General
Target: BotClient-win-x64.exe
Size: 80.8MB
Sample: 220924-w9yyksbge2
MD5: 4137605ce658443571c3675003dbb118
SHA1: cdd748f6a069050c012ac7fa16477329adfbd95e
SHA256: bb8bbf8bf681396e89f3a519422927def07fcf79e9a3080710932d2385fb2107
SHA512: 1809f1079820b361e0a32b7f46ad583c5cb4b72421b9a437619bdd852b81a41bc2bb06478e2b9692fd10dd9129f1a1e5fe3730aa6cf6bea7f8501a226b72ac49
SSDEEP: 1572864:0MMMIbVMR3m+rtLi099hwpZVDO3Aax4eGh/1thIY8uH2bD/T+0IuE4kiYQevZwD3:0M/IKFprskIO3/x50/18uH2f6IkiYQeK
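Before acting on any of the findings in this report, confirm that the file you hold is the same sample. The script below is an added example, not part of the report or of the analysed software: it reads the file once (the sample is roughly 80 MB, so four separate hashing passes would be wasteful) and compares all four digests listed above. The path is supplied by the caller; the expected values are the ones on this page.

```python
import hashlib

# Digests listed on this report page for BotClient-win-x64.exe.
SAMPLE_HASHES = {
    "md5": "4137605ce658443571c3675003dbb118",
    "sha1": "cdd748f6a069050c012ac7fa16477329adfbd95e",
    "sha256": "bb8bbf8bf681396e89f3a519422927def07fcf79e9a3080710932d2385fb2107",
    "sha512": "1809f1079820b361e0a32b7f46ad583c5cb4b72421b9a437619bdd852b81a41b"
              "c2bb06478e2b9692fd10dd9129f1a1e5fe3730aa6cf6bea7f8501a226b72ac49",
}


def stream_digests(path, chunk_size=1 << 20):
    """Hash a file in a single pass, feeding each chunk to every algorithm.

    Returns {algorithm: hex digest} for the algorithms in SAMPLE_HASHES.
    """
    hashers = {name: hashlib.new(name) for name in SAMPLE_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def check_sample(path, expected=SAMPLE_HASHES):
    """Return [(algorithm, expected, actual), ...] for every digest that differs.

    An empty list means the file on disk is the sample this report describes;
    any mismatch means the findings on this page do not apply to that file.
    """
    actual = stream_digests(path)
    return [
        (name, want, actual[name])
        for name, want in expected.items()
        if actual[name] != want.lower()
    ]


if __name__ == "__main__":
    import sys

    mismatches = check_sample(sys.argv[1])
    for name, want, got in mismatches:
        print(f"{name}: expected {want}, got {got}")
    if mismatches:
        sys.exit(1)
    print("all digests match the report")
```

Run it as `python check_sample.py BotClient-win-x64.exe`; a non-zero exit means at least one digest differs from the report, which is the case for any repacked or re-signed copy even if the file name and size match.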
Static task: static1
Behavioral task: behavioral1 (Sample: BotClient-win-x64.exe; Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: BotClient-win-x64.exe; Resource: win10v2004-20220812-en)
Malware Config
Extracted from: C:\Users\Admin\AppData\Local\Programs\botclient\LICENSES.chromium.html
Note: the e-mail addresses and URLs below were pulled from the Chromium third-party licence file that ships with Chromium-based applications (Electron builds among them). They are maintainer contacts and licence links from OpenSSL, zlib, OpenBSD, FFmpeg, FreeType, ICU and similar components, not C2 or exfiltration indicators, and should not be treated as IoCs or added to blocklists.
ooura@kurims.kyoto-u.ac.jp
<jserv@0xlab.org>
<tholo@sigmasoft.com>
<dm@uun.org>
<djm@openbsd.org>
<markus@openbsd.org>
<Todd.Miller@courtesan.com>
<wes@softweyr.com>
<mike@FreeBSD.org>
<kostik@iclub.nsu.ru>
<das@FreeBSD.ORG>
<otto@drijf.net>
<millert@openbsd.org>
<das@FreeBSD.org>
<ed@FreeBSD.org>
<theraven@FreeBSD.org>
<mpi@openbsd.org>
<ajacoutot@openbsd.org>
<deraadt@openbsd.org>
<beck@obtuse.com>
<provos@physnet.uni-hamburg.de>
victoria.zhislina@intel.com
openssl-core@openssl.org
eay@cryptsoft.com
tjh@cryptsoft.com
john.boyer@abilitiessoft.com
<daniel@haxx.se>
<marijnh@gmail.com>
lionel.ulmer@free.fr
bbrox@bbrox.org
<rob@ti.com>
<mans@mansr.com>
<christophe.gisquet@gmail.com>
<skal@planet-d.net>
<astrange@ithinksw.com>
<pross@xvid.org>
<peter@elecard.net.ru>
<walken@zoy.org>
<lorenm@u.washington.edu>
<henrik@gramner.com>
<BugMaster@narod.ru>
<fiona@x264.com>
michaelni@gmx.at
bvasic@mips.com
darko@mips.com
djordje@mips.com
goran@mips.com
mvulin@mips.com
socovaj@mips.com
zoranl@mips.com
freetype@nongnu.org
freetype-devel@nongnu.org
breese@users.sourceforge.net
Gary.Pennington@uk.sun.com
<breese@users.sourceforge.net>
jloup@gzip.org
madler@alumni.caltech.edu
<breadbox@muppetlabs.com>
pommier@modartt.com
<clee@freedesktop.org>
<marineau@genie.uottawa.ca>
<Holger.Veit@gmd.de>
<bence.nagy@gmail.com>
bataak@gmail.com
rezende@ic.unicamp.br
jj@di.uminho.pt
c-tsai4@uiuc.edu
<provos@citi.umich.edu>
<dugsong@monkey.org>
<mike@datanerds.net>
<maxim.yegorushkin@gmail.com>
<saari@netscape.com>
<cls@lubutu.com>
<dev@frign.de>
<iano@quirkster.com>
<jamey@minilop.net>
<josh@freedesktop.org>
<doomster@knuut.de>
<libzip@nih.at>
newlib@sourceware.org
nicolas.roussel@inria.fr
hello@blakeembrey.com
<mjg@redhat.com>
https://www.apache.org/licenses/
https://www.apache.org/licenses/LICENSE-2.0
http://www.apache.org/licenses/
http://www.apache.org/licenses/LICENSE-2.0
http://code.google.com/p/y2038
http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/getentropy.2
http://mozilla.org/MPL/2.0/
http://www.torchmobile.com/
https://cla.developers.google.com/clas
http://www.openssl.org/
https://github.com/mit-plv/fiat-crypto/blob/master/AUTHORS
http://www.opensource.apple.com/apsl/
https://github.com/typetools/jdk
https://github.com/typetools/stubparser
https://github.com/typetools/annotation-tools
https://github.com/plume-lib/
http://www.mozilla.org/MPL/
http://source.android.com/
http://source.android.com/compatibility
http://www.apple.com/legal/guidelinesfor3rdparties.html
https://github.com/easylist
https://easylist.to/
https://creativecommons.org/compatiblelicenses
https://creativecommons.org/
http://developer.intel.com/vtune/cbts/strmsimd/922down.htm
http://skal.planet-d.net/coding/dct.html
http://developer.intel.com/vtune/cbts/strmsimd/appnotes.htm
http://www.elecard.com/peter/idct.html
http://www.linuxvideo.org/mpeg2dec/
http://www.opensource.org/licenses/bsd-license.php
https://www.freetype.org
http://www.mozilla.org/MPL/2.0/
http://www.mozilla.org/MPL/2.0/FAQ.html
http://freetype.sourceforge.net/license.html
http://www.freetype.org
http://source.icu-project.org/repos/icu/icu/trunk/license.html
http://icu-project.org/userguide/icufaq.html
http://www.unicode.org/copyright.html
http://www.unicode.org/Public/
http://www.unicode.org/reports/
http://www.unicode.org/cldr/data/
http://jquery.com/
https://github.com/jquery/jquery/blob/master/MIT-LICENSE.txt
https://github.com/jquery/sizzle/blob/master/LICENSE
http://ctrio.sourceforge.net/
http://www.cisl.ucar.edu/css/software/fftpack5/ftpk.html
http://www.opensource.org/licenses/mit-license.php
http://www.tex-tipografia.com/spanish_hyphen.html
https://opensource.org/licenses/BSD-3-Clause
https://www.unicode.org/copyright.html
http://opensource.org/licenses/bsd-license.php
https://sourceforge.net/project/?group_id=1519
http://chasen.aist-nara.ac.jp/chasen/distribution.html
http://casper.beckman.uiuc.edu/~c-tsai4
https://github.com/rober42539/lao-dictionary
https://github.com/rober42539/lao-dictionary/laodict.txt
https://github.com/rober42539/lao-dictionary/LICENSE.txt
http://oss.sgi.com/projects/FreeB/
https://www.khronos.org/registry/
https://llvm.org/docs/DeveloperPolicy.html#legacy
http://llvm.org
http://www.unicode.org/Public/zipped/9.0.0/UCD.zip
https://github.com/chjj/
http://daringfireball.net/
http://modp.com/release/base64
http://sourceware.org/newlib/docs.html
http://sourceware.org/ml/newlib/
https://datatracker.ietf.org/ipr/1524/
https://datatracker.ietf.org/ipr/1914/
https://datatracker.ietf.org/ipr/1526/
http://code.google.com/p/lao-dictionary/
http://lao-dictionary.googlecode.com/git/Lao-Dictionary.txt
http://lao-dictionary.googlecode.com/git/Lao-Dictionary-LICENSE.txt
https://creativecommons.org/licenses/by/3.0/
https://sites.google.com/site/gaviotachessengine/Home/endgame-tablebases-1
http://www.ploscompbiol.org/static/license
http://www.gutenberg.org/ebooks/53
http://www.suitable.com
http://www.nongnu.org/freebangfont/downloads.html#mukti
https://dejavu-fonts.github.io/Download.html
http://scripts.sil.org/OFL
https://code.google.com/p/sctp-refimpl/source/browse/trunk/COPYRIGHT
http://cgit.freedesktop.org/xorg/xserver/tree/COPYING
http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/xz/COPYING
Targets
Target: BotClient-win-x64.exe
Size: 80.8MB
MD5: 4137605ce658443571c3675003dbb118
SHA1: cdd748f6a069050c012ac7fa16477329adfbd95e
SHA256: bb8bbf8bf681396e89f3a519422927def07fcf79e9a3080710932d2385fb2107
SHA512: 1809f1079820b361e0a32b7f46ad583c5cb4b72421b9a437619bdd852b81a41bc2bb06478e2b9692fd10dd9129f1a1e5fe3730aa6cf6bea7f8501a226b72ac49
SSDEEP: 1572864:0MMMIbVMR3m+rtLi099hwpZVDO3Aax4eGh/1thIY8uH2bD/T+0IuE4kiYQevZwD3:0M/IKFprskIO3/x50/18uH2f6IkiYQeK
Score: 10/10
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Loads dropped DLL
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
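The two registry-based signatures above (country-code lookup and Uninstall-key enumeration) are easy to reproduce as detection logic over registry-access telemetry. The script below is an added example, not Triage's signature code: it runs over a constructed event log in a simple `pid|process|operation|key` form (your sandbox or EDR, for instance Sysmon registry events, will use its own format), keys on the standard Windows locations `HKCU\Control Panel\International\Geo\Nation` and `...\CurrentVersion\Uninstall\<entry>`, and uses an assumed threshold of three distinct Uninstall entries to separate an enumeration sweep from an installer touching its own entry.

```python
import re
from collections import defaultdict

# Constructed registry-access events (not real telemetry from this sample).
# Format: pid|process|operation|key
EVENTS = """\
4120|BotClient-win-x64.exe|QueryValue|HKCU\\Control Panel\\International\\Geo\\Nation
4120|BotClient-win-x64.exe|OpenKey|HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\7-Zip
4120|BotClient-win-x64.exe|OpenKey|HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Google Chrome
4120|BotClient-win-x64.exe|OpenKey|HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\VMware Tools
4120|BotClient-win-x64.exe|OpenKey|HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{A1B2}
1188|explorer.exe|QueryValue|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden
2044|msiexec.exe|OpenKey|HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\7-Zip
"""

# Standard Windows locations behind the two signatures in the report.
GEO_KEY = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
UNINSTALL_KEY = re.compile(r"\\CurrentVersion\\Uninstall\\([^\\]+)$", re.IGNORECASE)

# Assumed threshold: installers touch their own Uninstall entry, an
# enumeration sweep touches many. Tune against your own baseline.
ENUM_THRESHOLD = 3


def parse_events(text):
    """Yield (pid, process, operation, key) from the constructed log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, process, op, key = line.split("|", 3)
        yield int(pid), process, op, key


def find_recon(text, threshold=ENUM_THRESHOLD):
    """Map (pid, process) to the list of recon behaviours it exhibited."""
    geo_hits = set()
    uninstall_entries = defaultdict(set)
    for pid, process, op, key in parse_events(text):
        who = (pid, process)
        if GEO_KEY.search(key):
            geo_hits.add(who)
        m = UNINSTALL_KEY.search(key)
        if m:
            # Distinct entries, case-folded, so repeated opens of one
            # entry do not count as enumeration.
            uninstall_entries[who].add(m.group(1).lower())

    findings = defaultdict(list)
    for who in geo_hits:
        findings[who].append("checks_computer_location (Geo\\Nation read)")
    for who, entries in uninstall_entries.items():
        if len(entries) >= threshold:
            findings[who].append(
                f"enumerates_installed_software ({len(entries)} Uninstall entries)")
    return dict(findings)


if __name__ == "__main__":
    for (pid, process), hits in sorted(find_recon(EVENTS).items()):
        print(f"{process} (pid {pid}):")
        for hit in hits:
            print(f"  - {hit}")
```

On the constructed log only the sample's process is reported: it read `Geo\Nation` and opened four distinct Uninstall entries, while `msiexec.exe` touching a single entry stays below the threshold. Both lookups are also common in legitimate installers and telemetry agents, so on real data this is a triage signal to combine with the other findings (dropped EXE/DLL execution), not a standalone alert.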