loaderbot | 170f1bfffbf3fa5ec4cac475209b00e9e8478565c79cb28fa442fabf89ba9079

General

Target

245f2e7c93f989165dc8d410823c4023.exe
Size

1.9MB
MD5

245f2e7c93f989165dc8d410823c4023
SHA1

d82877fdf16e0091957d6ac9cefc638e08694c91
SHA256

170f1bfffbf3fa5ec4cac475209b00e9e8478565c79cb28fa442fabf89ba9079
SHA512

1fbb6fd0f6743e3e595570a4e6fdb3fa0a7bc2a7aed16ce72ad8e349770c1d181e681600381e0ff5016612637a2be632e5e03dae011fe768502a381f95aff865
SSDEEP

49152:pM2OSAUhB0ETI++BrpMLdDQXWb+FPWRjl:pM2DD5IhBrpCFQXk+FPWFl

Score

10^/10

loaderbot xmrig loader miner persistence

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

LoaderBot executable 2 IoCs

resource	yara_rule
behavioral2/memory/5036-9-0x0000000000400000-0x00000000007FE000-memory.dmp	loaderbot
behavioral2/memory/5036-16-0x00000000058C0000-0x00000000058D0000-memory.dmp	loaderbot

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral2/memory/4172-31-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	245f2e7c93f989165dc8d410823c4023.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\245f2e7c93f989165dc8d410823c4023.exe"	245f2e7c93f989165dc8d410823c4023.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4692 set thread context of 5036	4692	245f2e7c93f989165dc8d410823c4023.exe	99

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
5036	245f2e7c93f989165dc8d410823c4023.exe
5036	245f2e7c93f989165dc8d410823c4023.exe
5036	245f2e7c93f989165dc8d410823c4023.exe
5036	245f2e7c93f989165dc8d410823c4023.exe
5036	245f2e7c93f989165dc8d410823c4023.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5036	245f2e7c93f989165dc8d410823c4023.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4692	245f2e7c93f989165dc8d410823c4023.exe
Token: SeDebugPrivilege	5036	245f2e7c93f989165dc8d410823c4023.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 3944	4692	245f2e7c93f989165dc8d410823c4023.exe	100
PID 4692 wrote to memory of 3944	4692	245f2e7c93f989165dc8d410823c4023.exe	100
PID 4692 wrote to memory of 3944	4692	245f2e7c93f989165dc8d410823c4023.exe	100
PID 4692 wrote to memory of 5036	4692	245f2e7c93f989165dc8d410823c4023.exe	99
PID 4692 wrote to memory of 5036	4692	245f2e7c93f989165dc8d410823c4023.exe	99
PID 4692 wrote to memory of 5036	4692	245f2e7c93f989165dc8d410823c4023.exe	99
PID 4692 wrote to memory of 5036	4692	245f2e7c93f989165dc8d410823c4023.exe	99
PID 4692 wrote to memory of 5036	4692	245f2e7c93f989165dc8d410823c4023.exe	99
PID 4692 wrote to memory of 5036	4692	245f2e7c93f989165dc8d410823c4023.exe	99
PID 4692 wrote to memory of 5036	4692	245f2e7c93f989165dc8d410823c4023.exe	99
PID 4692 wrote to memory of 5036	4692	245f2e7c93f989165dc8d410823c4023.exe	99

C:\Users\Admin\AppData\Local\Temp\245f2e7c93f989165dc8d410823c4023.exe
"C:\Users\Admin\AppData\Local\Temp\245f2e7c93f989165dc8d410823c4023.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Users\Admin\AppData\Local\Temp\245f2e7c93f989165dc8d410823c4023.exe
  C:\Users\Admin\AppData\Local\Temp\245f2e7c93f989165dc8d410823c4023.exe
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  PID:5036
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 49ciCfWrkhQWz6LYXux4LV1P5eAFMfox1H2y3k6VSn7Jb39nDYDUiC6JFCUBDDf63GQqpKc5ZQQ8vCHwgzesAKHtJwB9o2i -p x -k -v=0 --donate-level=1 -t 4
    3⤵
    PID:4172
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 49ciCfWrkhQWz6LYXux4LV1P5eAFMfox1H2y3k6VSn7Jb39nDYDUiC6JFCUBDDf63GQqpKc5ZQQ8vCHwgzesAKHtJwB9o2i -p x -k -v=0 --donate-level=1 -t 4
    3⤵
    PID:1312
- C:\Users\Admin\AppData\Local\Temp\245f2e7c93f989165dc8d410823c4023.exe
  C:\Users\Admin\AppData\Local\Temp\245f2e7c93f989165dc8d410823c4023.exe
  2⤵
  PID:3944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\245f2e7c93f989165dc8d410823c4023.exe.log

Filesize
605B

MD5
3654bd2c6957761095206ffdf92b0cb9

SHA1
6f10f7b5867877de7629afcff644c265e79b4ad3

SHA256
c2a4be94cf4ed33d698d9838f4ffb47047da796e733ec11562463a1621212ab4

SHA512
e2a81248cca7732ce098088d5237897493fd3629e28d66bc13e5f9191f72cd52893f4a53905906af12d5c6de475738b6c7f6b718a32869e9ee0deb3a54672f79

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
117KB

MD5
2f74f517158614217de5b1aa580f4cb8

SHA1
1a0602de7c93aa18f08dc2415039eb76180bfd7e

SHA256
2789efba3987e6854a68b90dac438c1bc70f8ab0e6aa9b417002c070cc8a8ff8

SHA512
29f003d2b6dbf8aa5a6467a1b94db553b9956384667e922dbb5e12de3e94c61cf201e59bc144468627fc4cc76acb6612aa06bc8620193b3f0b94b2822d2fdf15

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
317KB

MD5
6be1975de6e28ce0b09df193d4ace063

SHA1
48992977fb11dc52ee24789c1575f81965eb512a

SHA256
66f51e2482ee70516b50c3e5288cdf9d574849c6df0f32e9fba2f60911b24e48

SHA512
9bd5c816ae11e3051767f52d8b3bd0acac0ceda7ad3988641884a4aa5b9f33bca3411765e614480d8d5af837594667572073bb661615a2074ddbf173f79fccab

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
168KB

MD5
823ea9ab8928fd93e1e27f8dbdca730e

SHA1
b455d144cb6c9ed368b08f2e6fe6cf241426b32a

SHA256
1d13128e41a3079804bbf0d6218e9411f1315fe17e4f1789a687b98674acdeb6

SHA512
a4fe254be4b793fa4e11530f83119f0b4abdee06e28a193824b871126e9a93fb65c1927db0448b6df3279d3e2830bda0eb95257a89e67c65a4e9c9f85329c09d

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
141KB

MD5
bf5b975d688e1e24e29e29c4326c3262

SHA1
14bdac7e2f6f29506b6f4272e9d7e8568cecb6e2

SHA256
e30e257950caf8ba206b20da6a9d07d190255c3a8821203c76e658a3668165f5

SHA512
631ad0f750f6c5f5a95c9c4b68c9e06464b12218943646497d0aa58c87db842ba2b378c03bf78f8d82336f08b32be50bcca7d339d794ee4f48cd3a0f2f5824a4

Download Submit
memory/1312-37-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4172-35-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4172-31-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4172-29-0x0000000000530000-0x0000000000544000-memory.dmp

Filesize
80KB

Download
memory/4172-30-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4692-6-0x00000000051C0000-0x0000000005236000-memory.dmp

Filesize
472KB

Download
memory/4692-5-0x0000000004CF0000-0x0000000004D04000-memory.dmp

Filesize
80KB

Download
memory/4692-1-0x0000000074CC0000-0x0000000075470000-memory.dmp

Filesize
7.7MB

Download
memory/4692-2-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/4692-13-0x0000000074CC0000-0x0000000075470000-memory.dmp

Filesize
7.7MB

Download
memory/4692-3-0x0000000074CC0000-0x0000000075470000-memory.dmp

Filesize
7.7MB

Download
memory/4692-4-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/4692-7-0x00000000051A0000-0x00000000051BE000-memory.dmp

Filesize
120KB

Download
memory/4692-0-0x0000000000200000-0x00000000003E4000-memory.dmp

Filesize
1.9MB

Download
memory/5036-12-0x0000000074CC0000-0x0000000075470000-memory.dmp

Filesize
7.7MB

Download
memory/5036-32-0x00000000058C0000-0x00000000058D0000-memory.dmp

Filesize
64KB

Download
memory/5036-28-0x0000000074CC0000-0x0000000075470000-memory.dmp

Filesize
7.7MB

Download
memory/5036-9-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/5036-17-0x0000000005AD0000-0x0000000005B36000-memory.dmp

Filesize
408KB

Download
memory/5036-16-0x00000000058C0000-0x00000000058D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads