loaderbot | fd76e8e1f0c3261b50f20fa921b782df82544255d34bc9e21f0bb8beaf31bc12

Analysis

max time kernel
151s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
09/04/2022, 23:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

11.1MB
MD5

a1188df640d34bda4872725259e7745e
SHA1

4a87bacdf63c6dc8dbef467bc735d3165b9051fe
SHA256

fd76e8e1f0c3261b50f20fa921b782df82544255d34bc9e21f0bb8beaf31bc12
SHA512

353ef676f8743249b9b2923ac9d9f31e6fb6173b9f2c2487e4215bc68c085582998d3c36d736f3b4575799e097f4fc8fc568ac1399bcd49e62fd2ebf1d753f22

Score

10^/10

loaderbot loader miner persistence spyware stealer

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot

LoaderBot executable 3 IoCs

resource	yara_rule
behavioral2/files/0x0003000000000729-133.dat	loaderbot
behavioral2/files/0x0003000000000729-135.dat	loaderbot
behavioral2/memory/2448-138-0x00000000004C0000-0x00000000008BE000-memory.dmp	loaderbot

Executes dropped EXE 5 IoCs

pid	Process
2448	as.exe
2684	gt.exe
4088	gt.exe
2428	Driver.exe
1964	Driver.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	as.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	as.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\as.exe"	as.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	checkip.dyndns.org
14	ipinfo.io

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2684 set thread context of 4088	2684	gt.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2232	2428	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4088	gt.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe
2448	as.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
652	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2448	as.exe
Token: SeDebugPrivilege	2684	gt.exe
Token: SeDebugPrivilege	4088	gt.exe
Token: SeLockMemoryPrivilege	1964	Driver.exe
Token: SeLockMemoryPrivilege	1964	Driver.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 2448	1824	tmp.exe	80
PID 1824 wrote to memory of 2448	1824	tmp.exe	80
PID 1824 wrote to memory of 2448	1824	tmp.exe	80
PID 1824 wrote to memory of 2684	1824	tmp.exe	81
PID 1824 wrote to memory of 2684	1824	tmp.exe	81
PID 1824 wrote to memory of 2684	1824	tmp.exe	81
PID 2684 wrote to memory of 4088	2684	gt.exe	82
PID 2684 wrote to memory of 4088	2684	gt.exe	82
PID 2684 wrote to memory of 4088	2684	gt.exe	82
PID 2684 wrote to memory of 4088	2684	gt.exe	82
PID 2684 wrote to memory of 4088	2684	gt.exe	82
PID 2684 wrote to memory of 4088	2684	gt.exe	82
PID 2684 wrote to memory of 4088	2684	gt.exe	82
PID 2684 wrote to memory of 4088	2684	gt.exe	82
PID 2448 wrote to memory of 2428	2448	as.exe	88
PID 2448 wrote to memory of 2428	2448	as.exe	88
PID 2448 wrote to memory of 1964	2448	as.exe	94
PID 2448 wrote to memory of 1964	2448	as.exe	94

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Users\Admin\AppData\Local\Temp\as.exe
  "C:\Users\Admin\AppData\Local\Temp\as.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48ax6vE2SYvUs59pV9CYJs4bYdwXvxbjU65nvtqwzdboiDadwbF9yqwX8oEybKU9X44fkfVqpKBdpQnTaXpmhprCDZx5H1W -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    PID:2428
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2428 -s 364
      4⤵
      Program crash
      PID:2232
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 48ax6vE2SYvUs59pV9CYJs4bYdwXvxbjU65nvtqwzdboiDadwbF9yqwX8oEybKU9X44fkfVqpKBdpQnTaXpmhprCDZx5H1W -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1964
- C:\Users\Admin\AppData\Local\Temp\gt.exe
  "C:\Users\Admin\AppData\Local\Temp\gt.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\gt.exe
    "C:\Users\Admin\AppData\Local\Temp\gt.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4088

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 2428 -ip 2428
1⤵
PID:3880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gt.exe.log

Filesize
617B

MD5
806dff23883c0aa6dcb04133b1380075

SHA1
ab9c711b18ac9edbd41966b3495f837746dbc146

SHA256
b58a668ac53e656011a581a7c1ce3d763b8120487f3017a5881298a588a34e17

SHA512
42ff1897d652e4bf0467e402a9386501810db93d1e18824bb61ec231d50ae9dabed04043cd60996cd508fd3e495825bb02acb5d7619e20773f9bdc5c453017b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\as.exe

