mylobot | 8848598d834c331cbdebd866377c14a0fb26b015fe48929551d45e70006dcf6d

General

Target

8848598d834c331cbdebd866377c14a0fb26b015fe48929551d45e70006dcf6d.exe
Size

36KB
MD5

d2338c78ee48e6dd1630c098bb6324e5
SHA1

278311f211e5dd14cb56b5867a53814ccfb0b50a
SHA256

8848598d834c331cbdebd866377c14a0fb26b015fe48929551d45e70006dcf6d
SHA512

8908251799094022f5b417b2b0c909914ae6795bedf79259782df375471a6f6a788c56589de4ef2e8c818de12643ca3974a28de8822a2055cb10ade2e63e88fe
SSDEEP

384:0ewNOnxK8uiEejM/wHQqhrXxGm4hEEZ+DMsuTmex+HFY+EKWbwFt+AYt9SKSMQMv:eO8Ni5jfwqh0hSexnTbgJrGPwb

Score

10^/10

mylobot botnet persistence

Malware Config

Extracted

Family

mylobot

C2

onthestage.ru:6521

stanislasarnoud.ru:5739

krebson.ru:4685

Signatures

Mylobot
Botnet which first appeared in 2017 written in C++.
botnet mylobot

Executes dropped EXE 1 IoCs

pid	Process
1576	utcucgua.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\blavv = "C:\\Users\\Admin\\AppData\\Roaming\\cpurauuh\\utcucgua.exe"	cmd.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 932 wrote to memory of 1576	932	8848598d834c331cbdebd866377c14a0fb26b015fe48929551d45e70006dcf6d.exe	89
PID 932 wrote to memory of 1576	932	8848598d834c331cbdebd866377c14a0fb26b015fe48929551d45e70006dcf6d.exe	89
PID 932 wrote to memory of 1576	932	8848598d834c331cbdebd866377c14a0fb26b015fe48929551d45e70006dcf6d.exe	89
PID 1576 wrote to memory of 3992	1576	utcucgua.exe	90
PID 1576 wrote to memory of 3992	1576	utcucgua.exe	90
PID 1576 wrote to memory of 3992	1576	utcucgua.exe	90
PID 1576 wrote to memory of 3992	1576	utcucgua.exe	90
PID 1576 wrote to memory of 3992	1576	utcucgua.exe	90
PID 1576 wrote to memory of 3992	1576	utcucgua.exe	90
PID 1576 wrote to memory of 3992	1576	utcucgua.exe	90
PID 3992 wrote to memory of 1656	3992	cmd.exe	94
PID 3992 wrote to memory of 1656	3992	cmd.exe	94
PID 3992 wrote to memory of 1656	3992	cmd.exe	94
PID 3992 wrote to memory of 1656	3992	cmd.exe	94
PID 3992 wrote to memory of 1656	3992	cmd.exe	94
PID 3992 wrote to memory of 1656	3992	cmd.exe	94
PID 3992 wrote to memory of 1656	3992	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\8848598d834c331cbdebd866377c14a0fb26b015fe48929551d45e70006dcf6d.exe
"C:\Users\Admin\AppData\Local\Temp\8848598d834c331cbdebd866377c14a0fb26b015fe48929551d45e70006dcf6d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:932
- C:\Users\Admin\AppData\Roaming\cpurauuh\utcucgua.exe
  "C:\Users\Admin\AppData\Roaming\cpurauuh\utcucgua.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3992
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\system32\notepad.exe"
      4⤵
      PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\cpurauuh\utcucgua.exe

Filesize
36KB

MD5
d2338c78ee48e6dd1630c098bb6324e5

SHA1
278311f211e5dd14cb56b5867a53814ccfb0b50a

SHA256
8848598d834c331cbdebd866377c14a0fb26b015fe48929551d45e70006dcf6d

SHA512
8908251799094022f5b417b2b0c909914ae6795bedf79259782df375471a6f6a788c56589de4ef2e8c818de12643ca3974a28de8822a2055cb10ade2e63e88fe

Download Submit
C:\Users\Admin\AppData\Roaming\cpurauuh\utcucgua.exe

Filesize
36KB

MD5
d2338c78ee48e6dd1630c098bb6324e5

SHA1
278311f211e5dd14cb56b5867a53814ccfb0b50a

SHA256
8848598d834c331cbdebd866377c14a0fb26b015fe48929551d45e70006dcf6d

SHA512
8908251799094022f5b417b2b0c909914ae6795bedf79259782df375471a6f6a788c56589de4ef2e8c818de12643ca3974a28de8822a2055cb10ade2e63e88fe

Download Submit
memory/1656-36-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1656-35-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1656-34-0x0000000001110000-0x0000000001111000-memory.dmp

Filesize
4KB

Download
memory/1656-30-0x0000000002EE0000-0x0000000002EE1000-memory.dmp

Filesize
4KB

Download
memory/3992-15-0x00000000009C0000-0x00000000009CB000-memory.dmp

Filesize
44KB

Download
memory/3992-14-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/3992-10-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/3992-16-0x00000000009C0000-0x00000000009CB000-memory.dmp

Filesize
44KB

Download
memory/3992-18-0x00000000009C0000-0x00000000009CB000-memory.dmp

Filesize
44KB

Download
memory/3992-19-0x00000000009C0000-0x00000000009CB000-memory.dmp

Filesize
44KB

Download
memory/3992-21-0x00000000009C0000-0x00000000009CB000-memory.dmp

Filesize
44KB

Download
memory/3992-8-0x0000000000630000-0x0000000000639000-memory.dmp

Filesize
36KB

Download
memory/3992-7-0x0000000000630000-0x0000000000639000-memory.dmp

Filesize
36KB

Download
memory/3992-6-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/3992-5-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/3992-37-0x00000000009C0000-0x00000000009CB000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads