mylobot | 533eea9cea752b72c34cd94727cb6d536e8153f01a61a61cdc367080c474d268 | Triage

Sharing

General

Target

EXonts.gif
Size

110KB
Sample

230819-pmzs2ahh27
MD5

ad4dcd0935d159515de56dbb9bb42402
SHA1

c4a309ad63dddd4c3a94cd6da13629a0a0d5d9b0
SHA256

533eea9cea752b72c34cd94727cb6d536e8153f01a61a61cdc367080c474d268
SHA512

8c117ca7415236f5196ac8d62f2749f5dfba35e6632fc4adf51c8885e241570435182b2dcf23eed7da7c2b18384dbdfac40b2788281010f5f49934dc6f5c1064
SSDEEP

1536:wLE75HunPrf5WR8LK9OY0zm778folWR8g2l7/FpiBtAJ0EZil1gHGXyvy0Ona:wRf5WRZOY0z0MWlf/QaJhuloyxa

Score

10^/10

mylobot botnet persistence

Malware Config

Extracted

Family

mylobot

C2

onthestage.ru:6521

stanislasarnoud.ru:5739

krebson.ru:4685

Targets

- Target
  
  EXonts.gif
- Size
  
  110KB
- MD5
  
  ad4dcd0935d159515de56dbb9bb42402
- SHA1
  
  c4a309ad63dddd4c3a94cd6da13629a0a0d5d9b0
- SHA256
  
  533eea9cea752b72c34cd94727cb6d536e8153f01a61a61cdc367080c474d268
- SHA512
  
  8c117ca7415236f5196ac8d62f2749f5dfba35e6632fc4adf51c8885e241570435182b2dcf23eed7da7c2b18384dbdfac40b2788281010f5f49934dc6f5c1064
- SSDEEP
  
  1536:wLE75HunPrf5WR8LK9OY0zm778folWR8g2l7/FpiBtAJ0EZil1gHGXyvy0Ona:wRf5WRZOY0z0MWlf/QaJhuloyxa
Score

10^/10

mylobot botnet persistence
- Mylobot
  Botnet which first appeared in 2017 written in C++.
  botnet mylobot
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

mylobotbotnetpersistence