loaderbot | b1ccda9f7ba76b222d9387f6ee8cbbd3222af3dc3723a247c6e80cb0a5626676 | Triage

Sharing

General

Target

b1ccda9f7ba76b222d9387f6ee8cbbd3222af3dc3723a247c6e80cb0a5626676
Size

3.2MB
Sample

240807-yazf6ssglj
MD5

ecf0a7dfe54de2c55c42b8c8c34f4a3f
SHA1

393d36cd7cf9536ebc8abe26c51553c57eb4e38c
SHA256

b1ccda9f7ba76b222d9387f6ee8cbbd3222af3dc3723a247c6e80cb0a5626676
SHA512

4e51da10f9c75b20776aba885c863d622b4eee8b1c023e909151ed893b1f78812b1aaa1c26c10a3050f8aaccfe148dd9bcc27100e27f9f34eedc5c581573c7db
SSDEEP

49152:3EF4FiPD6m4ivio49aPVYYZJbEU5Jn0KRYElP1Dn9S/FPc63qZ1sRrT:EairJ

Score

10^/10

loaderbot defense_evasion discovery loader miner persistence

Malware Config

Targets

- Target
  
  b1ccda9f7ba76b222d9387f6ee8cbbd3222af3dc3723a247c6e80cb0a5626676
- Size
  
  3.2MB
- MD5
  
  ecf0a7dfe54de2c55c42b8c8c34f4a3f
- SHA1
  
  393d36cd7cf9536ebc8abe26c51553c57eb4e38c
- SHA256
  
  b1ccda9f7ba76b222d9387f6ee8cbbd3222af3dc3723a247c6e80cb0a5626676
- SHA512
  
  4e51da10f9c75b20776aba885c863d622b4eee8b1c023e909151ed893b1f78812b1aaa1c26c10a3050f8aaccfe148dd9bcc27100e27f9f34eedc5c581573c7db
- SSDEEP
  
  49152:3EF4FiPD6m4ivio49aPVYYZJbEU5Jn0KRYElP1Dn9S/FPc63qZ1sRrT:EairJ
Score

10^/10

loaderbot defense_evasion discovery loader miner persistence
- LoaderBot
  LoaderBot is a loader written in .NET downloading and executing miners.
  loader miner loaderbot
- Suspicious use of NtCreateUserProcessOtherParentProcess
- LoaderBot executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Obfuscated Files or Information

Command Obfuscation

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

loaderbotdefense_evasiondiscoveryloaderminerpersistence

behavioral2

loaderbotdefense_evasiondiscoveryloaderminerpersistence