loaderbot | f04b77c60c896b33ed8fe286de3341fc3ffd0211a987435475dc7e9d0abcb0cc | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10_x64

Sharing

General

Target

f04b77c60c896b33ed8fe286de3341fc3ffd0211a987435475dc7e9d0abcb0cc
Size

346KB
Sample

220113-19tfbacha2
MD5

df7952a5fc82dfb2e49ae81b6a1be135
SHA1

4f3a8cd939fbe37426efda7c88fbd2e49d8f8986
SHA256

f04b77c60c896b33ed8fe286de3341fc3ffd0211a987435475dc7e9d0abcb0cc
SHA512

96a495e5d30e66a236c0aea19daedf95b31f254e457647b6553f2d6cae117f0a6da2468550333fbae3ffa94d0960e2459d2259d3b4c2598efe49fc03e6c36f1a

Score

10^/10

loaderbot raccoon agilenet loader miner persistence stealer upx

Static task

static1

Behavioral task

behavioral1

Sample

f04b77c60c896b33ed8fe286de3341fc3ffd0211a987435475dc7e9d0abcb0cc.exe

Resource

win10-en-20211208

loaderbot raccoon agilenet loader miner persistence stealer upx

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

raccoon

Version

1.8.4-hotfixs

rc4.plain

Targets

- Target
  
  f04b77c60c896b33ed8fe286de3341fc3ffd0211a987435475dc7e9d0abcb0cc
- Size
  
  346KB
- MD5
  
  df7952a5fc82dfb2e49ae81b6a1be135
- SHA1
  
  4f3a8cd939fbe37426efda7c88fbd2e49d8f8986
- SHA256
  
  f04b77c60c896b33ed8fe286de3341fc3ffd0211a987435475dc7e9d0abcb0cc
- SHA512
  
  96a495e5d30e66a236c0aea19daedf95b31f254e457647b6553f2d6cae117f0a6da2468550333fbae3ffa94d0960e2459d2259d3b4c2598efe49fc03e6c36f1a
Score

10^/10

loaderbot raccoon agilenet loader miner persistence stealer upx
- LoaderBot
  LoaderBot is a loader written in .NET downloading and executing miners.
  loader miner loaderbot
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- Suspicious use of NtCreateProcessExOtherParentProcess
- LoaderBot executable
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops startup file
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

loaderbotraccoonagilenetloaderminerpersistencestealerupx

© 2018-2024

Terms | Privacy