loaderbot | 176aebf3d17f832cf0f446b0da9f991c536b2997477ec654df0d70f4aa76c844

General

Target

eb78c56dd83f6b0dfb25534f987bbd37.exe
Size

2.0MB
MD5

eb78c56dd83f6b0dfb25534f987bbd37
SHA1

997abab8ec28378275933512ca31c0657489fe1d
SHA256

176aebf3d17f832cf0f446b0da9f991c536b2997477ec654df0d70f4aa76c844
SHA512

c50b33756ad37c3b4c240a56095cb6f12e39bd6ef7008e6ee6ea95922fd9079e7f50a17726e67489c19802a39c621e7e2d42a40093585f19051292afb4450b44
SSDEEP

49152:GMFTi8cSHuoa3W0E/Gc4iWQLgCEmjjZ9B444edBfB:GMFTiXyg3W0E+c4iWnmnZ9R4edBfB

Score

10^/10

loaderbot xmrig loader miner persistence

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

LoaderBot executable 1 IoCs

resource	yara_rule
behavioral2/memory/4524-5-0x0000000000400000-0x00000000007FE000-memory.dmp	loaderbot

XMRig Miner payload 11 IoCs

miner

resource	yara_rule
behavioral2/memory/4400-27-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/4256-32-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/4256-33-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/4256-34-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/4256-38-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/4256-40-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/4256-41-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/4256-44-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/4256-47-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/4256-48-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/4256-49-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	eb78c56dd83f6b0dfb25534f987bbd37.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	eb78c56dd83f6b0dfb25534f987bbd37.exe

Executes dropped EXE 2 IoCs

pid	Process
4400	Driver.exe
4256	Driver.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\eb78c56dd83f6b0dfb25534f987bbd37.exe"	eb78c56dd83f6b0dfb25534f987bbd37.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3168 set thread context of 4524	3168	eb78c56dd83f6b0dfb25534f987bbd37.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4524	eb78c56dd83f6b0dfb25534f987bbd37.exe
4524	eb78c56dd83f6b0dfb25534f987bbd37.exe
4524	eb78c56dd83f6b0dfb25534f987bbd37.exe
4524	eb78c56dd83f6b0dfb25534f987bbd37.exe
4524	eb78c56dd83f6b0dfb25534f987bbd37.exe
4524	eb78c56dd83f6b0dfb25534f987bbd37.exe
4524	eb78c56dd83f6b0dfb25534f987bbd37.exe
4524	eb78c56dd83f6b0dfb25534f987bbd37.exe
4524	eb78c56dd83f6b0dfb25534f987bbd37.exe
4524	eb78c56dd83f6b0dfb25534f987bbd37.exe
4524	eb78c56dd83f6b0dfb25534f987bbd37.exe
4524	eb78c56dd83f6b0dfb25534f987bbd37.exe
4524	eb78c56dd83f6b0dfb25534f987bbd37.exe
4524	eb78c56dd83f6b0dfb25534f987bbd37.exe
4524	eb78c56dd83f6b0dfb25534f987bbd37.exe
4524	eb78c56dd83f6b0dfb25534f987bbd37.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4524	eb78c56dd83f6b0dfb25534f987bbd37.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3168	eb78c56dd83f6b0dfb25534f987bbd37.exe
Token: SeDebugPrivilege	4524	eb78c56dd83f6b0dfb25534f987bbd37.exe
Token: SeLockMemoryPrivilege	4400	Driver.exe
Token: SeLockMemoryPrivilege	4400	Driver.exe
Token: SeLockMemoryPrivilege	4256	Driver.exe
Token: SeLockMemoryPrivilege	4256	Driver.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3168 wrote to memory of 4524	3168	eb78c56dd83f6b0dfb25534f987bbd37.exe	99
PID 3168 wrote to memory of 4524	3168	eb78c56dd83f6b0dfb25534f987bbd37.exe	99
PID 3168 wrote to memory of 4524	3168	eb78c56dd83f6b0dfb25534f987bbd37.exe	99
PID 3168 wrote to memory of 4524	3168	eb78c56dd83f6b0dfb25534f987bbd37.exe	99
PID 3168 wrote to memory of 4524	3168	eb78c56dd83f6b0dfb25534f987bbd37.exe	99
PID 3168 wrote to memory of 4524	3168	eb78c56dd83f6b0dfb25534f987bbd37.exe	99
PID 3168 wrote to memory of 4524	3168	eb78c56dd83f6b0dfb25534f987bbd37.exe	99
PID 3168 wrote to memory of 4524	3168	eb78c56dd83f6b0dfb25534f987bbd37.exe	99
PID 4524 wrote to memory of 4400	4524	eb78c56dd83f6b0dfb25534f987bbd37.exe	105
PID 4524 wrote to memory of 4400	4524	eb78c56dd83f6b0dfb25534f987bbd37.exe	105
PID 4524 wrote to memory of 4256	4524	eb78c56dd83f6b0dfb25534f987bbd37.exe	111
PID 4524 wrote to memory of 4256	4524	eb78c56dd83f6b0dfb25534f987bbd37.exe	111

C:\Users\Admin\AppData\Local\Temp\eb78c56dd83f6b0dfb25534f987bbd37.exe
"C:\Users\Admin\AppData\Local\Temp\eb78c56dd83f6b0dfb25534f987bbd37.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Users\Admin\AppData\Local\Temp\eb78c56dd83f6b0dfb25534f987bbd37.exe
  C:\Users\Admin\AppData\Local\Temp\eb78c56dd83f6b0dfb25534f987bbd37.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 49qmNae47gZdq65c6erFvGZixUnZC21E6K6MwMZP3ikMfdKxUAD7ztoV4n6ZpuBbBa1wE9iZsvmmLGdTZEdeNXUREUtUN52 -p x -k -v=0 --donate-level=1 -t 4
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4400
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 49qmNae47gZdq65c6erFvGZixUnZC21E6K6MwMZP3ikMfdKxUAD7ztoV4n6ZpuBbBa1wE9iZsvmmLGdTZEdeNXUREUtUN52 -p x -k -v=0 --donate-level=1 -t 4
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\eb78c56dd83f6b0dfb25534f987bbd37.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.0MB

MD5
2f2ca92fb4707141c80008f15091a72e

SHA1
c23429f2030d955cac96972097b60bd4fc74fc76

SHA256
7f9edf12bbb595790a8d076c2d0af793014b9babf59c0c69c9e66d5b928474d6

SHA512
589ce680e2c1dd48fc683462e201e9cc4d627974aa25560086ecd596671fee19f80db67c4d037dd204099dae6044fcc84eb251ee3758b9b9cceeaac274252e61

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
2.0MB

MD5
7df262b0116305b15f1c4bb038202cee

SHA1
f90df86c72aae36c274ce75e2347ffea35efb651

SHA256
2a27bb3c1b87688bf6af881dc3d148fbb47bff1472424cc48786889ee2dea74e

SHA512
db49ebfe0fb2cfc0faa4561b49878d5627ee468aa2e58c982dfcf570d41a3f41376e7ec82cb00ba2323bf860e461d2dd099d145b16e50ca05c89130ee0e32eec

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
1.6MB

MD5
4ee44a5088d055b1c608105d9acce954

SHA1
152034d331637ae7ef7b3dd62a1f874a7f130305

SHA256
2499abd17b162b3aad0b3a073bbada1c37fa00473894afcaa1ce33a4a0c66990

SHA512
e1c21c81380eda68bd6121f8977f49ccc57067b747962e278861c5372f91d2df94aee5359327d55fef6fc70cc3e3786c367d3aa2e9880076ce14af3af8b0b911

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
277KB

MD5
3959a82511c35b69b0c2a54446008690

SHA1
23cdf843a94cff49816669b79a98a6d5185fd793

SHA256
cd7968a47dca0f9a82aede42dc0471ad65585e55b6f484c17bf0f721a03734f8

SHA512
116e7485a6071385fcad1d60f59389a9fec1021a0a9e2f3e4286dfcabc1b78a7526cc56f3cd1853c7ccf8b844351fa33427c22b5cbed69d779f88b38d3acf2b6

Download Submit
memory/3168-1-0x0000000000650000-0x0000000000848000-memory.dmp

Filesize
2.0MB

Download
memory/3168-3-0x0000000001350000-0x0000000001360000-memory.dmp

Filesize
64KB

Download
memory/3168-2-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/3168-4-0x00000000051E0000-0x0000000005208000-memory.dmp

Filesize
160KB

Download
memory/3168-0-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/3168-9-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/4256-38-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4256-42-0x0000000000550000-0x0000000000570000-memory.dmp

Filesize
128KB

Download
memory/4256-49-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4256-48-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4256-47-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4256-46-0x00000000139E0000-0x0000000013A00000-memory.dmp

Filesize
128KB

Download
memory/4256-45-0x0000000002040000-0x0000000002060000-memory.dmp

Filesize
128KB

Download
memory/4256-44-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4256-43-0x0000000000570000-0x0000000000590000-memory.dmp

Filesize
128KB

Download
memory/4256-31-0x0000000000530000-0x0000000000550000-memory.dmp

Filesize
128KB

Download
memory/4256-32-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4256-33-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4256-34-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4256-35-0x0000000000550000-0x0000000000570000-memory.dmp

Filesize
128KB

Download
memory/4256-36-0x0000000000570000-0x0000000000590000-memory.dmp

Filesize
128KB

Download
memory/4256-37-0x0000000002040000-0x0000000002060000-memory.dmp

Filesize
128KB

Download
memory/4256-41-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4256-39-0x00000000139E0000-0x0000000013A00000-memory.dmp

Filesize
128KB

Download
memory/4256-40-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4400-27-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4400-26-0x0000000000510000-0x0000000000524000-memory.dmp

Filesize
80KB

Download
memory/4400-24-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4524-14-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/4524-5-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/4524-30-0x0000000005620000-0x0000000005630000-memory.dmp

Filesize
64KB

Download
memory/4524-8-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/4524-12-0x0000000005620000-0x0000000005630000-memory.dmp

Filesize
64KB

Download
memory/4524-13-0x00000000057A0000-0x0000000005806000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads