mylobot | a41daba8424dc768e8591846a0cf334807bc6a05c712e8a13b7e1bf98b341560

General

Target

a41daba8424dc768e8591846a0cf334807bc6a05c712e8a13b7e1bf98b341560.exe
Size

36KB
MD5

5f2aff67459bfdb75f1dd51f3a2b380f
SHA1

9939563ac43b09fbcca6ca32630084df55e07746
SHA256

a41daba8424dc768e8591846a0cf334807bc6a05c712e8a13b7e1bf98b341560
SHA512

6e2acb78db850ba82b0e37f4d70196c908316b28f6bda565ae086292b48bab513860fffc2f1970fbf1575c6bb0a665b09d96733833c5f2cec18c0deac96345c4
SSDEEP

768:zOEMiDQsGijtlhlgJTRDrfYLfGPwbuUT:aRV2t/S7Dr0yUT

Score

10^/10

mylobot botnet persistence

Malware Config

Extracted

Family

mylobot

C2

fywkuzp.ru:6391

zdrussle.ru:4507

pseyumd.ru:8597

stydodo.ru:7094

wasyellowindexhotel.ru:7393

fywkuzp.ru:6401

rxzyglt.ru:1973

qhrywlc.ru:8926

fgqjwdl.ru:3485

qwwzlam.ru:5576

dqoudex.ru:7396

ssopuyk.ru:3367

gqlgpob.ru:8977

yboqlxs.ru:9336

qmwekpe.ru:1343

pyjhhpx.ru:6769

qyccsug.ru:4256

nrxboty.ru:3757

reczrhm.ru:2587

uzpadrm.ru:4254

Signatures

Mylobot
Botnet which first appeared in 2017 written in C++.
botnet mylobot

Executes dropped EXE 1 IoCs

Processes:

urtuhfut.exe

pid	Process
1456	urtuhfut.exe

Loads dropped DLL 2 IoCs

Processes:

a41daba8424dc768e8591846a0cf334807bc6a05c712e8a13b7e1bf98b341560.exe

pid	Process
3012	a41daba8424dc768e8591846a0cf334807bc6a05c712e8a13b7e1bf98b341560.exe
3012	a41daba8424dc768e8591846a0cf334807bc6a05c712e8a13b7e1bf98b341560.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

cmd.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwvqe = "C:\\Users\\Admin\\AppData\\Roaming\\seubtuxd\\urtuhfut.exe"	cmd.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

a41daba8424dc768e8591846a0cf334807bc6a05c712e8a13b7e1bf98b341560.exeurtuhfut.execmd.exe

description	pid	Process	procid_target
PID 3012 wrote to memory of 1456	3012	a41daba8424dc768e8591846a0cf334807bc6a05c712e8a13b7e1bf98b341560.exe	30
PID 3012 wrote to memory of 1456	3012	a41daba8424dc768e8591846a0cf334807bc6a05c712e8a13b7e1bf98b341560.exe	30
PID 3012 wrote to memory of 1456	3012	a41daba8424dc768e8591846a0cf334807bc6a05c712e8a13b7e1bf98b341560.exe	30
PID 3012 wrote to memory of 1456	3012	a41daba8424dc768e8591846a0cf334807bc6a05c712e8a13b7e1bf98b341560.exe	30
PID 1456 wrote to memory of 2136	1456	urtuhfut.exe	31
PID 1456 wrote to memory of 2136	1456	urtuhfut.exe	31
PID 1456 wrote to memory of 2136	1456	urtuhfut.exe	31
PID 1456 wrote to memory of 2136	1456	urtuhfut.exe	31
PID 1456 wrote to memory of 2136	1456	urtuhfut.exe	31
PID 1456 wrote to memory of 2136	1456	urtuhfut.exe	31
PID 1456 wrote to memory of 2136	1456	urtuhfut.exe	31
PID 1456 wrote to memory of 2136	1456	urtuhfut.exe	31
PID 2136 wrote to memory of 2768	2136	cmd.exe	33
PID 2136 wrote to memory of 2768	2136	cmd.exe	33
PID 2136 wrote to memory of 2768	2136	cmd.exe	33
PID 2136 wrote to memory of 2768	2136	cmd.exe	33
PID 2136 wrote to memory of 2768	2136	cmd.exe	33
PID 2136 wrote to memory of 2768	2136	cmd.exe	33
PID 2136 wrote to memory of 2768	2136	cmd.exe	33
PID 2136 wrote to memory of 2768	2136	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\a41daba8424dc768e8591846a0cf334807bc6a05c712e8a13b7e1bf98b341560.exe
"C:\Users\Admin\AppData\Local\Temp\a41daba8424dc768e8591846a0cf334807bc6a05c712e8a13b7e1bf98b341560.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Roaming\seubtuxd\urtuhfut.exe
  "C:\Users\Admin\AppData\Roaming\seubtuxd\urtuhfut.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\system32\notepad.exe"
      4⤵
      PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\seubtuxd\urtuhfut.exe

Filesize
36KB

MD5
5f2aff67459bfdb75f1dd51f3a2b380f

SHA1
9939563ac43b09fbcca6ca32630084df55e07746

SHA256
a41daba8424dc768e8591846a0cf334807bc6a05c712e8a13b7e1bf98b341560

SHA512
6e2acb78db850ba82b0e37f4d70196c908316b28f6bda565ae086292b48bab513860fffc2f1970fbf1575c6bb0a665b09d96733833c5f2cec18c0deac96345c4

Download Submit
C:\Users\Admin\AppData\Roaming\seubtuxd\urtuhfut.exe

Filesize
36KB

MD5
5f2aff67459bfdb75f1dd51f3a2b380f

SHA1
9939563ac43b09fbcca6ca32630084df55e07746

SHA256
a41daba8424dc768e8591846a0cf334807bc6a05c712e8a13b7e1bf98b341560

SHA512
6e2acb78db850ba82b0e37f4d70196c908316b28f6bda565ae086292b48bab513860fffc2f1970fbf1575c6bb0a665b09d96733833c5f2cec18c0deac96345c4

Download Submit
C:\Users\Admin\AppData\Roaming\seubtuxd\urtuhfut.exe

Filesize
36KB

MD5
5f2aff67459bfdb75f1dd51f3a2b380f

SHA1
9939563ac43b09fbcca6ca32630084df55e07746

SHA256
a41daba8424dc768e8591846a0cf334807bc6a05c712e8a13b7e1bf98b341560

SHA512
6e2acb78db850ba82b0e37f4d70196c908316b28f6bda565ae086292b48bab513860fffc2f1970fbf1575c6bb0a665b09d96733833c5f2cec18c0deac96345c4

Download Submit
\Users\Admin\AppData\Roaming\seubtuxd\urtuhfut.exe

Filesize
36KB

MD5
5f2aff67459bfdb75f1dd51f3a2b380f

SHA1
9939563ac43b09fbcca6ca32630084df55e07746

SHA256
a41daba8424dc768e8591846a0cf334807bc6a05c712e8a13b7e1bf98b341560

SHA512
6e2acb78db850ba82b0e37f4d70196c908316b28f6bda565ae086292b48bab513860fffc2f1970fbf1575c6bb0a665b09d96733833c5f2cec18c0deac96345c4

Download Submit
\Users\Admin\AppData\Roaming\seubtuxd\urtuhfut.exe

Filesize
36KB

MD5
5f2aff67459bfdb75f1dd51f3a2b380f

SHA1
9939563ac43b09fbcca6ca32630084df55e07746

SHA256
a41daba8424dc768e8591846a0cf334807bc6a05c712e8a13b7e1bf98b341560

SHA512
6e2acb78db850ba82b0e37f4d70196c908316b28f6bda565ae086292b48bab513860fffc2f1970fbf1575c6bb0a665b09d96733833c5f2cec18c0deac96345c4

Download Submit
memory/2136-78-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2136-86-0x0000000000730000-0x000000000073B000-memory.dmp

Filesize
44KB

Download
memory/2136-67-0x00000000003C0000-0x00000000003C9000-memory.dmp

Filesize
36KB

Download
memory/2136-69-0x00000000003C0000-0x00000000003C9000-memory.dmp

Filesize
36KB

Download
memory/2136-72-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2136-63-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2136-79-0x0000000000730000-0x000000000073B000-memory.dmp

Filesize
44KB

Download
memory/2136-81-0x0000000000730000-0x000000000073B000-memory.dmp

Filesize
44KB

Download
memory/2136-83-0x0000000000730000-0x000000000073B000-memory.dmp

Filesize
44KB

Download
memory/2136-66-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2136-84-0x0000000000730000-0x000000000073B000-memory.dmp

Filesize
44KB

Download
memory/2136-88-0x0000000000730000-0x000000000073B000-memory.dmp

Filesize
44KB

Download
memory/2136-111-0x0000000000730000-0x000000000073B000-memory.dmp

Filesize
44KB

Download
memory/2136-110-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2768-108-0x0000000000170000-0x000000000017B000-memory.dmp

Filesize
44KB

Download
memory/2768-109-0x0000000000170000-0x000000000017B000-memory.dmp

Filesize
44KB

Download
memory/2768-107-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2768-101-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads