loaderbot | 3366f49e175b09b95671d5330059d4908c9bf4ea33b065a82140f2d6fac3e7d3

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-06-2022 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3366f49e175b09b95671d5330059d4908c9bf4ea33b065a82140f2d6fac3e7d3.exe
Size

2.1MB
MD5

278397c0f6f7c7a08e4c4b05d62172ac
SHA1

af6b16d7611719cb56e6b77739a1b088dfb3e0e2
SHA256

3366f49e175b09b95671d5330059d4908c9bf4ea33b065a82140f2d6fac3e7d3
SHA512

b5f474e4cc190d09e59445a5ff8cb15f67d29027010d061b94f1d3287edfc201e3aa4243c78c9372e457e939d5065aafe1394b97ac065d0c5e6615cffb7f1fd6
SSDEEP

49152:nXWwcGf1oYidX/6V2sIvWh22Wy2+lq7ef6bgzqNNnUexrW:XWzGttDyC3qgMNUeU

Score

10^/10

loaderbot xmrig loader miner persistence spyware stealer

Malware Config

Extracted

Family

loaderbot

http://hostss2.mcdir.ru/cmd.php

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

LoaderBot executable 3 IoCs

resource	yara_rule
behavioral2/files/0x0003000000000721-137.dat	loaderbot
behavioral2/files/0x0003000000000721-138.dat	loaderbot
behavioral2/memory/4088-139-0x0000000000730000-0x0000000000AC2000-memory.dmp	loaderbot

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/memory/2808-147-0x0000000140000000-0x00000001404AB000-memory.dmp	xmrig
behavioral2/memory/2808-149-0x0000000140000000-0x00000001404AB000-memory.dmp	xmrig

Executes dropped EXE 4 IoCs

pid	Process
4732	fdfbvd.exe
4500	dvadv.exe
4088	rwgg.exe
2808	Driver.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	rwgg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	fdfbvd.exe

Cryptocurrency Miner
Makes network request to known mining pool URL.
miner

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	rwgg.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\rwgg.exe"	rwgg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe
4088	rwgg.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4088	rwgg.exe
Token: SeLockMemoryPrivilege	2808	Driver.exe
Token: SeLockMemoryPrivilege	2808	Driver.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 4732	4248	3366f49e175b09b95671d5330059d4908c9bf4ea33b065a82140f2d6fac3e7d3.exe	80
PID 4248 wrote to memory of 4732	4248	3366f49e175b09b95671d5330059d4908c9bf4ea33b065a82140f2d6fac3e7d3.exe	80
PID 4248 wrote to memory of 4732	4248	3366f49e175b09b95671d5330059d4908c9bf4ea33b065a82140f2d6fac3e7d3.exe	80
PID 4732 wrote to memory of 4500	4732	fdfbvd.exe	81
PID 4732 wrote to memory of 4500	4732	fdfbvd.exe	81
PID 4732 wrote to memory of 4500	4732	fdfbvd.exe	81
PID 4732 wrote to memory of 4088	4732	fdfbvd.exe	83
PID 4732 wrote to memory of 4088	4732	fdfbvd.exe	83
PID 4732 wrote to memory of 4088	4732	fdfbvd.exe	83
PID 4088 wrote to memory of 2808	4088	rwgg.exe	84
PID 4088 wrote to memory of 2808	4088	rwgg.exe	84

C:\Users\Admin\AppData\Local\Temp\3366f49e175b09b95671d5330059d4908c9bf4ea33b065a82140f2d6fac3e7d3.exe
"C:\Users\Admin\AppData\Local\Temp\3366f49e175b09b95671d5330059d4908c9bf4ea33b065a82140f2d6fac3e7d3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Users\Admin\AppData\Roaming\fdfbvd.exe
  "C:\Users\Admin\AppData\Roaming\fdfbvd.exe" -s -ptdgndgmsratgg4hfsghsrfH
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4732
- - C:\Users\Admin\AppData\Roaming\dvadv.exe
    "C:\Users\Admin\AppData\Roaming\dvadv.exe"
    3⤵
    - Executes dropped EXE
    PID:4500
- - C:\Users\Admin\AppData\Roaming\rwgg.exe
    "C:\Users\Admin\AppData\Roaming\rwgg.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.5MB

MD5
cf36d20a96903fb4d0e92eb4fe873ab8

SHA1
c789a22bd215bfc2a698fda1295f295745f34d35

SHA256
d38ee5052fa13de8b3db050fe84fb89e7946446e2cd5b826fbd31792e406aae2

SHA512
d117cecf9ef9d1f2aab1bd80f6947872c8cc8e18a36ce41f1cb25b1fac008e9c5fae7f0f0093f78835b3967582f7556fd626fd8c8c1fa32d41359ef0206e9535

