zloader | df1005f62c74e1f8272eae5073eb0dbffa5fefcb39ce1c78a40ca33b3b888c0d

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/03/2025, 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00272dd639402fa76db43207d074fe52d4849e5d46008f786b944a789b09afc2.dll
Size

246KB
MD5

061057161259e3df7d12dccb363e56f9
SHA1

1292e9b2ee9d566fe5b475835cc39dafbbb658ba
SHA256

00272dd639402fa76db43207d074fe52d4849e5d46008f786b944a789b09afc2
SHA512

b623b5f1142c560b9f9bc3689a2b53a3acacc93d443a1c2590433d6dc2975e2959243f1b5744720983fbbaa166f25b563b988025f7c4e3e6bf9ff6b720ba11c9
SSDEEP

6144:K/WlwYMhq0n6qsXUl8KdsbiLeb5Jx5cf:KfVJzsXUl81biCbnc

Score

10^/10

zloader main 2020-07-02 botnet discovery trojan

Malware Config

Extracted

Family

zloader

Botnet

main

Campaign

2020-07-02

https://fopiese.com/web/data

https://dinctov.com/web/data

https://ennaser.com/web/data

https://hyatart.com/web/data

https://bladilk.com/web/data

https://giridly.com/web/data

https://pleclep.com/web/data

https://phanleb.com/web/data

Attributes

build_id
21

rc4.plain

rsa_pubkey.plain

Signatures

Zloader family
zloader
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Program crash 1 IoCs

pid	pid_target	Process
2652	3036	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 3036	3040	regsvr32.exe	30
PID 3040 wrote to memory of 3036	3040	regsvr32.exe	30
PID 3040 wrote to memory of 3036	3040	regsvr32.exe	30
PID 3040 wrote to memory of 3036	3040	regsvr32.exe	30
PID 3040 wrote to memory of 3036	3040	regsvr32.exe	30
PID 3040 wrote to memory of 3036	3040	regsvr32.exe	30
PID 3040 wrote to memory of 3036	3040	regsvr32.exe	30
PID 3036 wrote to memory of 2652	3036	regsvr32.exe	31
PID 3036 wrote to memory of 2652	3036	regsvr32.exe	31
PID 3036 wrote to memory of 2652	3036	regsvr32.exe	31
PID 3036 wrote to memory of 2652	3036	regsvr32.exe	31

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\00272dd639402fa76db43207d074fe52d4849e5d46008f786b944a789b09afc2.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\00272dd639402fa76db43207d074fe52d4849e5d46008f786b944a789b09afc2.dll
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 540
    3⤵
    - Program crash
    PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3036-1-0x00000000001B1000-0x00000000001B7000-memory.dmp

Filesize
24KB

Download
memory/3036-0-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download
memory/3036-2-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download