Extracted

• • Target

    24.exe

  • Size

    7.0MB

  • MD5

    ae6510d9815c44a818f722ecae6844b8

  • SHA1

    2a34b5110f5c3c2424ae9685f57261e2546bd963

  • SHA256

    c3cad582268b165711e2f2b1834891c7bcb5e57a7efb1e709e3df19d011ad656

  • SHA512

    8caa9e661403d5d86f69e7c35e45cdf927ef9ec0c6045ed2ca5af2eaaf26b4f99291eadaf2f0c8c00a31b05b228c6df0c4bd205a7b3ec70e263313a08ffef4f8

  Score

  10^/10

  loaderbotraccoonloaderminerpersistencestealer

  • LoaderBot

    LoaderBot is a loader written in .NET downloading and executing miners.

    loaderminerloaderbot

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • LoaderBot executable

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2