Overview

overview

10

Static

static

1

9f7dfb962e...e9.exe

windows7-x64

10

9f7dfb962e...e9.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9f7dfb962e2bf51b8635de5abf80bede395c54abdd19ce0e7caa2343667fefe9.zip

  • Size

    6.5MB

  • Sample

    230311-s63ktaca7v

  • MD5

    984636a603d1aebb01f8790eaddc3eb4

  • SHA1

    6ce8062825623e0e843182cfdc6b038f9ae60827

  • SHA256

    49c6889f230d15d2b6b1f09f912fac0e780bb16f55bcdb7c2f8376a119209672

  • SHA512

    6d71f7c43358189eb48029c97f3e1cd5ee59cfffa4e7e1215e42004ca60010be2d5fadd63e7fc9e04150524c4432702e006ab09830eecd01076d772cdeefb876

  • SSDEEP

    98304:X75wWoe1mV2njBA9FI409ZA7NyLMgsn6y73xHSUFVe/nwWZYF4ScwXFYEVWqeg85:X75FHFG9FiiyLM++xHNFNWWFd315Akj+

Score
10/10
loaderbotxmrigevasionloaderminerpersistence

Malware Config

Extracted

Family

loaderbot

C2

http://92.204.173.86/cmd.php

Targets

    • Target

      9f7dfb962e2bf51b8635de5abf80bede395c54abdd19ce0e7caa2343667fefe9.exe

    • Size

      6.5MB

    • MD5

      310ad4f57eff4a82c55e34a2723dd283

    • SHA1

      57aec7958f04644ce076e1c78df730cb698e31ad

    • SHA256

      9f7dfb962e2bf51b8635de5abf80bede395c54abdd19ce0e7caa2343667fefe9

    • SHA512

      66404b6d1c04cbea7b23321339aa99b0988f6a4a61d64b313e64ccb2fadc362b094a90c98e184927bd97f9993897038bc9fe4c3c07afdd27d632aefe3b5d3877

    • SSDEEP

      196608:ly3FwVssRJTy/xr85Z3MBRDnglLOIeyqZ5:lGFWsyu8b96

    Score
    10/10
    loaderbotxmrigevasionloaderminerpersistence

    • LoaderBot

      LoaderBot is a loader written in .NET downloading and executing miners.

      loaderminerloaderbot

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • LoaderBot executable

    • XMRig Miner payload

      miner

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks