loaderbot | ae250ad99101e7ab0de7cc7b6f163571f4774a6c7e1c89eaa5f23321728d6f7e

General

Target

ae250ad99101e7ab0de7cc7b6f163571f4774a6c7e1c89eaa5f23321728d6f7e.exe
Size

4.7MB
MD5

80e7f3b3141de3958293e950eb893c20
SHA1

a505d8e3e03030c163cb1287e02be2b7e46933aa
SHA256

ae250ad99101e7ab0de7cc7b6f163571f4774a6c7e1c89eaa5f23321728d6f7e
SHA512

bf2d5e31306830ae86eda1b1a99b655896e039893018d97af639342e247562f63675ce602c971fb796326eaaddd768e1fa95a028e01d60439b28bf2153a735ad

Score

10^/10

loaderbot loader miner persistence

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot

LoaderBot executable 1 IoCs

resource	yara_rule
behavioral1/memory/1860-54-0x0000000000D20000-0x00000000011D0000-memory.dmp	loaderbot

Executes dropped EXE 1 IoCs

pid	Process
1768	Driver.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	ae250ad99101e7ab0de7cc7b6f163571f4774a6c7e1c89eaa5f23321728d6f7e.exe

Loads dropped DLL 1 IoCs

pid	Process
1860	ae250ad99101e7ab0de7cc7b6f163571f4774a6c7e1c89eaa5f23321728d6f7e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\ae250ad99101e7ab0de7cc7b6f163571f4774a6c7e1c89eaa5f23321728d6f7e.exe"	ae250ad99101e7ab0de7cc7b6f163571f4774a6c7e1c89eaa5f23321728d6f7e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1860	ae250ad99101e7ab0de7cc7b6f163571f4774a6c7e1c89eaa5f23321728d6f7e.exe
1860	ae250ad99101e7ab0de7cc7b6f163571f4774a6c7e1c89eaa5f23321728d6f7e.exe
1860	ae250ad99101e7ab0de7cc7b6f163571f4774a6c7e1c89eaa5f23321728d6f7e.exe
1860	ae250ad99101e7ab0de7cc7b6f163571f4774a6c7e1c89eaa5f23321728d6f7e.exe
1860	ae250ad99101e7ab0de7cc7b6f163571f4774a6c7e1c89eaa5f23321728d6f7e.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1860	ae250ad99101e7ab0de7cc7b6f163571f4774a6c7e1c89eaa5f23321728d6f7e.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1860	ae250ad99101e7ab0de7cc7b6f163571f4774a6c7e1c89eaa5f23321728d6f7e.exe
Token: SeLockMemoryPrivilege	1768	Driver.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 1768	1860	ae250ad99101e7ab0de7cc7b6f163571f4774a6c7e1c89eaa5f23321728d6f7e.exe	30
PID 1860 wrote to memory of 1768	1860	ae250ad99101e7ab0de7cc7b6f163571f4774a6c7e1c89eaa5f23321728d6f7e.exe	30
PID 1860 wrote to memory of 1768	1860	ae250ad99101e7ab0de7cc7b6f163571f4774a6c7e1c89eaa5f23321728d6f7e.exe	30
PID 1860 wrote to memory of 1768	1860	ae250ad99101e7ab0de7cc7b6f163571f4774a6c7e1c89eaa5f23321728d6f7e.exe	30

C:\Users\Admin\AppData\Local\Temp\ae250ad99101e7ab0de7cc7b6f163571f4774a6c7e1c89eaa5f23321728d6f7e.exe
"C:\Users\Admin\AppData\Local\Temp\ae250ad99101e7ab0de7cc7b6f163571f4774a6c7e1c89eaa5f23321728d6f7e.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o 194.87.238.198:77 -u -p x -k -v=0 --donate-level=1 -t 1
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
11KB

MD5
e212da165986f3024ad197f22298d285

SHA1
ae6d5abaa436ef291c79e92636bd838e377fb6ab

SHA256
eb65f40e5f5a170d4d71d3d7d3902ca1394be998aca727c3132ff04e55f74875

SHA512
44bd50b05ccf4c1f6299d33e8ee090b692e0ad9121f1c368479d758b60049d1b724026cab67f16701609c8eec40d47aa901dcb805ae9e5f10914cc5229654d2e

Download Submit
\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
553B

MD5
8585faae8353895ee48423830d1aa9f2

SHA1
58927406c57de198a2371d30b00c91ef6c7e4c55

SHA256
b23ef1dd200e970050306660027e2536445bef9294e2774ced0f998e5a9fde35

SHA512
50bf4b5b7e467a988522c93610c7c465e822ef5246447d03d0c75fe2ce420360ed750ae52e236c6c39a5d2e695018fee18ea1c5988f69f2994149c3f04b19b0b

Download Submit
memory/1768-59-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/1860-54-0x0000000000D20000-0x00000000011D0000-memory.dmp

Filesize
4.7MB

Download
memory/1860-55-0x0000000076851000-0x0000000076853000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing