Overview

overview

10

Static

static

1

9f7dfb962e...e9.exe

windows7-x64

10

9f7dfb962e...e9.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9f7dfb962e2bf51b8635de5abf80bede395c54abdd19ce0e7caa2343667fefe9.zip

  • Size

    6.5MB

  • Sample

    230308-pz1absad61

  • MD5

    18d014f3c710d1f1aff0544037e7c30c

  • SHA1

    8fab73f7603b0ce177dac5695d314acd5d1b8429

  • SHA256

    53ba77ccfcea81735fd983799f3bb98145cf1e801b32f57c50f4fcf2d4ea3c8e

  • SHA512

    25a385e12ae96f0e601655990a9107d4d600544c81b3738c1ef8f368e23a5a602e86dd21e8fc50a05c541671d1a9c999d8ebbfab60d60d09d94964434fc75c6d

  • SSDEEP

    196608:Maq+ML1aHDfoPwaHJ9wWznRMM9k2s59ag:V2rPFH/wWzQ2szj

Score
10/10
loaderbotxmrigevasionloaderminerpersistence

Malware Config

Extracted

Family

loaderbot

C2

http://92.204.173.86/cmd.php

Targets

    • Target

      9f7dfb962e2bf51b8635de5abf80bede395c54abdd19ce0e7caa2343667fefe9.exe

    • Size

      6.5MB

    • MD5

      310ad4f57eff4a82c55e34a2723dd283

    • SHA1

      57aec7958f04644ce076e1c78df730cb698e31ad

    • SHA256

      9f7dfb962e2bf51b8635de5abf80bede395c54abdd19ce0e7caa2343667fefe9

    • SHA512

      66404b6d1c04cbea7b23321339aa99b0988f6a4a61d64b313e64ccb2fadc362b094a90c98e184927bd97f9993897038bc9fe4c3c07afdd27d632aefe3b5d3877

    • SSDEEP

      196608:ly3FwVssRJTy/xr85Z3MBRDnglLOIeyqZ5:lGFWsyu8b96

    Score
    10/10
    loaderbotxmrigevasionloaderminerpersistence

    • LoaderBot

      LoaderBot is a loader written in .NET downloading and executing miners.

      loaderminerloaderbot

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • LoaderBot executable

    • XMRig Miner payload

      miner

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks