zloader | 2558251e3f8705e621bf2749648c77dce391f3cc870aac9a6fd7119ce79103a2

General

Target

2558251e3f8705e621bf2749648c77dce391f3cc870aac9a6fd7119ce79103a2.dll
Size

375KB
MD5

6947ee4228ab808e9c91d9d6cd7f6f21
SHA1

006fee40df6b2908d5a6a945fd47ddfe2f32f533
SHA256

2558251e3f8705e621bf2749648c77dce391f3cc870aac9a6fd7119ce79103a2
SHA512

f8c9618ad79a6b0ac574f59e6d06b8e56b037bd5f388122acc66928e2db913e1630fcd3f92078e53913fab71aaa680968c20be0ecc0f0375fc93a373280b6e8c

Score

10^/10

zloader caspam caspam botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

CASPAM

Campaign

CASPAM

C2

http://marchadvertisingnetwork4.com/post.php

http://marchadvertisingnetwork5.com/post.php

http://marchadvertisingnetwork6.com/post.php

http://marchadvertisingnetwork7.com/post.php

http://marchadvertisingnetwork8.com/post.php

http://marchadvertisingnetwork9.com/post.php

http://marchadvertisingnetwork10.com/post.php

Attributes

build_id
24

rc4.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1972 set thread context of 1416 1972 rundll32.exe msiexec.exe

description	pid	process	target process
PID 1972 set thread context of 1416	1972	rundll32.exe	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1936 wrote to memory of 1972	1936	rundll32.exe	rundll32.exe
PID 1936 wrote to memory of 1972	1936	rundll32.exe	rundll32.exe
PID 1936 wrote to memory of 1972	1936	rundll32.exe	rundll32.exe
PID 1936 wrote to memory of 1972	1936	rundll32.exe	rundll32.exe
PID 1936 wrote to memory of 1972	1936	rundll32.exe	rundll32.exe
PID 1936 wrote to memory of 1972	1936	rundll32.exe	rundll32.exe
PID 1936 wrote to memory of 1972	1936	rundll32.exe	rundll32.exe
PID 1972 wrote to memory of 1416	1972	rundll32.exe	msiexec.exe
PID 1972 wrote to memory of 1416	1972	rundll32.exe	msiexec.exe
PID 1972 wrote to memory of 1416	1972	rundll32.exe	msiexec.exe
PID 1972 wrote to memory of 1416	1972	rundll32.exe	msiexec.exe
PID 1972 wrote to memory of 1416	1972	rundll32.exe	msiexec.exe
PID 1972 wrote to memory of 1416	1972	rundll32.exe	msiexec.exe
PID 1972 wrote to memory of 1416	1972	rundll32.exe	msiexec.exe
PID 1972 wrote to memory of 1416	1972	rundll32.exe	msiexec.exe
PID 1972 wrote to memory of 1416	1972	rundll32.exe	msiexec.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2558251e3f8705e621bf2749648c77dce391f3cc870aac9a6fd7119ce79103a2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2558251e3f8705e621bf2749648c77dce391f3cc870aac9a6fd7119ce79103a2.dll,#1
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
PID:1416

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1416-59-0x00000000000D0000-0x0000000000100000-memory.dmp

Filesize
192KB

Download
memory/1416-61-0x00000000000D0000-0x0000000000100000-memory.dmp

Filesize
192KB

Download
memory/1416-62-0x0000000000000000-mapping.dmp

Download
memory/1416-65-0x00000000000D0000-0x0000000000100000-memory.dmp

Filesize
192KB

Download
memory/1972-54-0x0000000000000000-mapping.dmp

Download
memory/1972-55-0x0000000074DD1000-0x0000000074DD3000-memory.dmp

Filesize
8KB

Download
memory/1972-57-0x00000000748C0000-0x000000007493D000-memory.dmp

Filesize
500KB

Download
memory/1972-56-0x00000000748C0000-0x00000000748F0000-memory.dmp

Filesize
192KB

Download
memory/1972-58-0x00000000748C0000-0x000000007493D000-memory.dmp

Filesize
500KB

Download
memory/1972-63-0x00000000748C0000-0x000000007493D000-memory.dmp

Filesize
500KB

Download

Analysis

Sharing