zloader | 9dae20bd687c2e790c928eb9b4989a213b9f23a23211e0a0383e531c04f80e5b

Analysis

max time kernel
89s
max time network
18s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04-02-2024 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ef434c30c2839f2fd57ba23899c2467.dll
Size

323KB
MD5

8ef434c30c2839f2fd57ba23899c2467
SHA1

949164ad8e01020b4787ec5a560c5be44fd3e8fd
SHA256

9dae20bd687c2e790c928eb9b4989a213b9f23a23211e0a0383e531c04f80e5b
SHA512

64f19ce9e02dcf965565c882f8de28255f68d4989168650b383707609886ccb7b375f654ce325468189d0c9971c3da69d9d19f91a66f473f9bc909e879d98e5b
SSDEEP

6144:p0L/qmFspQg3JQaG9Py6c1K8poXsMsBcBezEXLcrXVO5M0S:KeQg5QaGBy6cA8isMsBOezEb2CM0S

Score

10^/10

zloader ivan ivan botnet trojan

Malware Config

Extracted

Family

zloader

Botnet

ivan

Campaign

ivan

https://iqowijsdakm.com/gate.php

https://wiewjdmkfjn.com/gate.php

https://dksaoidiakjd.com/gate.php

https://iweuiqjdakjd.com/gate.php

https://yuidskadjna.com/gate.php

https://olksmadnbdj.com/gate.php

https://odsakmdfnbs.com/gate.php

https://odsakjmdnhsaj.com/gate.php

https://odjdnhsaj.com/gate.php

https://odoishsaj.com/gate.php

Attributes

build_id
157

rc4.plain

rsa_pubkey.plain

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1352 wrote to memory of 2124	1352	regsvr32.exe	regsvr32.exe
PID 1352 wrote to memory of 2124	1352	regsvr32.exe	regsvr32.exe
PID 1352 wrote to memory of 2124	1352	regsvr32.exe	regsvr32.exe
PID 1352 wrote to memory of 2124	1352	regsvr32.exe	regsvr32.exe
PID 1352 wrote to memory of 2124	1352	regsvr32.exe	regsvr32.exe
PID 1352 wrote to memory of 2124	1352	regsvr32.exe	regsvr32.exe
PID 1352 wrote to memory of 2124	1352	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8ef434c30c2839f2fd57ba23899c2467.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\8ef434c30c2839f2fd57ba23899c2467.dll
2⤵
PID:2124

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp.txt
Filesize
4B

MD5
92381b1f84d6bcbab6d38a32282930f3

SHA1
852c1e60ce24b180c12dfe827fc5ece6e79d449e

SHA256
f98af5ba1cc1fd1b7ed94b9fa3fbe8a51509a10525e7e7105d782238e3e91ac2

SHA512
7ce15e78b0e70cac9df6566791493197e97e7f5155e29ce91e994ec86d80d1341eee83db24e555555525d7d507317dbc629f09912deed0c2ee5dd1e0c1a3a1cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.txt
Filesize
4B

MD5
1a355c34fd374d7198ce7aede7026460

SHA1
2251142ebdcd99890424c932de502d094925ad98

SHA256
2b1e4d97004d6cee831f2b6a006a4476db714f46953716fa654cc532add9951e

SHA512
2c6e69e7907dc955a5b4cba25a4774a022dd762c4bba6c4402b585d834476a82bee348975762ba02d033adddd6e38a8290146e0cc21cdc311173ae23260b34ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.txt
Filesize
4B

MD5
c9202254d340427c8f2aeccee7d231d6

SHA1
9f927d26152e4845a25de739e10ef1128c1ca383

SHA256
b3e07de731eba36852638e1fabaaa49cbeafa0467d78229b3ea2e42592dacd42

SHA512
44bc90e54d514a4914978246fd61ca6b08bab053ef61063aba797abb5e2c6289645621abe43bb62997ef88d364743275da1108d2736b7cba0429ff4d574d911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.txt
Filesize
4B

MD5
0df971cfaecd64c1913680f721acdec7

SHA1
a6912aa2acd62703a68b430a0af250ef730ed624

SHA256
3cf102b28eafeb306c1d5b268af734e3b3f9230a67c0d3b31437b4c66dd47e84

SHA512
f89bdb6120230b3f3caa0b5e45e7582f79ad6ecb8a00c1602faf5cbfbed49fc52f7cc3f3a9905ed6f57bca7903aeddb2e0ae671242a58e0792b3a6f658751249

