mylobot | b14743519ca2f7477f3f24050203b97a5df64d20fb3cd12b6455bdd0271b6f2a

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
19-12-2023 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

584c115e2d68d99c1bbf33f01a795295.exe
Size

339KB
MD5

584c115e2d68d99c1bbf33f01a795295
SHA1

aecafef6df8304bf7a1bba821a3303075523a677
SHA256

b14743519ca2f7477f3f24050203b97a5df64d20fb3cd12b6455bdd0271b6f2a
SHA512

bae2bd68d6e804407841a4a3ade1350c9d960521a5337027f7fffe4304e9875f3ec048003212dc8c8eb8094fed53af425cecae1950e6c1a2ff3d7bd68496fc44
SSDEEP

6144:PL0jtKk5nAOXg/oaeIFSl+hDGSlsKiy8Gu5xZ5cLc:PyKqnFwBFSl+hDRsp8GxZCLc

Score

10^/10

mylobot botnet persistence

Malware Config

Extracted

Family

mylobot

op17.ru:6006

eakalra.ru:1281

zgclgdb.ru:8518

hpifnad.ru:3721

lbjcwix.ru:8326

rykacfb.ru:8483

benkofx.ru:3333

fpzskbc.ru:9364

ouxtjzd.ru:8658

schwpxp.ru:2956

pspkgya.ru:2675

lmlwtdm.ru:2768

rzwnsph.ru:5898

awtiwzk.ru:9816

pzljenb.ru:3486

yhjtpyf.ru:3565

ogkbsoq.ru:2553

rjngcbj.ru:5655

jlfeopz.ru:4698

wqcruiz.ru:2165

Signatures

Mylobot
Botnet which first appeared in 2017 written in C++.
botnet mylobot

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\{38D489B5-9D02-AF0D-1FF1-0073CE2A6CEA} = "c:\\programdata\\{A4C4A185-B532-331D-1FF1-0073CE2A6CEA}\\097b711a.exe"	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2196 set thread context of 1644	2196	584c115e2d68d99c1bbf33f01a795295.exe	28

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3028	2196	WerFault.exe	1

Modifies registry class 3 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{A4C4A186-B531-331D-1FF1-0073CE2A6CEA}\ = "1703008868"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{FEE18678-92CF-6938-1FF1-0073CE2A6CEA}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{A4C4A186-B531-331D-1FF1-0073CE2A6CEA}	svchost.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1644	584c115e2d68d99c1bbf33f01a795295.exe
1644	584c115e2d68d99c1bbf33f01a795295.exe
2620	svchost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1644	584c115e2d68d99c1bbf33f01a795295.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 1644	2196	584c115e2d68d99c1bbf33f01a795295.exe	28
PID 2196 wrote to memory of 1644	2196	584c115e2d68d99c1bbf33f01a795295.exe	28
PID 2196 wrote to memory of 1644	2196	584c115e2d68d99c1bbf33f01a795295.exe	28
PID 2196 wrote to memory of 1644	2196	584c115e2d68d99c1bbf33f01a795295.exe	28
PID 2196 wrote to memory of 1644	2196	584c115e2d68d99c1bbf33f01a795295.exe	28
PID 2196 wrote to memory of 2132	2196	584c115e2d68d99c1bbf33f01a795295.exe	29
PID 2196 wrote to memory of 2132	2196	584c115e2d68d99c1bbf33f01a795295.exe	29
PID 2196 wrote to memory of 2132	2196	584c115e2d68d99c1bbf33f01a795295.exe	29
PID 2196 wrote to memory of 2132	2196	584c115e2d68d99c1bbf33f01a795295.exe	29
PID 2196 wrote to memory of 1644	2196	584c115e2d68d99c1bbf33f01a795295.exe	28
PID 2196 wrote to memory of 2132	2196	584c115e2d68d99c1bbf33f01a795295.exe	29
PID 2196 wrote to memory of 1644	2196	584c115e2d68d99c1bbf33f01a795295.exe	28
PID 2196 wrote to memory of 2132	2196	584c115e2d68d99c1bbf33f01a795295.exe	29
PID 2196 wrote to memory of 1644	2196	584c115e2d68d99c1bbf33f01a795295.exe	28
PID 2196 wrote to memory of 2132	2196	584c115e2d68d99c1bbf33f01a795295.exe	29
PID 2196 wrote to memory of 1644	2196	584c115e2d68d99c1bbf33f01a795295.exe	28
PID 2196 wrote to memory of 2132	2196	584c115e2d68d99c1bbf33f01a795295.exe	29
PID 2196 wrote to memory of 1644	2196	584c115e2d68d99c1bbf33f01a795295.exe	28
PID 2196 wrote to memory of 2132	2196	584c115e2d68d99c1bbf33f01a795295.exe	29
PID 1644 wrote to memory of 2620	1644	584c115e2d68d99c1bbf33f01a795295.exe	31
PID 1644 wrote to memory of 2620	1644	584c115e2d68d99c1bbf33f01a795295.exe	31
PID 1644 wrote to memory of 2620	1644	584c115e2d68d99c1bbf33f01a795295.exe	31
PID 1644 wrote to memory of 2620	1644	584c115e2d68d99c1bbf33f01a795295.exe	31
PID 1644 wrote to memory of 2620	1644	584c115e2d68d99c1bbf33f01a795295.exe	31
PID 2620 wrote to memory of 1644	2620	svchost.exe	28
PID 2620 wrote to memory of 1644	2620	svchost.exe	28
PID 2620 wrote to memory of 2132	2620	svchost.exe	29
PID 2620 wrote to memory of 2132	2620	svchost.exe	29

C:\Users\Admin\AppData\Local\Temp\584c115e2d68d99c1bbf33f01a795295.exe
"C:\Users\Admin\AppData\Local\Temp\584c115e2d68d99c1bbf33f01a795295.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\584c115e2d68d99c1bbf33f01a795295.exe
  "C:\Users\Admin\AppData\Local\Temp\584c115e2d68d99c1bbf33f01a795295.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2620
- C:\Users\Admin\AppData\Local\Temp\584c115e2d68d99c1bbf33f01a795295.exe
  "C:\Users\Admin\AppData\Local\Temp\584c115e2d68d99c1bbf33f01a795295.exe"
  2⤵
  PID:2132
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 132
  2⤵
  - Program crash
  PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{A4C4A185-B532-331D-1FF1-0073CE2A6CEA}\097b711a.exe

Filesize
339KB

MD5
584c115e2d68d99c1bbf33f01a795295

SHA1
aecafef6df8304bf7a1bba821a3303075523a677

SHA256
b14743519ca2f7477f3f24050203b97a5df64d20fb3cd12b6455bdd0271b6f2a

SHA512
bae2bd68d6e804407841a4a3ade1350c9d960521a5337027f7fffe4304e9875f3ec048003212dc8c8eb8094fed53af425cecae1950e6c1a2ff3d7bd68496fc44

Download Submit
memory/1644-38-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1644-2-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1644-29-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1644-5-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1644-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1644-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1644-17-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1644-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1644-25-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1644-37-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1644-28-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2132-45-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2196-4-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

Filesize
4KB

Download
memory/2196-1-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2196-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2620-32-0x00000000000E0000-0x000000000010B000-memory.dmp

Filesize
172KB

Download
memory/2620-33-0x00000000000E0000-0x000000000010B000-memory.dmp

Filesize
172KB

Download
memory/2620-34-0x00000000000E0000-0x000000000010B000-memory.dmp

Filesize
172KB

Download
memory/2620-35-0x00000000000E0000-0x000000000010B000-memory.dmp

Filesize
172KB

Download
memory/2620-31-0x00000000000E0000-0x000000000010B000-memory.dmp

Filesize
172KB

Download
memory/2620-36-0x00000000000E0000-0x000000000010B000-memory.dmp

Filesize
172KB

Download
memory/2620-46-0x00000000000E0000-0x000000000010B000-memory.dmp

Filesize
172KB

Download
memory/2620-30-0x0000000000080000-0x00000000000D5000-memory.dmp

Filesize
340KB

Download