Extracted

• • Target

    965fc8f88c6d882fa84b71bc8fccc686d1ce3ffe04e8b23b00547d3b312d6a53

  • Size

    349KB

  • MD5

    6b2c9ed8c027162803183a52440bd614

  • SHA1

    f2040ead4afed6bca3e82ba771cf541bc459f1b9

  • SHA256

    965fc8f88c6d882fa84b71bc8fccc686d1ce3ffe04e8b23b00547d3b312d6a53

  • SHA512

    9e7477ebf5648d389e9a583c5bd88fcfc35fa0e5beb4612ce2dd842c7605fd48ec044d80bdc27b5cd6d63b5f4654ce5253579758173e0a37faaa558b72b736ff

  Score

  10^/10

  loaderbotraccoonagilenetloaderminerpersistencestealerupx

  • LoaderBot

    LoaderBot is a loader written in .NET downloading and executing miners.

    loaderminerloaderbot

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • LoaderBot executable

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Drops startup file

  • Obfuscated with Agile.Net obfuscator

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1