loaderbot | 0fa48a6368effe6c9373dd34f9f26bf7f0a2050aab330cefc5acc6de5030ecb6

General

Target

$1/1337/MinerMega.exe
Size

4.0MB
MD5

d1f8ccf271359d1d1840075b3065cdaa
SHA1

5b316201fb5d9705e20398ded7d0441962e2b183
SHA256

5817eb190e2adfb6b1a8488df5e83cda619969a4ea5cccca282a348ef35d09ad
SHA512

5fb53f967b940f76b9c98d09773bea69c6ccbfd2469b9eb64868042f2ee56860d8a000b469ce941a2241adbe261ace43273c9a6cef9821ff6eabeb8f63b81e07
SSDEEP

49152:ENDFFPJu8fBsVE6ij+RNg+UKpBvtqB3m1RC3:SzP88fBsnZTgOtqB3m1RC3

Score

10^/10

loaderbot xmrig loader miner persistence

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects executables built or packed with MPress PE compressor 24 IoCs

Processes:

resource	yara_rule
behavioral6/memory/4072-1-0x00000000006C0000-0x0000000000ABE000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe	INDICATOR_EXE_Packed_MPress
behavioral6/memory/1432-16-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral6/memory/1432-18-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe	INDICATOR_EXE_Packed_MPress
behavioral6/memory/2728-22-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral6/memory/2728-28-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe	INDICATOR_EXE_Packed_MPress
behavioral6/memory/1300-36-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral6/memory/1300-41-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral6/memory/1300-42-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral6/memory/1300-43-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral6/memory/4652-50-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral6/memory/4652-55-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral6/memory/4652-56-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral6/memory/4652-57-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral6/memory/4652-60-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral6/memory/4652-63-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral6/memory/4652-64-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral6/memory/4652-65-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral6/memory/4652-66-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral6/memory/4652-67-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress

LoaderBot executable 1 IoCs

Processes:

resource	yara_rule
behavioral6/memory/4072-1-0x00000000006C0000-0x0000000000ABE000-memory.dmp	loaderbot

XMRig Miner payload 17 IoCs

miner

Processes:

resource	yara_rule
behavioral6/memory/1432-18-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/2728-22-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/2728-28-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/1300-36-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/1300-41-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/1300-42-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/1300-43-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/4652-50-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/4652-55-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/4652-56-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/4652-57-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/4652-60-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/4652-63-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/4652-64-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/4652-65-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/4652-66-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/4652-67-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MinerMega.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	MinerMega.exe

Drops startup file 1 IoCs

Processes:

MinerMega.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url MinerMega.exe
Executes dropped EXE 4 IoCs

Processes:

Driver.exeDriver.exeDriver.exeDriver.exe

pid process

1432 Driver.exe
2728 Driver.exe
1300 Driver.exe
4652 Driver.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	MinerMega.exe

pid	process
1432	Driver.exe
2728	Driver.exe
1300	Driver.exe
4652	Driver.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MinerMega.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\MinerMega.exe"	MinerMega.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MinerMega.exe

pid	process
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe
4072	MinerMega.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

MinerMega.exe

pid process

4072 MinerMega.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

MinerMega.exeDriver.exeDriver.exeDriver.exeDriver.exe

description	pid	process
Token: SeDebugPrivilege	4072	MinerMega.exe
Token: SeLockMemoryPrivilege	1432	Driver.exe
Token: SeLockMemoryPrivilege	1432	Driver.exe
Token: SeLockMemoryPrivilege	2728	Driver.exe
Token: SeLockMemoryPrivilege	2728	Driver.exe
Token: SeLockMemoryPrivilege	1300	Driver.exe
Token: SeLockMemoryPrivilege	1300	Driver.exe
Token: SeLockMemoryPrivilege	4652	Driver.exe
Token: SeLockMemoryPrivilege	4652	Driver.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

MinerMega.exe

description	pid	process	target process
PID 4072 wrote to memory of 1432	4072	MinerMega.exe	Driver.exe
PID 4072 wrote to memory of 1432	4072	MinerMega.exe	Driver.exe
PID 4072 wrote to memory of 2728	4072	MinerMega.exe	Driver.exe
PID 4072 wrote to memory of 2728	4072	MinerMega.exe	Driver.exe
PID 4072 wrote to memory of 1300	4072	MinerMega.exe	Driver.exe
PID 4072 wrote to memory of 1300	4072	MinerMega.exe	Driver.exe
PID 4072 wrote to memory of 4652	4072	MinerMega.exe	Driver.exe
PID 4072 wrote to memory of 4652	4072	MinerMega.exe	Driver.exe

C:\Users\Admin\AppData\Local\Temp\$1\1337\MinerMega.exe
"C:\Users\Admin\AppData\Local\Temp\$1\1337\MinerMega.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4072

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4652

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
Filesize
1.8MB

MD5
29b14eb2f8b1aa57bf54a4e4ae1d00f2

SHA1
be7588cda04c7550a9dc37e2cdb26aedc4527c88

SHA256
1d389b1f0fe60e781d8fe6d60bba03f34360612f784e02195f27d92cea181b2f

SHA512
2071a6e6a2a7f89beeed46708042a01396b1d03089c9cbcf3402e3020d3ecc5a83483abfcdd9e6ce7b53fb2210395317e189a4f98120bef62d6f963faf9b5973

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
Filesize
1.3MB

MD5
4abdf1a0212a622b9cbdbd3cb77bbf21

SHA1
9bc45f66dfabba277f0d7b7e028d8cfb2fce8d37

SHA256
4b76dd1361374f91a48bcc0b83f371dca0efc67d184066a6ea99667c5ad2bad0

SHA512
fc1bd6c53f051e06e2336e93158e6e2119f5b1190e82f7dc340f839f02b9312a26a27c45bb3239f2ccd222903c51a3a454303726a0c9ef1a81645c0dfc183806

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
Filesize
1.2MB

MD5
0147e65272935daf6068f7fb4bff96a2

SHA1
323d0f0e9d9806040086f1b018d1fd8947617100

SHA256
1ac4c3803c39b34334a599eaeef75b8ecb1331da3d7331d6f022b97a4a2a8ee6

SHA512
6317520b0173f5873d7e771d6b73751a291aa8b08408dc1102455c6241c43e84f3042bf07ba83f83807a4c66f7bc5051809bf1f5c9b0a600ba0161fbfb0a100a

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
Filesize
2.5MB

MD5
a78497c166cca38f3f8ea2f4e22b7d0e

SHA1
c3d2fc08fd8a5886397c86248f185ac5c33bbb20

SHA256
c68660cc05113b261a5474730a253916e2d8e7bf1ec02f6231a00ce3b3c27e6e

SHA512
df603f69ceeb0259d6b85819cb8f2e36b9bd48bf844cc2a9a251c831af321c9e9e8dada9eb9dca478d105a2386a9b9cee3e1e8093455c624d2fd50cc041741b7

Download Submit
memory/1300-40-0x00000000137F0000-0x0000000013810000-memory.dmp

Filesize
128KB

Download
memory/1300-47-0x00000000137F0000-0x0000000013810000-memory.dmp

Filesize
128KB

Download
memory/1300-36-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1300-38-0x0000000002140000-0x0000000002160000-memory.dmp

Filesize
128KB

Download
memory/1300-37-0x0000000002120000-0x0000000002140000-memory.dmp

Filesize
128KB

Download
memory/1300-46-0x00000000134C0000-0x00000000134E0000-memory.dmp

Filesize
128KB

Download
memory/1300-45-0x0000000002140000-0x0000000002160000-memory.dmp

Filesize
128KB

Download
memory/1300-43-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1300-42-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1300-41-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1300-44-0x0000000002120000-0x0000000002140000-memory.dmp

Filesize
128KB

Download
memory/1300-39-0x00000000134C0000-0x00000000134E0000-memory.dmp

Filesize
128KB

Download
memory/1432-18-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1432-17-0x0000000001FE0000-0x0000000001FF4000-memory.dmp

Filesize
80KB

Download
memory/1432-16-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2728-23-0x0000000002020000-0x0000000002040000-memory.dmp

Filesize
128KB

Download
memory/2728-26-0x00000000134C0000-0x00000000134E0000-memory.dmp

Filesize
128KB

Download
memory/2728-29-0x0000000002020000-0x0000000002040000-memory.dmp

Filesize
128KB

Download
memory/2728-21-0x0000000000480000-0x00000000004A0000-memory.dmp

Filesize
128KB

Download
memory/2728-32-0x00000000137F0000-0x0000000013810000-memory.dmp

Filesize
128KB

Download
memory/2728-30-0x0000000013190000-0x00000000131B0000-memory.dmp

Filesize
128KB

Download
memory/2728-28-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2728-27-0x00000000137F0000-0x0000000013810000-memory.dmp

Filesize
128KB

Download
memory/2728-22-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2728-31-0x00000000134C0000-0x00000000134E0000-memory.dmp

Filesize
128KB

Download
memory/2728-24-0x0000000013190000-0x00000000131B0000-memory.dmp

Filesize
128KB

Download
memory/4072-0-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/4072-25-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/4072-34-0x0000000005480000-0x0000000005490000-memory.dmp

Filesize
64KB

Download
memory/4072-5-0x0000000005480000-0x0000000005490000-memory.dmp

Filesize
64KB

Download
memory/4072-4-0x0000000005770000-0x00000000057D6000-memory.dmp

Filesize
408KB

Download
memory/4072-1-0x00000000006C0000-0x0000000000ABE000-memory.dmp

Filesize
4.0MB

Download
memory/4652-50-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4652-51-0x0000000002100000-0x0000000002120000-memory.dmp

Filesize
128KB

Download
memory/4652-52-0x0000000002120000-0x0000000002140000-memory.dmp

Filesize
128KB

Download
memory/4652-53-0x0000000002140000-0x0000000002160000-memory.dmp

Filesize
128KB

Download
memory/4652-54-0x0000000002160000-0x0000000002180000-memory.dmp

Filesize
128KB

Download
memory/4652-55-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4652-56-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4652-57-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4652-58-0x0000000002100000-0x0000000002120000-memory.dmp

Filesize
128KB

Download
memory/4652-59-0x0000000002120000-0x0000000002140000-memory.dmp

Filesize
128KB

Download
memory/4652-60-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4652-61-0x0000000002140000-0x0000000002160000-memory.dmp

Filesize
128KB

Download
memory/4652-62-0x0000000002160000-0x0000000002180000-memory.dmp

Filesize
128KB

Download
memory/4652-63-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4652-64-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4652-65-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4652-66-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4652-67-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads