loaderbot | 1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7

General

Target

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe
Size

16KB
MD5

b62ad5096a4d3d518728bd35daf2eaf0
SHA1

4f8fceb017f26cecdc109563b41f8118c64db7dd
SHA256

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7
SHA512

e4eaa6726d6f34364e206d991a6e7c730e4301c6e1de2d58523ca5819f598a92c64f39fa54b2a0afd6684288c640356722a412433ad912ae944a1002f732bec5
SSDEEP

384:yKBvkPHxH19GTXjdh5luujYcV6AUwJFZb:yYeRV9AhzfYcV6Dw9b

Score

10^/10

loaderbot loader miner persistence

Malware Config

Extracted

Family

loaderbot

C2

http://user79913.7ci.ru/cmd.php

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot

LoaderBot executable 1 IoCs

resource	yara_rule
behavioral2/memory/3648-130-0x0000000000AC0000-0x0000000000ACA000-memory.dmp	loaderbot

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Webhost.url	1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Webhost = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe"	1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Webhost = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe"	1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2424	schtasks.exe
4480	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3648	1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe
4428	1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3648	1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3648	1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe
Token: SeDebugPrivilege	4428	1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3648 wrote to memory of 3376	3648	1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe	77
PID 3648 wrote to memory of 3376	3648	1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe	77
PID 3648 wrote to memory of 3376	3648	1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe	77
PID 3376 wrote to memory of 2424	3376	cmd.exe	79
PID 3376 wrote to memory of 2424	3376	cmd.exe	79
PID 3376 wrote to memory of 2424	3376	cmd.exe	79
PID 4428 wrote to memory of 1944	4428	1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe	86
PID 4428 wrote to memory of 1944	4428	1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe	86
PID 4428 wrote to memory of 1944	4428	1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe	86
PID 1944 wrote to memory of 4480	1944	cmd.exe	88
PID 1944 wrote to memory of 4480	1944	cmd.exe	88
PID 1944 wrote to memory of 4480	1944	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe
"C:\Users\Admin\AppData\Local\Temp\1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /C schtasks /create /tn \System\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn \System\SecurityServiceUpdate /tr C:\Users\Admin\AppData\Roaming\Windows\1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
    3⤵
    - Creates scheduled task(s)
    PID:2424

C:\Users\Admin\AppData\Roaming\Windows\1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe
C:\Users\Admin\AppData\Roaming\Windows\1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /C schtasks /create /tn \System\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn \System\SecurityServiceUpdate /tr C:\Users\Admin\AppData\Roaming\Windows\1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
    3⤵
    - Creates scheduled task(s)
    PID:4480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3648-130-0x0000000000AC0000-0x0000000000ACA000-memory.dmp

Filesize
40KB

Download
memory/3648-133-0x00000000056C0000-0x0000000005726000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads