aresloader | 3d5f7b3325f260dc291e2b1c24c54818d2edcde5527ef31168016ae9aad25fc6

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2025 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dogecoin-1.14.9-win32/daemon/dogecoind.exe
Size

10.8MB
MD5

bd105bf449a53559a1f03bc3cee01201
SHA1

beb01382e4f15f3ba0073816dcefdec05206bf6a
SHA256

a2ea0f21d7b418869651c791d8973c983cca3964aee225d03fbf9d72a2a18b31
SHA512

8d8605bfa802ea1bc491e1a9a63b7d01ac73f45b9e29777aacdc0d82fa85d7a6100b53b3ab6fe83c110444ef7e391e6f9b502b3c2f78da96918156b93135a060
SSDEEP

196608:6rGbOYFXKiN8lytROoQIv+vaMiYYkO1KNT7muZemqBFrKUr8920vqb8i9lpmP5sM:f1XKAQ8CzKuZenbZLbXuHSb4AjbfMkpq

Score

10^/10

aresloader discovery loader

Malware Config

Extracted

Family

aresloader

http://127.0.0.1:22555

Signatures

AresLoader
AresLoader is a loader and downloader written in C++.
loader aresloader
Aresloader family
aresloader

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dogecoind.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dogecoind.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dogecoind.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1800	dogecoind.exe
1800	dogecoind.exe
1800	dogecoind.exe
1800	dogecoind.exe
1800	dogecoind.exe
1800	dogecoind.exe
1800	dogecoind.exe
1800	dogecoind.exe
1800	dogecoind.exe
1800	dogecoind.exe
1800	dogecoind.exe
1800	dogecoind.exe
1800	dogecoind.exe
1800	dogecoind.exe
1800	dogecoind.exe
1800	dogecoind.exe
1800	dogecoind.exe
1800	dogecoind.exe
1800	dogecoind.exe
1800	dogecoind.exe
1800	dogecoind.exe
1800	dogecoind.exe
1800	dogecoind.exe
1800	dogecoind.exe
1800	dogecoind.exe
1800	dogecoind.exe

C:\Users\Admin\AppData\Local\Temp\dogecoin-1.14.9-win32\daemon\dogecoind.exe
"C:\Users\Admin\AppData\Local\Temp\dogecoin-1.14.9-win32\daemon\dogecoind.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1800

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Dogecoin\blocks\blk00000.dat

Filesize
16.0MB

MD5
0655a777c0e7fced17e04569506a1055

SHA1
51e3325e2f0b9989508e0a04234c79509ef23acb

SHA256
1edffbe81ea8943814b5193ea15a6abaeb67360a9a1e441e31dcf8760c60bc1e

SHA512
6547936b2fc9ba77d8b2a444ce9b39738e0e82710e9b579dd4bd026d81bc7a82bf282c7ed69202fe34773d0b513697254277f3b5fa8912c0cd7110107bfc4c36

Download Submit
C:\Users\Admin\AppData\Roaming\Dogecoin\blocks\index\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Roaming\Dogecoin\blocks\index\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\Dogecoin\blocks\rev00000.dat

Filesize
1024KB

MD5
3938f3001762aee4ecca99eadf746dd7

SHA1
10e557e85ad182d350ef560a3395f5a0b8de8c73

SHA256
d2bf3dd2ef9999c65394cc7ad7a09bf16bb7e9174e1b11fdccd21285d21c23be

SHA512
9154090e2e8b8bdbc582b773720f58f495d444471590f0da14353cbcb49aa1bc6d736b3a0f902a003feed6373a8e7f22c5ce1ddccea5399db6ed3c15feec448b

Download Submit
C:\Users\Admin\AppData\Roaming\Dogecoin\blocks\rev00000.dat

Filesize
1024KB

MD5
8c60df7143fe8b664b17154bcb163c2d

SHA1
c6aafde6a9783f385bf740f64dffc9e19620634c

SHA256
cf43e41c7a5709cf5b8f499e8e358965892bd8ac5d037fa4cc2768fda4553b1b

SHA512
0a4f87acc23b9fcc23ba72704b11f30d3885df441f70538b1e72798189961e6c8e2b14357f28916464b574fb579eedb6b6dfd0a4905d91ce7e49e8bc061c664a

Download Submit
C:\Users\Admin\AppData\Roaming\Dogecoin\blocks\rev00000.dat

Filesize
1024KB

MD5
928dadf5f47d70ddacf680c2a0b5d72a

SHA1
74bbfe46839bb0d9b5c257b6eb6964b6931de1a0

SHA256
78c75c2ee889c84a2bd2dbfc0fe2527d982c00e9d69574ff436c84a44f367f4e

SHA512
c5b0175ee92cf536a0999f4755bb4ad06dd55d8b95c4c2ab90d3b31e3824c1d01bc84c9142f287597dfd4dd86693adf23057f30595cdaddcfefceb6c2f6c0486

Download Submit
C:\Users\Admin\AppData\Roaming\Dogecoin\blocks\rev00000.dat

Filesize
1024KB

MD5
c51e119e9b3de39afcec1295e36f8143

SHA1
2714f5ae5035d30a829d2e1b8101c9f9ff55e1b5

SHA256
cf8e1055f5b20373c5be84bef57735e32ccdfe80475c72786c37805e3c6eb504

SHA512
992e87cb009ea3fb66fd392e794a71bd6f9986c610eae839d5c1441bdedcbdb880ec271f69d7505e2bd223e0e1e361dd8d29779c13848e19a3a86fe09466cc9b

Download Submit
C:\Users\Admin\AppData\Roaming\Dogecoin\blocks\rev00000.dat

Filesize
1024KB

MD5
94f0233f5e5541a8933daf1a1e94d4e8

SHA1
732eb816fc8582190611097acb69dde6175f9270

SHA256
81ae9ed2abe8fade24e708b6e0f36043c246693f7dc956dc4ef141264f42b8ed

SHA512
da71e789483764a51c1544fe6ea5c239a99a5182b55706e8d17f78ebadf51bcb0f29e1d628a4f1002941665860426a639e4c88f59f6b45cd0144409217fac007

Download Submit
C:\Users\Admin\AppData\Roaming\Dogecoin\database\log.0000000001

Filesize
1024KB

MD5
e2dff449a287c23512c2f2a1171285cb

SHA1
a288099ba3fd402d7f6543edc299f6d31f370e62

SHA256
37eb88ec177a04ce9c4d695beec5d73b5f337d6830fd9e9521708db3e521d6b8

SHA512
0f3e45f6c6636c08340c861008f1b62a041d250b29fec09ce1f0243ce8556f4b7df403c1fc9a0f86833bcb9fbb514e81b16b726b36cf3ca1e10a9dd17a533989

Download Submit
memory/1800-269-0x0000000000040000-0x0000000000B26000-memory.dmp

Filesize
10.9MB

Download
memory/1800-268-0x0000000000040000-0x0000000000B26000-memory.dmp

Filesize
10.9MB

Download
memory/1800-398-0x0000000000040000-0x0000000000B26000-memory.dmp

Filesize
10.9MB

Download
memory/1800-260-0x0000000000040000-0x0000000000B26000-memory.dmp

Filesize
10.9MB

Download
memory/1800-559-0x0000000000040000-0x0000000000B26000-memory.dmp

Filesize
10.9MB

Download
memory/1800-560-0x0000000000040000-0x0000000000B26000-memory.dmp

Filesize
10.9MB

Download
memory/1800-561-0x0000000000040000-0x0000000000B26000-memory.dmp

Filesize
10.9MB

Download
memory/1800-562-0x0000000000040000-0x0000000000B26000-memory.dmp

Filesize
10.9MB

Download
memory/1800-563-0x0000000000040000-0x0000000000B26000-memory.dmp

Filesize
10.9MB

Download