mylobot

General

Target

Evidncias.7z
Size

189KB
Sample

250217-t73gwa1pz4
MD5

0681bc686cb1076ef8062b1f91ae617f
SHA1

851f15f874a80542daaf2d80db9f0ca8c9064ff4
SHA256

d6302cd145ef24ce77f2120bbfa3a0294c4e2b06c7952ae8ccc4f5619a4ca827
SHA512

aeb244249bdbf06004edd029d8edea61bfb522cb50785a65f3b892f2b87e10d35fa312a9ec84f6356021dbfc3f8a6036fc68ffe1c02cbe77d0a8cd1bed8d68e5
SSDEEP

3072:YTe1+1vdXu0c6MNduQTwoB9ETjKmu/eUN1bYUckQOVGSyH51n337NBCOr4wJkKoY:Yi+1vfc6MNduDoB9OKmuhU8fyH51n33h

Score

10^/10

Malware Config

Extracted

Family

mylobot

C2

eakalra.ru:1281

op17.ru:6006

ashfkwu.ru:9821

pomplus.ru:7372

fasefja.ru:3410

hpifnad.ru:3721

benkofx.ru:3333

fpzskbx.ru:9364

ouxtjzd.ru:8658

schwpxp.ru:2956

pspkgya.ru:2675

lmlwtdm.ru:2768

rzwnsph.ru:5898

awtiwzk.ru:9816

pzljenb.ru:3486

yhjtpyf.ru:3565

ogkbsoq.ru:2553

rjngcbj.ru:5655

jlfeopz.ru:4698

wqcruiz.ru:2165

Targets

- Target
  
  {62AD28B8-452C-7E36-3CCD-F2C44CD4FE54}/cf12f827.exe
- Size
  
  261KB
- MD5
  
  0cdd785ee2b4329f57811dab3169a470
- SHA1
  
  5476f971739050607694e101668263c784292204
- SHA256
  
  541ee62fd7aec363434040e58ff3216e45c4252bf1a51160f787ee6afde574c7
- SHA512
  
  c95ad7e5eb82d8003fc1789b01c4948d6b7688cd565aa58a352e103a466bdeb7c4943cf6fd5a6d560d2bb32717764fc25ddbd2cc1701ae77eb49eb3e40b7294a
- SSDEEP
  
  6144:wWEPhXngDPlCh76Nz8q3hF5cijiObEAE6d2FZNJydRM:ingD8hk3dcijboApaZ8+
Score

10^/10

mylobot botnet discovery persistence adware privilege_escalation stealer
- Mylobot
  Botnet which first appeared in 2017 written in C++.
  botnet mylobot
- Mylobot family
  mylobot
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Downloads MZ/PE file
- Deletes itself
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  {62AD28B8-452C-7E36-8924-61F4F93D6D64}/cf12f827.exe
- Size
  
  261KB
- MD5
  
  0cdd785ee2b4329f57811dab3169a470
- SHA1
  
  5476f971739050607694e101668263c784292204
- SHA256
  
  541ee62fd7aec363434040e58ff3216e45c4252bf1a51160f787ee6afde574c7
- SHA512
  
  c95ad7e5eb82d8003fc1789b01c4948d6b7688cd565aa58a352e103a466bdeb7c4943cf6fd5a6d560d2bb32717764fc25ddbd2cc1701ae77eb49eb3e40b7294a
- SSDEEP
  
  6144:wWEPhXngDPlCh76Nz8q3hF5cijiObEAE6d2FZNJydRM:ingD8hk3dcijboApaZ8+
Score

10^/10

mylobot botnet discovery persistence
- Mylobot
  Botnet which first appeared in 2017 written in C++.
  botnet mylobot
- Mylobot family
  mylobot
- Downloads MZ/PE file
- Deletes itself
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral3 behavioral4