mylobot | 382e891853d6e7cc04ad6c569b64b2d6ef09d2b07740e15282708b322c3a2a6c

General

Target

5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe
Size

261KB
MD5

e381028b496c601a9e0024d3a10b8d0e
SHA1

bc28c3e44f65bec3e9fc0e3112027a9ade6969c6
SHA256

382e891853d6e7cc04ad6c569b64b2d6ef09d2b07740e15282708b322c3a2a6c
SHA512

7c90bcd7a136288e9ecd819e87a857009ca5802e0a0e9aff034cdb1ea7c23688dbc0ed074fa2e9dc7cf9ddabc9bc3fdd935e97e08665cdaf3bc0695d919fbe3b
SSDEEP

6144:0eBlISBwLaYlW8n0WkmpTKLCldp47wifieoajIOi1Ab:DB/eLXlW8n1ZKOLdUn4A

Score

10^/10

mylobot botnet persistence

Malware Config

Extracted

Family

mylobot

C2

eakalra.ru:1281

op17.ru:6006

ashfkwu.ru:9821

pomplus.ru:7372

fasefja.ru:3410

hpifnad.ru:3721

benkofx.ru:3333

fpzskbx.ru:9364

ouxtjzd.ru:8658

schwpxp.ru:2956

pspkgya.ru:2675

lmlwtdm.ru:2768

rzwnsph.ru:5898

awtiwzk.ru:9816

pzljenb.ru:3486

yhjtpyf.ru:3565

ogkbsoq.ru:2553

rjngcbj.ru:5655

jlfeopz.ru:4698

wqcruiz.ru:2165

Signatures

Mylobot
Botnet which first appeared in 2017 written in C++.
botnet mylobot
Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

3472 svchost.exe

pid	process
3472	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2A699EAE-6C50-8D04-AB7A-0E47D486BCDD} = "c:\\programdata\\{B679B69E-4460-1114-AB7A-0E47D486BCDD}\\1bc66601.exe"	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe

description	pid	process	target process
PID 4432 set thread context of 4248	4432	5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe	5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe

Checks SCSI registry key(s) 3 TTPs 2 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe

Modifies registry class 3 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{EC5C9163-639D-4B31-AB7A-0E47D486BCDD}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{B679B69D-4463-1114-AB7A-0E47D486BCDD}	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{B679B69D-4463-1114-AB7A-0E47D486BCDD}\ = "1711012153"	svchost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exesvchost.exe

pid	process
4248	5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe
4248	5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe
3472	svchost.exe
3472	svchost.exe
3472	svchost.exe
3472	svchost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe

pid process

4248 5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exesvchost.exe

description	pid	process	target process
PID 4432 wrote to memory of 4248	4432	5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe	5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe
PID 4432 wrote to memory of 4248	4432	5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe	5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe
PID 4432 wrote to memory of 4248	4432	5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe	5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe
PID 4432 wrote to memory of 4248	4432	5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe	5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe
PID 4432 wrote to memory of 4248	4432	5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe	5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe
PID 4432 wrote to memory of 4248	4432	5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe	5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe
PID 4432 wrote to memory of 4248	4432	5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe	5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe
PID 4432 wrote to memory of 4248	4432	5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe	5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe
PID 4432 wrote to memory of 4248	4432	5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe	5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe
PID 4248 wrote to memory of 3472	4248	5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe	svchost.exe
PID 4248 wrote to memory of 3472	4248	5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe	svchost.exe
PID 4248 wrote to memory of 3472	4248	5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe	svchost.exe
PID 4248 wrote to memory of 3472	4248	5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe	svchost.exe
PID 3472 wrote to memory of 4432	3472	svchost.exe	5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe
PID 3472 wrote to memory of 4432	3472	svchost.exe	5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe
PID 3472 wrote to memory of 4428	3472	svchost.exe	notepad.exe
PID 3472 wrote to memory of 4428	3472	svchost.exe	notepad.exe
PID 3472 wrote to memory of 4428	3472	svchost.exe	notepad.exe
PID 3472 wrote to memory of 4428	3472	svchost.exe	notepad.exe
PID 3472 wrote to memory of 4428	3472	svchost.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe
"C:\Users\Admin\AppData\Local\Temp\5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4432

C:\Users\Admin\AppData\Local\Temp\5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe
"C:\Users\Admin\AppData\Local\Temp\5ea9a3af-d9c3-dcd1-bf0c-a770fb454f51.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4248

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Deletes itself
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3472

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
4⤵
PID:4428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:3216

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{B679B69E-4460-1114-AB7A-0E47D486BCDD}\1bc66601.exe
Filesize
261KB

MD5
e381028b496c601a9e0024d3a10b8d0e

SHA1
bc28c3e44f65bec3e9fc0e3112027a9ade6969c6

SHA256
382e891853d6e7cc04ad6c569b64b2d6ef09d2b07740e15282708b322c3a2a6c

SHA512
7c90bcd7a136288e9ecd819e87a857009ca5802e0a0e9aff034cdb1ea7c23688dbc0ed074fa2e9dc7cf9ddabc9bc3fdd935e97e08665cdaf3bc0695d919fbe3b

Download Submit
memory/3472-12-0x0000000000720000-0x000000000074C000-memory.dmp

Filesize
176KB

Download
memory/3472-5-0x0000000000720000-0x000000000074C000-memory.dmp

Filesize
176KB

Download
memory/3472-10-0x0000000000720000-0x000000000074C000-memory.dmp

Filesize
176KB

Download
memory/3472-19-0x0000000000720000-0x000000000074C000-memory.dmp

Filesize
176KB

Download
memory/3472-9-0x0000000000720000-0x000000000074C000-memory.dmp

Filesize
176KB

Download
memory/3472-6-0x0000000000720000-0x000000000074C000-memory.dmp

Filesize
176KB

Download
memory/3472-7-0x0000000000720000-0x000000000074C000-memory.dmp

Filesize
176KB

Download
memory/3472-16-0x0000000000720000-0x000000000074C000-memory.dmp

Filesize
176KB

Download
memory/3472-8-0x0000000000720000-0x000000000074C000-memory.dmp

Filesize
176KB

Download
memory/4248-2-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4248-3-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4248-13-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4248-4-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4248-1-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4428-17-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4432-0-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/4432-11-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads