zloader | 84e0da69f087625607c97c889e3e640d49e2718c568ad4d463100de44721df20

Analysis

max time kernel
20s
max time network
148s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29-01-2023 17:41

Target

84e0da69f087625607c97c889e3e640d49e2718c568ad4d463100de44721df20.dll
Size

596KB
MD5

1848710f7840771b98a7479c4ee1a921
SHA1

508964276e7da323de16f6d3f25534c92fc4576d
SHA256

84e0da69f087625607c97c889e3e640d49e2718c568ad4d463100de44721df20
SHA512

78a2ce199be94b637ba3f42b6f0da399dfea93e12dc744c0cebdaae1ba8c81a1a3021ca3e5182605fa670f0e5d047f7a31cc62b1f27976aec4144bbb8434facb
SSDEEP

12288:8L3o6XSk12WACq+6eYuHyAUStUeinhn6:M3o6J12jC5JLHDUAUY

Score

10^/10

Family

zloader

Botnet

googleaktualizacija

Campaign

googleaktualizacija2

https://iqowijsdakm.com/gate.php

https://wiewjdmkfjn.com/gate.php

https://dksaoidiakjd.com/gate.php

https://iweuiqjdakjd.com/gate.php

https://yuidskadjna.com/gate.php

https://olksmadnbdj.com/gate.php

https://odsakmdfnbs.com/gate.php

https://odsakjmdnhsaj.com/gate.php

https://odjdnhsaj.com/gate.php

https://odoishsaj.com/gate.php

Attributes

rc4.plain

rsa_pubkey.plain

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1740 wrote to memory of 1284	1740	regsvr32.exe	regsvr32.exe
PID 1740 wrote to memory of 1284	1740	regsvr32.exe	regsvr32.exe
PID 1740 wrote to memory of 1284	1740	regsvr32.exe	regsvr32.exe
PID 1740 wrote to memory of 1284	1740	regsvr32.exe	regsvr32.exe
PID 1740 wrote to memory of 1284	1740	regsvr32.exe	regsvr32.exe
PID 1740 wrote to memory of 1284	1740	regsvr32.exe	regsvr32.exe
PID 1740 wrote to memory of 1284	1740	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\84e0da69f087625607c97c889e3e640d49e2718c568ad4d463100de44721df20.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\84e0da69f087625607c97c889e3e640d49e2718c568ad4d463100de44721df20.dll
2⤵
PID:1284

memory/1284-60-0x0000000001D70000-0x0000000001DF0000-memory.dmp

Filesize
512KB

Download
memory/1284-61-0x0000000001D70000-0x0000000001DF0000-memory.dmp

Filesize
512KB

Download
memory/1284-56-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1284-57-0x0000000001D70000-0x0000000001DF0000-memory.dmp

Filesize
512KB

Download
memory/1284-58-0x0000000001D70000-0x0000000001DF0000-memory.dmp

Filesize
512KB

Download
memory/1284-59-0x0000000001D70000-0x0000000001DF0000-memory.dmp

Filesize
512KB

Download
memory/1284-55-0x0000000000000000-mapping.dmp

Download
memory/1284-67-0x0000000001D70000-0x0000000001DF0000-memory.dmp

Filesize
512KB

Download
memory/1668-62-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/1668-64-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/1668-65-0x0000000000000000-mapping.dmp

Download
memory/1668-68-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/1668-69-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/1740-54-0x000007FEFB621000-0x000007FEFB623000-memory.dmp

Filesize
8KB

Download