Overview

overview

10

Static

static

3

NEAS.99bba...JC.exe

windows7-x64

10

NEAS.99bba...JC.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    NEAS.99bba4b98096259772dc0c12f0ebb3b3ff275f4babf75caa380e94e3dbed90c9exe_JC.exe

  • Size

    501KB

  • Sample

    231023-v75gxabf5v

  • MD5

    b1f7d94305e0f729964239a69bffe320

  • SHA1

    2fb02ffda0ce1fc5d719b9b79f2cdc2a0ead863a

  • SHA256

    99bba4b98096259772dc0c12f0ebb3b3ff275f4babf75caa380e94e3dbed90c9

  • SHA512

    3d6089b7b0f430020bb3a21e21aedbff81c28e8e97bb44c8b0fd6af1ea4bf6356a34b9bdf56bcdf51533dab48fa6446b825e1dbaa8ed38b380222f81bca03a45

  • SSDEEP

    12288:VFTTWyVmRw8r6+y3QqBZAnYanJ252Wjx1ZP2BJ4iP:VFxVn8m+y3QqBZ6RK11Zw4q

Score
10/10
loaderbotxmrigdiscoveryevasionloaderminerpersistencespywarestealerthemidatrojan

Malware Config

Targets

    • Target

      NEAS.99bba4b98096259772dc0c12f0ebb3b3ff275f4babf75caa380e94e3dbed90c9exe_JC.exe

    • Size

      501KB

    • MD5

      b1f7d94305e0f729964239a69bffe320

    • SHA1

      2fb02ffda0ce1fc5d719b9b79f2cdc2a0ead863a

    • SHA256

      99bba4b98096259772dc0c12f0ebb3b3ff275f4babf75caa380e94e3dbed90c9

    • SHA512

      3d6089b7b0f430020bb3a21e21aedbff81c28e8e97bb44c8b0fd6af1ea4bf6356a34b9bdf56bcdf51533dab48fa6446b825e1dbaa8ed38b380222f81bca03a45

    • SSDEEP

      12288:VFTTWyVmRw8r6+y3QqBZAnYanJ252Wjx1ZP2BJ4iP:VFxVn8m+y3QqBZ6RK11Zw4q

    Score
    10/10
    loaderbotxmrigdiscoveryevasionloaderminerpersistencespywarestealerthemidatrojan

    • LoaderBot

      LoaderBot is a loader written in .NET downloading and executing miners.

      loaderminerloaderbot

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • LoaderBot executable

    • XMRig Miner payload

      miner

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks