loaderbot

General

Target

ab11c319b441dfa9d17ee4a581001efe770fe2ef975ed993af6966df842f087c
Size

369KB
Sample

220105-r4ycmsadg6
MD5

4474e6fdd0c681c2b133e850626a4cbf
SHA1

943216049e46b9725e33d9268c0f733b1a6c9f9b
SHA256

ab11c319b441dfa9d17ee4a581001efe770fe2ef975ed993af6966df842f087c
SHA512

6a4f7204d53c13091cbc2eedecc48688047b360fd00686a403f51032120544a51a5494d5541f450d5c9e392b6f0419ce27676fb4f9fb13d3b1aaae752214e51a

Score

10^/10

Malware Config

Targets

- Target
  
  ab11c319b441dfa9d17ee4a581001efe770fe2ef975ed993af6966df842f087c
- Size
  
  369KB
- MD5
  
  4474e6fdd0c681c2b133e850626a4cbf
- SHA1
  
  943216049e46b9725e33d9268c0f733b1a6c9f9b
- SHA256
  
  ab11c319b441dfa9d17ee4a581001efe770fe2ef975ed993af6966df842f087c
- SHA512
  
  6a4f7204d53c13091cbc2eedecc48688047b360fd00686a403f51032120544a51a5494d5541f450d5c9e392b6f0419ce27676fb4f9fb13d3b1aaae752214e51a
Score

10^/10

loaderbot evasion loader miner persistence spyware trojan upx vmprotect
- LoaderBot
  LoaderBot is a loader written in .NET downloading and executing miners.
  loader miner loaderbot
- Suspicious use of NtCreateProcessExOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- LoaderBot executable
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1