Filesize
4.0MB

MD5
25ba543a5de3d8ff24bb1e9440edb291

SHA1
e63c43041bbc083737c54cb5fe19ae485a10da7c

SHA256
c897412685fc749cbee70ae76176a100ce988b9cd46685d998daf88b96a02e9d

SHA512
545b35c9acd9169242cf5c515461e7a8629fde7d94a91d4602922f1f9e0693adbfef900dafb9cd0f6859c06a5bf7dd56a4d2c1fb86a4b16a65066a932c56f11f

Download Submit
C:\Users\Admin\AppData\Local\Temp\as.exe

Filesize
4.0MB

MD5
25ba543a5de3d8ff24bb1e9440edb291

SHA1
e63c43041bbc083737c54cb5fe19ae485a10da7c

SHA256
c897412685fc749cbee70ae76176a100ce988b9cd46685d998daf88b96a02e9d

SHA512
545b35c9acd9169242cf5c515461e7a8629fde7d94a91d4602922f1f9e0693adbfef900dafb9cd0f6859c06a5bf7dd56a4d2c1fb86a4b16a65066a932c56f11f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gt.exe

Filesize
3.4MB

MD5
912863f5fd0aeb2527ca5aae0b671ed3

SHA1
97f1229dffb43b253cbc7a8e82c58f39f1e11e42

SHA256
cf1fe0eadc268d2ee8ff4d23752d957f914c56d825101be6c2f497a049e12636

SHA512
6eeae31b231bef9ff904b3e6b7983fa6a1ac3441e286ca4cdcc5e7fe8927a248f2ec92cf0c4a5597ba286687565983d055d8601a3ae50cad4a518060425c9ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\gt.exe

Filesize
3.4MB

MD5
912863f5fd0aeb2527ca5aae0b671ed3

SHA1
97f1229dffb43b253cbc7a8e82c58f39f1e11e42

SHA256
cf1fe0eadc268d2ee8ff4d23752d957f914c56d825101be6c2f497a049e12636

SHA512
6eeae31b231bef9ff904b3e6b7983fa6a1ac3441e286ca4cdcc5e7fe8927a248f2ec92cf0c4a5597ba286687565983d055d8601a3ae50cad4a518060425c9ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\gt.exe

Filesize
3.4MB

MD5
912863f5fd0aeb2527ca5aae0b671ed3

SHA1
97f1229dffb43b253cbc7a8e82c58f39f1e11e42

SHA256
cf1fe0eadc268d2ee8ff4d23752d957f914c56d825101be6c2f497a049e12636

SHA512
6eeae31b231bef9ff904b3e6b7983fa6a1ac3441e286ca4cdcc5e7fe8927a248f2ec92cf0c4a5597ba286687565983d055d8601a3ae50cad4a518060425c9ddb

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
memory/1824-131-0x00007FFF38300000-0x00007FFF38DC1000-memory.dmp

Filesize
10.8MB

Download
memory/1824-130-0x0000000000480000-0x0000000000FA8000-memory.dmp

Filesize
11.2MB

Download
memory/1964-157-0x0000000012DF0000-0x0000000012E10000-memory.dmp

Filesize
128KB

Download
memory/1964-156-0x00000000128B0000-0x00000000128D0000-memory.dmp

Filesize
128KB

Download
memory/2428-152-0x00000000001D0000-0x00000000001E4000-memory.dmp

Filesize
80KB

Download
memory/2448-138-0x00000000004C0000-0x00000000008BE000-memory.dmp

Filesize
4.0MB

Download
memory/2684-140-0x0000000009F70000-0x000000000A514000-memory.dmp

Filesize
5.6MB

Download
memory/2684-141-0x00000000056E0000-0x000000000577C000-memory.dmp

Filesize
624KB

Download
memory/2684-139-0x0000000000870000-0x0000000000BE8000-memory.dmp

Filesize
3.5MB

Download
memory/4088-143-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/4088-148-0x0000000006290000-0x00000000062F6000-memory.dmp

Filesize
408KB

Download
memory/4088-147-0x0000000005DE0000-0x0000000005E30000-memory.dmp

Filesize
320KB

Download
memory/4088-146-0x00000000060B0000-0x0000000006142000-memory.dmp

Filesize
584KB

Download