General
-
Target
3366f49e175b09b95671d5330059d4908c9bf4ea33b065a82140f2d6fac3e7d3
-
Size
2.1MB
-
Sample
220620-cz473abfdm
-
MD5
278397c0f6f7c7a08e4c4b05d62172ac
-
SHA1
af6b16d7611719cb56e6b77739a1b088dfb3e0e2
-
SHA256
3366f49e175b09b95671d5330059d4908c9bf4ea33b065a82140f2d6fac3e7d3
-
SHA512
b5f474e4cc190d09e59445a5ff8cb15f67d29027010d061b94f1d3287edfc201e3aa4243c78c9372e457e939d5065aafe1394b97ac065d0c5e6615cffb7f1fd6
-
SSDEEP
49152:nXWwcGf1oYidX/6V2sIvWh22Wy2+lq7ef6bgzqNNnUexrW:XWzGttDyC3qgMNUeU
Malware Config
Extracted
loaderbot
http://hostss2.mcdir.ru/cmd.php
Targets
-
-
Target
3366f49e175b09b95671d5330059d4908c9bf4ea33b065a82140f2d6fac3e7d3
-
Size
2.1MB
-
MD5
278397c0f6f7c7a08e4c4b05d62172ac
-
SHA1
af6b16d7611719cb56e6b77739a1b088dfb3e0e2
-
SHA256
3366f49e175b09b95671d5330059d4908c9bf4ea33b065a82140f2d6fac3e7d3
-
SHA512
b5f474e4cc190d09e59445a5ff8cb15f67d29027010d061b94f1d3287edfc201e3aa4243c78c9372e457e939d5065aafe1394b97ac065d0c5e6615cffb7f1fd6
-
SSDEEP
49152:nXWwcGf1oYidX/6V2sIvWh22Wy2+lq7ef6bgzqNNnUexrW:XWzGttDyC3qgMNUeU
Score10/10-
LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
LoaderBot executable
-
XMRig Miner payload
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Cryptocurrency Miner
Makes network request to known mining pool URL.
-
Drops startup file
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-