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.txt
Filesize
4B

MD5
d9e1579e25c00608f45eedcb80011fcc

SHA1
0b6be975f6f0d7a23d17882a25d6108643f23981

SHA256
baa5f14c7e9337e7a92531abb46b965f52c84f4a8bc279729d4009b5cff0f7bf

SHA512
166f56eefefd63da030f08b598f24030b9b9ad026333d9d4fa887eb200a77b3cb1e63e9e6b6e670b41082f7091697bda73941c9a413312b296e971d9f88f43bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.txt
Filesize
4B

MD5
956e14e346041c95e1a9b01c5e19bf1b

SHA1
89b81b53762e17cb2ddffa387ac792aa05ee1a09

SHA256
cf133c37bd1ce40932e9dcd763aaf2579e384563db2dd1dbb9131ee8ad2413eb

SHA512
b26b6d2b5915a9a4f87641b3ef307e0083f838a4d908d17f742529e5f931ae05166882d7acbb4221a9b255bf3485597eeb14639b11d52358f2f1be391e47f12c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.txt
Filesize
4B

MD5
5d0a1532f5e8faa5b478743b87078219

SHA1
a68717f58b3ab5c1f4d32191c5a12b3d00519c35

SHA256
12344b6b0eb064c7867de552988d8bfbdcffd7e1b62f7e11994fac5f05b87fbd

SHA512
ba5ebccbb2ff9773b9ae9accaeb57f1c65d8dc539953109e41111cc73a57b54e8e83f3135242ac360b4ba0d6bb8d27fb04a897e16a658d5aeffbc60095ae80de

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.txt
Filesize
4B

MD5
010f56e4adaffc2676199bce99f7d16e

SHA1
f7351392f2a577499ef66fd56a6ba19d980beb8f

SHA256
a6defa5757ca2f413996549da59c1153196309b5ec992b167f675176effdf8de

SHA512
269186079ecde444cd309caabac755806ead7f14ebd2cec2a961f3f57defdac7c0fa59d478583f2b17f91b7356249d17e893e942343749d0160a68b228a1bec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.txt
Filesize
4B

MD5
1a5533b00fc1f8283fa6afd1e3cfd07c

SHA1
ff36f9c7bb6144cc0c590447336af6122b52afcf

SHA256
72166b7f3410eb776015cf06d82c3efbcedfc4925f7f46b22ed981a5026592bd

SHA512
efb9302a1ad6c959ffd5620cc0dff29633d653acebec77210a682edf219c2ea127d83d76bf3e9df315807aa098de30940a6f67d178d8d5b5ca68d95bc7868183

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.txt
Filesize
4B

MD5
d8671db2e4f8251016a9e585dbca1a35

SHA1
84942d5e75ae9188f27a40787dfb0fb8e75d5d9c

SHA256
a30ec2a2201a963441f1cd972c1b05b79ae92757c71d9de3e30e928768b6d492

SHA512
3b286f5311c557c31ec51242cab092ca31f755209d16bd19540f4939281915c7b77d55cb8b1387d05219ae4a453ce1f934dd69a9583931f2f52c4d92a1662011

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.txt
Filesize
4B

MD5
e36d0c5d0d353aa151705c6d295c6de0

SHA1
84e0d221bbe5d57871d5ad744c96856e23f87457

SHA256
5fe954c03dacf806508e6fa994f298ff4d380dc9fd0016f9484d9e3dc58a29a8

SHA512
77d4f33af48f1a2017398329792c382f39dcade26b65b3da704b6016a63eb100f9ae2969b2acab1d128122601e814dadc4dee4149b731aa232129167062e6e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.txt
Filesize
4B

MD5
281f148f81bef476e7094d0ce828256f

SHA1
4742ef3c57ea56af02dfa796de75af57d22e9e92

SHA256
3bff43d5bf74d297a0f4ca622d96368c0a745c15110a3fb885a0448e0c9973b6

SHA512
fcb11625c0d7c4b82b9df42023bdbf6a0dfa6542f3b9b99f4e517cf073b3c7b75bc3f759575da35231c3381a50958eaaf9fcf3f339f84a979d4bb814193db4ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.txt
Filesize
4B

MD5
5500c473490c2ccf4cee87e82c39b75a

SHA1
7b9a3061bb3e5c7d2116f223d5b0aa573500aba5

SHA256
8ae967d3c0cd0199d5e760a4b45c6ae6ff6b4de2970b4dd0f66ba3f5fab48cbd

SHA512
26c0081d24fada477ac374b613eca0d308f56500e05d3b91ddca59e3c18ef6d50160d0b6c5873c6d150bda0512524f1a0f18ca2bd73b42c1a7c6f8b7102d6050

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.txt
Filesize
4B

MD5
8f83c1d5787c25321fe739016bbce5c9

SHA1
eabe08353b35457ba71cb5d36061ea766b66a5db

SHA256
da78b63bff87c153fa97be9b90b0a50a48406626002a011a3c776d4d294c8aff

SHA512
adf62a9516b73a4f1684edf1fd1a56c2f47f28ce28c13cfafffee1802171aa157a6d8bd0f45f0905f836128ad51429c36455e8ccb6c40c8b36070aac235fc4c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.txt
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.txt
Filesize
4B

MD5
d23e541eaa31b3436ef6a60163441336

SHA1
a071d52deeb9b5bb210ae2c5a8c5d1eaa1539948

SHA256
9f72a147818f513b5d480673d733b5e837948124a35cd86be02d23276ab1f743

SHA512
1a92f7d448221a26b38359b1d4a9e529a5cbd538b1243435418f6acb33566d5c29d70657af8a46181a159d2f93530a93d0f825c4a390b121f8b28e5da2a5a695

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.txt
Filesize
4B

MD5
15c06b2fffc00e644df07d38249d8cb9

SHA1
8808b737f76246c54e6699d29edddeeb128bc981

SHA256
747c74f70653bc6360d1caa19fe7df8e750ae2463b396bffea68eb187966bc51

SHA512
461b645b577a58666a10386b0466500c1976f71b4430dc9ac1bc9b66feae34f39de8a9ec0ef6578355b64f85e9e18a295c4b63fb003e33826ef9dcf6a676eda6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.txt
Filesize
4B

MD5
69d2dc3d8a23efd0845b6aed5e05a843

SHA1
bf20721ee980a8b7b6986982ffd6be0d54738828

SHA256
637b248e164a47d1a39b9295640e0c7cca662fa21d6d66d04d4a4e90670b09d1

SHA512
ef68596627fef35a271910605caee2c75eeb2383ce10b0a6f6e544785a830cf09d45451f32b501abd220caa15c9b34c2bb6c11da7c1ad73bdb1b8c8a7a404bf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.txt
Filesize
4B

MD5
2a19696a236db0c3281972b3c324135c

SHA1
3887b1958102314e18c4c02b5bfb32e0ed540493

SHA256
b09057388fd520865b1502fe59c5ff20d51ca5b0a5b5e6bd862dc6a315a9b012

SHA512
51bbb97fa40472c0b7128a841cb133b60b8ec1c256390c864d10eaea1c17c3429b9eb89d18adcf951e5f90bfc2690bd4a8f46801e9931ef7692aa48c24698660

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.txt
Filesize
4B

MD5
64c4cea333ad1e5e5d19d3154f944995

SHA1
32f6d184c12d1a2bcf4f37bd5aacb8183575998f

SHA256
e6e381a6e5b2731580d144a5eeb25cb82ed10e8dc06785cee191ab0693118e7f

SHA512
9c7ed841bb0081999072538eee7ea6f292217af332f7908920fe3998052c5afc9d66a4cef35709e307a905ebf881084b7c81c1ccd18124eadaad8cb71fc056ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.txt
Filesize
4B

MD5
94b2eca6c560e145c4dfb3a7b68eb3b8

SHA1
c10935b870cdc1e23f799685879376929b301dc6

SHA256
0c7295d9931ef53a900d7349f40aa5483b5ddf8d20e37521ea4efd0b9cd1e030

SHA512
4df9e2f4a5e14870a394d6d76b904f31c3fcc1eedb52aace53d7594c2d3af4d5f263f8c9fa17fe8d35497540c27213ab5bb829e2a0bc59f0a9ab8cbd1cebe6d9

Download Submit
memory/2124-309-0x0000000010000000-0x0000000010055000-memory.dmp

Filesize
340KB

Download
memory/2124-38341-0x0000000010000000-0x0000000010055000-memory.dmp

Filesize
340KB

Download