Malware Analysis Report

2024-10-18 23:17

Sample ID: 220801-txem3achf7
Target: 5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba
SHA256: 5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba
Tags: loaderbot loader miner persistence
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba

Threat Level: Known bad

The file 5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba was found to be: Known bad.

Malicious Activity Summary

loaderbot loader miner persistence

LoaderBot

LoaderBot executable

Loaderbot family

LoaderBot executable

Drops startup file

Adds Run key to start application

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-08-01 16:25

Signatures

LoaderBot executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loaderbot family

loaderbot

Analysis: behavioral2

Detonation Overview

Submitted: 2022-08-01 16:25
Reported: 2022-08-01 16:35
Platform: win10v2004-20220721-en
Max time kernel: 153s
Max time network: 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe"

Signatures

LoaderBot

loader miner loaderbot

LoaderBot executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Webhost.url | C:\Users\Admin\AppData\Local\Temp\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Webhost = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe" | C:\Users\Admin\AppData\Local\Temp\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Webhost = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe" | C:\Users\Admin\AppData\Roaming\Windows\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5104 wrote to memory of 4712 | N/A | C:\Users\Admin\AppData\Local\Temp\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe | C:\Windows\SysWOW64\cmd.exe
PID 5104 wrote to memory of 4712 | N/A | C:\Users\Admin\AppData\Local\Temp\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe | C:\Windows\SysWOW64\cmd.exe
PID 5104 wrote to memory of 4712 | N/A | C:\Users\Admin\AppData\Local\Temp\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe | C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 888 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4712 wrote to memory of 888 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4712 wrote to memory of 888 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4556 wrote to memory of 4568 | N/A | C:\Users\Admin\AppData\Roaming\Windows\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe | C:\Windows\SysWOW64\cmd.exe
PID 4556 wrote to memory of 4568 | N/A | C:\Users\Admin\AppData\Roaming\Windows\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe | C:\Windows\SysWOW64\cmd.exe
PID 4556 wrote to memory of 4568 | N/A | C:\Users\Admin\AppData\Roaming\Windows\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe | C:\Windows\SysWOW64\cmd.exe
PID 4568 wrote to memory of 3272 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4568 wrote to memory of 3272 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4568 wrote to memory of 3272 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe

"C:\Users\Admin\AppData\Local\Temp\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /C schtasks /create /tn \System\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn \System\SecurityServiceUpdate /tr C:\Users\Admin\AppData\Roaming\Windows\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f

C:\Users\Admin\AppData\Roaming\Windows\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe

C:\Users\Admin\AppData\Roaming\Windows\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe

C:\Windows\SysWOW64\cmd.exe

"cmd" /C schtasks /create /tn \System\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn \System\SecurityServiceUpdate /tr C:\Users\Admin\AppData\Roaming\Windows\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | iplogger.com | udp
DE | 148.251.234.93:443 | iplogger.com | tcp
US | 13.107.22.200:443 | | tcp
US | 93.184.221.240:80 | | tcp
NL | 13.69.116.104:443 | | tcp
US | 93.184.221.240:80 | | tcp
US | 93.184.221.240:80 | | tcp
US | 93.184.221.240:80 | | tcp

Files

memory/5104-130-0x0000000000AC0000-0x0000000000ACA000-memory.dmp

memory/4712-131-0x0000000000000000-mapping.dmp

memory/888-132-0x0000000000000000-mapping.dmp

memory/5104-133-0x00000000056D0000-0x0000000005736000-memory.dmp

memory/4568-134-0x0000000000000000-mapping.dmp

memory/3272-135-0x0000000000000000-mapping.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2022-08-01 16:25
Reported: 2022-08-01 16:36
Platform: win7-20220718-en
Max time kernel: 171s
Max time network: 109s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe"

Signatures

LoaderBot

loader miner loaderbot

LoaderBot executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Webhost.url | C:\Users\Admin\AppData\Local\Temp\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\Webhost = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe" | C:\Users\Admin\AppData\Roaming\Windows\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\Webhost = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe" | C:\Users\Admin\AppData\Local\Temp\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1988 wrote to memory of 1780 | N/A | C:\Users\Admin\AppData\Local\Temp\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe | C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 1780 | N/A | C:\Users\Admin\AppData\Local\Temp\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe | C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 1780 | N/A | C:\Users\Admin\AppData\Local\Temp\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe | C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 1780 | N/A | C:\Users\Admin\AppData\Local\Temp\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe | C:\Windows\SysWOW64\cmd.exe
PID 1780 wrote to memory of 1412 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1780 wrote to memory of 1412 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1780 wrote to memory of 1412 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1780 wrote to memory of 1412 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1520 wrote to memory of 1536 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\Windows\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe
PID 1520 wrote to memory of 1536 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\Windows\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe
PID 1520 wrote to memory of 1536 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\Windows\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe
PID 1520 wrote to memory of 1536 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\Windows\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe
PID 1536 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Roaming\Windows\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe | C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Roaming\Windows\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe | C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Roaming\Windows\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe | C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Roaming\Windows\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe | C:\Windows\SysWOW64\cmd.exe
PID 1052 wrote to memory of 1028 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1052 wrote to memory of 1028 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1052 wrote to memory of 1028 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1052 wrote to memory of 1028 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe

"C:\Users\Admin\AppData\Local\Temp\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /C schtasks /create /tn \System\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn \System\SecurityServiceUpdate /tr C:\Users\Admin\AppData\Roaming\Windows\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f

C:\Windows\system32\taskeng.exe

taskeng.exe {1842259C-14F5-4BB1-890B-C1952EFA4672} S-1-5-21-3762437355-3468409815-1164039494-1000:TZEOUYSL\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Windows\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe

C:\Users\Admin\AppData\Roaming\Windows\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe

C:\Windows\SysWOW64\cmd.exe

"cmd" /C schtasks /create /tn \System\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn \System\SecurityServiceUpdate /tr C:\Users\Admin\AppData\Roaming\Windows\5bdda6d0d85e1bb3920921744791845de2394f37e04fda94cde2f05e282052ba.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | iplogger.com | udp
DE | 148.251.234.93:443 | iplogger.com | tcp

Files

memory/1988-54-0x0000000000A10000-0x0000000000A1A000-memory.dmp

memory/1780-55-0x0000000000000000-mapping.dmp

memory/1988-56-0x0000000076091000-0x0000000076093000-memory.dmp

memory/1412-57-0x0000000000000000-mapping.dmp

memory/1536-58-0x0000000000000000-mapping.dmp

memory/1052-59-0x0000000000000000-mapping.dmp

memory/1028-61-0x0000000000000000-mapping.dmp