Overview

overview

10

Static

static

1

9f7dfb962e...e9.exe

windows7-x64

10

9f7dfb962e...e9.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9f7dfb962e2bf51b8635de5abf80bede395c54abdd19ce0e7caa2343667fefe9.zip

  • Size

    6.5MB

  • Sample

    230308-njnqxsga55

  • MD5

    24bc36d1f1e02258525ef5c4533c7739

  • SHA1

    1c6a331b9c927db14077aff431d9adbf6d9bcfdf

  • SHA256

    b982b2063c14bcb53226421e409b561dbd716aedcfa0ba24e11182fa50ad7431

  • SHA512

    df57ad97dda1341ad6012502009b3ff95d742c0d557fd9c9c1196c77589ea4faa57a0b1befea543f1b5898fb991f77a0ce7c408f28b532674086e12a0c87385a

  • SSDEEP

    196608:kJWxOFcNXWRm3N9bhUCgaThMFZzaDfKocg:DhNmRm3NF79ThS+f

Score
10/10
loaderbotxmrigevasionloaderminerpersistence

Malware Config

Extracted

Family

loaderbot

C2

http://92.204.173.86/cmd.php

Targets

    • Target

      9f7dfb962e2bf51b8635de5abf80bede395c54abdd19ce0e7caa2343667fefe9.exe

    • Size

      6.5MB

    • MD5

      310ad4f57eff4a82c55e34a2723dd283

    • SHA1

      57aec7958f04644ce076e1c78df730cb698e31ad

    • SHA256

      9f7dfb962e2bf51b8635de5abf80bede395c54abdd19ce0e7caa2343667fefe9

    • SHA512

      66404b6d1c04cbea7b23321339aa99b0988f6a4a61d64b313e64ccb2fadc362b094a90c98e184927bd97f9993897038bc9fe4c3c07afdd27d632aefe3b5d3877

    • SSDEEP

      196608:ly3FwVssRJTy/xr85Z3MBRDnglLOIeyqZ5:lGFWsyu8b96

    Score
    10/10
    loaderbotxmrigevasionloaderminerpersistence

    • LoaderBot

      LoaderBot is a loader written in .NET downloading and executing miners.

      loaderminerloaderbot

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • LoaderBot executable

    • XMRig Miner payload

      miner

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks