mylobot | 70b6dde721d6dd8048ce2b832b581b04b35161efa3ab41659addd8e61ea4ff30

General

Target

789.exe
Size

212KB
MD5

d0a09a576bda333bdd0c774d30e3c87a
SHA1

806b8e83860eca7f9c5f50baaa916589e294bc8a
SHA256

70b6dde721d6dd8048ce2b832b581b04b35161efa3ab41659addd8e61ea4ff30
SHA512

da9e9abdb023909fd615fa2b250232de69341940ab39243844eaf79e3457dc41e79bdc4b29cc83829d53543f84d1e64f1ce2a9ce8c90ec93a99b05e033e0d80e
SSDEEP

1536:Nvl9eja1se+nsngcxNEsYMltfMpx7p5AzwB5GEvVVWbmZvM3R8krfaL+ETWfF99F:Nvln1p+nC7fUn5VVccPTWfFIzeSS

Score

10^/10

mylobot botnet persistence

Malware Config

Extracted

Family

mylobot

C2

eakalra.ru:1281

op17.ru:6006

ad21822.ru:8742

urtuifc.ru:1692

nmernrh.ru:4163

bjbhtsc.ru:6239

jmbfgpn.ru:1344

hoebfle.ru:9593

okllxlr.ru:8335

klqzrze.ru:6999

xwstyrt.ru:8627

qgfhmmm.ru:1886

ygdgryq.ru:5843

unsyisl.ru:7365

snzglco.ru:3268

fchbwme.ru:7533

iqaagar.ru:2919

flkpuod.ru:5796

zuenhrs.ru:9439

lqejyjg.ru:4627

Signatures

Mylobot
Botnet which first appeared in 2017 written in C++.
botnet mylobot

Deletes itself 1 IoCs

Processes:

svchost.exe

pid	Process
804	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{7523D609-6BD4-3366-7916-1C92DC9CEED6} = "c:\\programdata\\{E933FE39-43E4-AF76-7916-1C92DC9CEED6}\\448c2ea6.exe"	svchost.exe

Checks SCSI registry key(s) 3 TTPs 2 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

789.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	789.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	789.exe

Modifies registry class 3 IoCs

Processes:

svchost.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\CLSID\{B316D9C4-6419-F553-7916-1C92DC9CEED6}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\CLSID\{E933FE3A-43E7-AF76-7916-1C92DC9CEED6}	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\CLSID\{E933FE3A-43E7-AF76-7916-1C92DC9CEED6}\ = "1698891589"	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

789.exesvchost.exe

pid	Process
2116	789.exe
2116	789.exe
804	svchost.exe
804	svchost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

789.exe

pid	Process
2116	789.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

789.exesvchost.exe

description	pid	Process	procid_target
PID 2116 wrote to memory of 804	2116	789.exe	84
PID 2116 wrote to memory of 804	2116	789.exe	84
PID 2116 wrote to memory of 804	2116	789.exe	84
PID 2116 wrote to memory of 804	2116	789.exe	84
PID 804 wrote to memory of 2116	804	svchost.exe	83
PID 804 wrote to memory of 2368	804	svchost.exe	85
PID 804 wrote to memory of 2368	804	svchost.exe	85
PID 804 wrote to memory of 2368	804	svchost.exe	85
PID 804 wrote to memory of 2368	804	svchost.exe	85
PID 804 wrote to memory of 2368	804	svchost.exe	85

C:\Users\Admin\AppData\Local\Temp\789.exe
"C:\Users\Admin\AppData\Local\Temp\789.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\system32\svchost.exe"
  2⤵
  - Deletes itself
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:804
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\system32\notepad.exe"
    3⤵
    PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{E933FE39-43E4-AF76-7916-1C92DC9CEED6}\448c2ea6.exe

Filesize
212KB

MD5
d0a09a576bda333bdd0c774d30e3c87a

SHA1
806b8e83860eca7f9c5f50baaa916589e294bc8a

SHA256
70b6dde721d6dd8048ce2b832b581b04b35161efa3ab41659addd8e61ea4ff30

SHA512
da9e9abdb023909fd615fa2b250232de69341940ab39243844eaf79e3457dc41e79bdc4b29cc83829d53543f84d1e64f1ce2a9ce8c90ec93a99b05e033e0d80e

Download Submit
memory/804-0-0x0000000000CE0000-0x0000000000D15000-memory.dmp

Filesize
212KB

Download
memory/804-1-0x0000000000CE0000-0x0000000000D15000-memory.dmp

Filesize
212KB

Download
memory/804-2-0x0000000000CE0000-0x0000000000D15000-memory.dmp

Filesize
212KB

Download
memory/804-4-0x0000000000CE0000-0x0000000000D15000-memory.dmp

Filesize
212KB

Download
memory/804-5-0x0000000000CE0000-0x0000000000D15000-memory.dmp

Filesize
212KB

Download
memory/804-3-0x0000000000CE0000-0x0000000000D15000-memory.dmp

Filesize
212KB

Download
memory/804-7-0x0000000000CE0000-0x0000000000D15000-memory.dmp

Filesize
212KB

Download
memory/804-8-0x0000000000CE0000-0x0000000000D15000-memory.dmp

Filesize
212KB

Download
memory/2368-6-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads