022D000-memory.dmp

Filesize
436KB

Download
memory/1700-59-0x00000000001C0000-0x000000000022D000-memory.dmp

Filesize
436KB

Download
memory/1700-58-0x00000000001C0000-0x00000000001F4000-memory.dmp

Filesize
208KB

Download
memory/1700-60-0x00000000001C0000-0x000000000022D000-memory.dmp

Filesize
436KB

Download
memory/1700-65-0x00000000001C0000-0x000000000022D000-memory.dmp

Filesize
436KB

Download

Analysis

Sharing