General
-
Target
310ad4f57eff4a82c55e34a2723dd283.bin
-
Size
6.5MB
-
Sample
230302-bhrd7sae3z
-
MD5
fe7bb76ab0642c5cdef045f3fb503444
-
SHA1
897d4335eceb5a3f223e2a6b71d7d3d913319314
-
SHA256
a0cc0685feea750422c2e55f8875700cd27105dedb9b1cec6c590a432f9aa108
-
SHA512
b8172564fba7d6452da166820a60161658a8ef16c965eed1033428c9f79261738c94a0f852fdfd2eef52f96d4674748581b0b9b8c5d8c983c665d531e2f5fdbd
-
SSDEEP
98304:EpWmKDbPszYzjhmVTCFylzrXgTXlU16jWhBxdPj54pctkX9D1Lgp8GxFNTDq7jPI:E2DB2CWvgbOjnec6h1gTFNfq7jPfQ
Malware Config
Extracted
loaderbot
http://92.204.173.86/cmd.php
Targets
-
-
Target
9f7dfb962e2bf51b8635de5abf80bede395c54abdd19ce0e7caa2343667fefe9.exe
-
Size
6.5MB
-
MD5
310ad4f57eff4a82c55e34a2723dd283
-
SHA1
57aec7958f04644ce076e1c78df730cb698e31ad
-
SHA256
9f7dfb962e2bf51b8635de5abf80bede395c54abdd19ce0e7caa2343667fefe9
-
SHA512
66404b6d1c04cbea7b23321339aa99b0988f6a4a61d64b313e64ccb2fadc362b094a90c98e184927bd97f9993897038bc9fe4c3c07afdd27d632aefe3b5d3877
-
SSDEEP
196608:ly3FwVssRJTy/xr85Z3MBRDnglLOIeyqZ5:lGFWsyu8b96
Score10/10-
LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
LoaderBot executable
-
XMRig Miner payload
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-