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.5MB

MD5
cf36d20a96903fb4d0e92eb4fe873ab8

SHA1
c789a22bd215bfc2a698fda1295f295745f34d35

SHA256
d38ee5052fa13de8b3db050fe84fb89e7946446e2cd5b826fbd31792e406aae2

SHA512
d117cecf9ef9d1f2aab1bd80f6947872c8cc8e18a36ce41f1cb25b1fac008e9c5fae7f0f0093f78835b3967582f7556fd626fd8c8c1fa32d41359ef0206e9535

Download Submit
C:\Users\Admin\AppData\Roaming\dvadv.exe

Filesize
683KB

MD5
ec3af822ed261d9e25178241baa23a05

SHA1
804a38c857adba12a7a1aa91b2775e42aa233093

SHA256
bb26ba55307a182aba6dd4f26c58e3062f94b76d0c3421e7971dfe40b9aa3bf5

SHA512
5168a741965a1df71fafb2eeb3133a93a76c7b5c69df5b15087655e3198976bf3856b88c12e80a57148158d2ce4c33e46e94653b9beb676dc166228a32b53275

Download Submit
C:\Users\Admin\AppData\Roaming\dvadv.exe

Filesize
683KB

MD5
ec3af822ed261d9e25178241baa23a05

SHA1
804a38c857adba12a7a1aa91b2775e42aa233093

SHA256
bb26ba55307a182aba6dd4f26c58e3062f94b76d0c3421e7971dfe40b9aa3bf5

SHA512
5168a741965a1df71fafb2eeb3133a93a76c7b5c69df5b15087655e3198976bf3856b88c12e80a57148158d2ce4c33e46e94653b9beb676dc166228a32b53275

Download Submit
C:\Users\Admin\AppData\Roaming\fdfbvd.exe

Filesize
2.2MB

MD5
713d6524f6296b5553b4cc3a1a14d1a4

SHA1
38d97ec34ac85a4ee7c95277086c7193247183bc

SHA256
13f0e46f272ad48594f84bbafa3ac874bc4b3fc536cb7dfeb4933cc371eab66b

SHA512
39b3aa579d9b381e22784869e2c2b6024300e902766ea329c5b2f7fceb6e85f597b1461feb9a5790fb5389fc58d37202ac40427ef24f94735d6dd18afe5d2c15

Download Submit
C:\Users\Admin\AppData\Roaming\fdfbvd.exe

Filesize
2.2MB

MD5
713d6524f6296b5553b4cc3a1a14d1a4

SHA1
38d97ec34ac85a4ee7c95277086c7193247183bc

SHA256
13f0e46f272ad48594f84bbafa3ac874bc4b3fc536cb7dfeb4933cc371eab66b

SHA512
39b3aa579d9b381e22784869e2c2b6024300e902766ea329c5b2f7fceb6e85f597b1461feb9a5790fb5389fc58d37202ac40427ef24f94735d6dd18afe5d2c15

Download Submit
C:\Users\Admin\AppData\Roaming\rwgg.exe

Filesize
3.6MB

MD5
6c6d292ce85efd86fb8afd12f817194f

SHA1
1c3ee06d8a9816ac4483a95e7ddea6de0d3fc60a

SHA256
aa3b34e3d5b0303e6bd4c51fbda4588eca08e9c7173c4201eba0b52188a3175c

SHA512
81717a1abe785faef74d9f9e03c16448ec5009f62e58a375ec403948f0decf8827754d4b144ce797d27b65c43fe652f0ad114de427db7650bdcae78ab6a596b5

Download Submit
C:\Users\Admin\AppData\Roaming\rwgg.exe

Filesize
3.6MB

MD5
6c6d292ce85efd86fb8afd12f817194f

SHA1
1c3ee06d8a9816ac4483a95e7ddea6de0d3fc60a

SHA256
aa3b34e3d5b0303e6bd4c51fbda4588eca08e9c7173c4201eba0b52188a3175c

SHA512
81717a1abe785faef74d9f9e03c16448ec5009f62e58a375ec403948f0decf8827754d4b144ce797d27b65c43fe652f0ad114de427db7650bdcae78ab6a596b5

Download Submit
memory/2808-146-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download
memory/2808-147-0x0000000140000000-0x00000001404AB000-memory.dmp

Filesize
4.7MB

Download
memory/2808-148-0x0000000000000000-0x0000000000200000-memory.dmp

Filesize
2.0MB

Download
memory/2808-149-0x0000000140000000-0x00000001404AB000-memory.dmp

Filesize
4.7MB

Download
memory/2808-150-0x0000000000000000-0x0000000000200000-memory.dmp

Filesize
2.0MB

Download
memory/4088-139-0x0000000000730000-0x0000000000AC2000-memory.dmp

Filesize
3.6MB

Download
memory/4088-142-0x0000000005600000-0x0000000005666000-memory.dmp

Filesize
408KB

Download
memory/4500-140-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4500-141-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download