mylobot | 7dc34acf3cf4a41af8284ab263ea729c0e539db9c2539e6d6643d063b2b2d302

General

Target

3e965a35b69836129f1d4d30b3c4117f.exe
Size

340KB
MD5

3e965a35b69836129f1d4d30b3c4117f
SHA1

2a5a3a03d653442f58d3c403b7b57c9296087cfa
SHA256

7dc34acf3cf4a41af8284ab263ea729c0e539db9c2539e6d6643d063b2b2d302
SHA512

cd3ae3dc6cef62cb7079852a9e9ac8f2bf64ade3c3fa4dd2e0b7c086ab0a3a4054d313e249a0d180d6ef2817e376cd05155f6194901d6ab3146899bb42862c7f
SSDEEP

3072:pmjTKNQnR0r8FIwQBNjXnAg0FuGksquMo3PHlzPX4XeOE6kl29vxCFb14tGKbu2z:pATKsRk8g5nAOraFaJEh2DWqG8U

Score

10^/10

mylobot botnet persistence

Malware Config

Extracted

Family

mylobot

C2

op17.ru:6006

eakalra.ru:1281

zgclgdb.ru:8518

hpifnad.ru:3721

lbjcwix.ru:8326

rykacfb.ru:8483

benkofx.ru:3333

fpzskbc.ru:9364

ouxtjzd.ru:8658

schwpxp.ru:2956

pspkgya.ru:2675

lmlwtdm.ru:2768

rzwnsph.ru:5898

awtiwzk.ru:9816

pzljenb.ru:3486

yhjtpyf.ru:3565

ogkbsoq.ru:2553

rjngcbj.ru:5655

jlfeopz.ru:4698

wqcruiz.ru:2165

Signatures

Mylobot
Botnet which first appeared in 2017 written in C++.
botnet mylobot

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{4A335AAA-7971-28EF-73CB-321032C9B3AF} = "c:\\programdata\\{D623729A-5141-B4FF-73CB-321032C9B3AF}\\7b9ca205.exe"	svchost.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

3e965a35b69836129f1d4d30b3c4117f.exe

description	pid	process	target process
PID 2548 set thread context of 1260	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 set thread context of 208	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 set thread context of 3784	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 set thread context of 2432	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 set thread context of 4932	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 set thread context of 3088	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 set thread context of 628	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 set thread context of 1088	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 set thread context of 3736	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe

Checks SCSI registry key(s) 3 TTPs 2 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3e965a35b69836129f1d4d30b3c4117f.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	3e965a35b69836129f1d4d30b3c4117f.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	3e965a35b69836129f1d4d30b3c4117f.exe

Modifies registry class 3 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\CLSID\{D6237299-5142-B4FF-73CB-321032C9B3AF}\ = "1704288025"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\CLSID\{8C065567-76BC-EEDA-73CB-321032C9B3AF}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\CLSID\{D6237299-5142-B4FF-73CB-321032C9B3AF}	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

3e965a35b69836129f1d4d30b3c4117f.exesvchost.exe

pid process

208 3e965a35b69836129f1d4d30b3c4117f.exe
208 3e965a35b69836129f1d4d30b3c4117f.exe
4308 svchost.exe
4308 svchost.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

3e965a35b69836129f1d4d30b3c4117f.exe

pid process

208 3e965a35b69836129f1d4d30b3c4117f.exe

pid	process
208	3e965a35b69836129f1d4d30b3c4117f.exe
208	3e965a35b69836129f1d4d30b3c4117f.exe
4308	svchost.exe
4308	svchost.exe

pid	process
208	3e965a35b69836129f1d4d30b3c4117f.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3e965a35b69836129f1d4d30b3c4117f.exe

C:\Users\Admin\AppData\Local\Temp\3e965a35b69836129f1d4d30b3c4117f.exe
"C:\Users\Admin\AppData\Local\Temp\3e965a35b69836129f1d4d30b3c4117f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\3e965a35b69836129f1d4d30b3c4117f.exe
  "C:\Users\Admin\AppData\Local\Temp\3e965a35b69836129f1d4d30b3c4117f.exe"
  2⤵
  PID:3088
- C:\Users\Admin\AppData\Local\Temp\3e965a35b69836129f1d4d30b3c4117f.exe
  "C:\Users\Admin\AppData\Local\Temp\3e965a35b69836129f1d4d30b3c4117f.exe"
  2⤵
  PID:4932
- C:\Users\Admin\AppData\Local\Temp\3e965a35b69836129f1d4d30b3c4117f.exe
  "C:\Users\Admin\AppData\Local\Temp\3e965a35b69836129f1d4d30b3c4117f.exe"
  2⤵
  PID:2432
- C:\Users\Admin\AppData\Local\Temp\3e965a35b69836129f1d4d30b3c4117f.exe
  "C:\Users\Admin\AppData\Local\Temp\3e965a35b69836129f1d4d30b3c4117f.exe"
  2⤵
  PID:3784
- C:\Users\Admin\AppData\Local\Temp\3e965a35b69836129f1d4d30b3c4117f.exe
  "C:\Users\Admin\AppData\Local\Temp\3e965a35b69836129f1d4d30b3c4117f.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:208
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:4308
- C:\Users\Admin\AppData\Local\Temp\3e965a35b69836129f1d4d30b3c4117f.exe
  "C:\Users\Admin\AppData\Local\Temp\3e965a35b69836129f1d4d30b3c4117f.exe"
  2⤵
  PID:3736
- C:\Users\Admin\AppData\Local\Temp\3e965a35b69836129f1d4d30b3c4117f.exe
  "C:\Users\Admin\AppData\Local\Temp\3e965a35b69836129f1d4d30b3c4117f.exe"
  2⤵
  PID:1260
- C:\Users\Admin\AppData\Local\Temp\3e965a35b69836129f1d4d30b3c4117f.exe
  "C:\Users\Admin\AppData\Local\Temp\3e965a35b69836129f1d4d30b3c4117f.exe"
  2⤵
  PID:4792
- C:\Users\Admin\AppData\Local\Temp\3e965a35b69836129f1d4d30b3c4117f.exe
  "C:\Users\Admin\AppData\Local\Temp\3e965a35b69836129f1d4d30b3c4117f.exe"
  2⤵
  PID:1088
- C:\Users\Admin\AppData\Local\Temp\3e965a35b69836129f1d4d30b3c4117f.exe
  "C:\Users\Admin\AppData\Local\Temp\3e965a35b69836129f1d4d30b3c4117f.exe"
  2⤵
  PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{D623729A-5141-B4FF-73CB-321032C9B3AF}\7b9ca205.exe

Filesize
340KB

MD5
3e965a35b69836129f1d4d30b3c4117f

SHA1
2a5a3a03d653442f58d3c403b7b57c9296087cfa

SHA256
7dc34acf3cf4a41af8284ab263ea729c0e539db9c2539e6d6643d063b2b2d302

SHA512
cd3ae3dc6cef62cb7079852a9e9ac8f2bf64ade3c3fa4dd2e0b7c086ab0a3a4054d313e249a0d180d6ef2817e376cd05155f6194901d6ab3146899bb42862c7f

Download Submit
memory/208-14-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/208-15-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/208-16-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/208-28-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1260-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2548-10-0x0000000004600000-0x0000000004601000-memory.dmp

Filesize
4KB

Download
memory/2548-3-0x0000000004610000-0x0000000004611000-memory.dmp

Filesize
4KB

Download
memory/2548-2-0x0000000004570000-0x0000000004571000-memory.dmp

Filesize
4KB

Download
memory/2548-0-0x00000000040C0000-0x00000000040C1000-memory.dmp

Filesize
4KB

Download
memory/2548-1-0x0000000004560000-0x0000000004561000-memory.dmp

Filesize
4KB

Download
memory/3736-23-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/3736-26-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3736-25-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4308-18-0x0000000001200000-0x000000000122B000-memory.dmp

Filesize
172KB

Download
memory/4308-24-0x0000000001200000-0x000000000122B000-memory.dmp

Filesize
172KB

Download
memory/4308-22-0x0000000001200000-0x000000000122B000-memory.dmp

Filesize
172KB

Download
memory/4308-21-0x0000000001200000-0x000000000122B000-memory.dmp

Filesize
172KB

Download
memory/4308-20-0x0000000001200000-0x000000000122B000-memory.dmp

Filesize
172KB

Download
memory/4308-19-0x0000000001200000-0x000000000122B000-memory.dmp

Filesize
172KB

Download
memory/4308-17-0x0000000001200000-0x000000000122B000-memory.dmp

Filesize
172KB

Download

description	pid	process	target process
PID 2548 wrote to memory of 208	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 208	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 208	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 2432	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 2432	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 2432	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 3784	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 3784	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 3784	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 1260	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 1260	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 1260	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 3736	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 3736	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 3736	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 4932	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 4932	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 4932	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 3088	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 3088	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 3088	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 628	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 628	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 628	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 1088	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 1088	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 1088	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 208	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 1260	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 208	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 1260	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 1260	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 208	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 1260	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 1260	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 208	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 1260	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 208	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 208	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 4792	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 4792	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 4792	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 3784	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 3784	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 3784	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 3784	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 3784	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 3784	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 2432	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 2432	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 2432	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 2432	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 2432	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 2432	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 4932	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 4932	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 4932	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 4932	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 4932	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 4932	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 3088	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 3088	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 3088	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe
PID 2548 wrote to memory of 3088	2548	3e965a35b69836129f1d4d30b3c4117f.exe	3e965a35b69836129f1d4d30b3c4117f.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads