mylobot | 8848598d834c331cbdebd866377c14a0fb26b015fe48929551d45e70006dcf6d

General

Target

8848598d834c331cbdebd866377c14a0fb26b015fe48929551d45e70006dcf6d.exe
Size

36KB
MD5

d2338c78ee48e6dd1630c098bb6324e5
SHA1

278311f211e5dd14cb56b5867a53814ccfb0b50a
SHA256

8848598d834c331cbdebd866377c14a0fb26b015fe48929551d45e70006dcf6d
SHA512

8908251799094022f5b417b2b0c909914ae6795bedf79259782df375471a6f6a788c56589de4ef2e8c818de12643ca3974a28de8822a2055cb10ade2e63e88fe
SSDEEP

384:0ewNOnxK8uiEejM/wHQqhrXxGm4hEEZ+DMsuTmex+HFY+EKWbwFt+AYt9SKSMQMv:eO8Ni5jfwqh0hSexnTbgJrGPwb

Score

10^/10

mylobot botnet persistence

Malware Config

Extracted

Family

mylobot

C2

onthestage.ru:6521

stanislasarnoud.ru:5739

krebson.ru:4685

Signatures

Mylobot
Botnet which first appeared in 2017 written in C++.
botnet mylobot

Executes dropped EXE 1 IoCs

pid	Process
2196	uebupqus.exe

Loads dropped DLL 2 IoCs

pid	Process
2116	8848598d834c331cbdebd866377c14a0fb26b015fe48929551d45e70006dcf6d.exe
2116	8848598d834c331cbdebd866377c14a0fb26b015fe48929551d45e70006dcf6d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\xgxex = "C:\\Users\\Admin\\AppData\\Roaming\\ceugbuag\\uebupqus.exe"	cmd.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2196	2116	8848598d834c331cbdebd866377c14a0fb26b015fe48929551d45e70006dcf6d.exe	28
PID 2116 wrote to memory of 2196	2116	8848598d834c331cbdebd866377c14a0fb26b015fe48929551d45e70006dcf6d.exe	28
PID 2116 wrote to memory of 2196	2116	8848598d834c331cbdebd866377c14a0fb26b015fe48929551d45e70006dcf6d.exe	28
PID 2116 wrote to memory of 2196	2116	8848598d834c331cbdebd866377c14a0fb26b015fe48929551d45e70006dcf6d.exe	28
PID 2196 wrote to memory of 1716	2196	uebupqus.exe	29
PID 2196 wrote to memory of 1716	2196	uebupqus.exe	29
PID 2196 wrote to memory of 1716	2196	uebupqus.exe	29
PID 2196 wrote to memory of 1716	2196	uebupqus.exe	29
PID 2196 wrote to memory of 1716	2196	uebupqus.exe	29
PID 2196 wrote to memory of 1716	2196	uebupqus.exe	29
PID 2196 wrote to memory of 1716	2196	uebupqus.exe	29
PID 2196 wrote to memory of 1716	2196	uebupqus.exe	29
PID 1716 wrote to memory of 1956	1716	cmd.exe	31
PID 1716 wrote to memory of 1956	1716	cmd.exe	31
PID 1716 wrote to memory of 1956	1716	cmd.exe	31
PID 1716 wrote to memory of 1956	1716	cmd.exe	31
PID 1716 wrote to memory of 1956	1716	cmd.exe	31
PID 1716 wrote to memory of 1956	1716	cmd.exe	31
PID 1716 wrote to memory of 1956	1716	cmd.exe	31
PID 1716 wrote to memory of 1956	1716	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\8848598d834c331cbdebd866377c14a0fb26b015fe48929551d45e70006dcf6d.exe
"C:\Users\Admin\AppData\Local\Temp\8848598d834c331cbdebd866377c14a0fb26b015fe48929551d45e70006dcf6d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Roaming\ceugbuag\uebupqus.exe
  "C:\Users\Admin\AppData\Roaming\ceugbuag\uebupqus.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\system32\notepad.exe"
      4⤵
      PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ceugbuag\uebupqus.exe

Filesize
36KB

MD5
d2338c78ee48e6dd1630c098bb6324e5

SHA1
278311f211e5dd14cb56b5867a53814ccfb0b50a

SHA256
8848598d834c331cbdebd866377c14a0fb26b015fe48929551d45e70006dcf6d

SHA512
8908251799094022f5b417b2b0c909914ae6795bedf79259782df375471a6f6a788c56589de4ef2e8c818de12643ca3974a28de8822a2055cb10ade2e63e88fe

Download Submit
C:\Users\Admin\AppData\Roaming\ceugbuag\uebupqus.exe

Filesize
36KB

MD5
d2338c78ee48e6dd1630c098bb6324e5

SHA1
278311f211e5dd14cb56b5867a53814ccfb0b50a

SHA256
8848598d834c331cbdebd866377c14a0fb26b015fe48929551d45e70006dcf6d

SHA512
8908251799094022f5b417b2b0c909914ae6795bedf79259782df375471a6f6a788c56589de4ef2e8c818de12643ca3974a28de8822a2055cb10ade2e63e88fe

Download Submit
C:\Users\Admin\AppData\Roaming\ceugbuag\uebupqus.exe

Filesize
36KB

MD5
d2338c78ee48e6dd1630c098bb6324e5

SHA1
278311f211e5dd14cb56b5867a53814ccfb0b50a

SHA256
8848598d834c331cbdebd866377c14a0fb26b015fe48929551d45e70006dcf6d

SHA512
8908251799094022f5b417b2b0c909914ae6795bedf79259782df375471a6f6a788c56589de4ef2e8c818de12643ca3974a28de8822a2055cb10ade2e63e88fe

Download Submit
\Users\Admin\AppData\Roaming\ceugbuag\uebupqus.exe

Filesize
36KB

MD5
d2338c78ee48e6dd1630c098bb6324e5

SHA1
278311f211e5dd14cb56b5867a53814ccfb0b50a

SHA256
8848598d834c331cbdebd866377c14a0fb26b015fe48929551d45e70006dcf6d

SHA512
8908251799094022f5b417b2b0c909914ae6795bedf79259782df375471a6f6a788c56589de4ef2e8c818de12643ca3974a28de8822a2055cb10ade2e63e88fe

Download Submit
\Users\Admin\AppData\Roaming\ceugbuag\uebupqus.exe

Filesize
36KB

MD5
d2338c78ee48e6dd1630c098bb6324e5

SHA1
278311f211e5dd14cb56b5867a53814ccfb0b50a

SHA256
8848598d834c331cbdebd866377c14a0fb26b015fe48929551d45e70006dcf6d

SHA512
8908251799094022f5b417b2b0c909914ae6795bedf79259782df375471a6f6a788c56589de4ef2e8c818de12643ca3974a28de8822a2055cb10ade2e63e88fe

Download Submit
memory/1716-25-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/1716-30-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1716-14-0x0000000000170000-0x0000000000179000-memory.dmp

Filesize
36KB

Download
memory/1716-16-0x0000000000170000-0x0000000000179000-memory.dmp

Filesize
36KB

Download
memory/1716-19-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1716-13-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/1716-26-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1716-27-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1716-32-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1716-10-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/1716-29-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1716-34-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1716-36-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1716-55-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/1716-54-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1956-53-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1956-51-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1956-45-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads