Overview

overview

10

Static

static

3

2025-04-03...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250313-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/04/2025, 11:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-04-03_e4fe1cda1b965c4200e53953007721a6_black-basta_cobalt-strike_luca-stealer.exe

  • Size

    784KB

  • MD5

    e4fe1cda1b965c4200e53953007721a6

  • SHA1

    e47cc08535efa0e3b38a518c44f827389699c6c9

  • SHA256

    8f460857b46f1247edac09f59cc4b1535138ef2d4c191f3c923c93c3833fa46d

  • SHA512

    26b783b145d1b300c37d12e39a037150ee5f29921344e90be154a73459f77badd6962a8c5701589160a714e01a59807efc04d97d1843de3e9402f031e604b6d0

  • SSDEEP

    24576:S1818EiYTmpVJUOZ1818EiYTmpVJUOZ1L:bTmpVJUOyTmpVJUOP

Score
10/10
mylobotbotnetdiscoverypersistence

Malware Config

Extracted

Family

mylobot

C2

onthestage.ru:6521

krebson.ru:4685

stanislasarnoud.ru:5739

Signatures

  • Mylobot

    Botnet which first appeared in 2017 written in C++.

    botnetmylobot
  • Mylobot family
    mylobot
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-04-03_e4fe1cda1b965c4200e53953007721a6_black-basta_cobalt-strike_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-03_e4fe1cda1b965c4200e53953007721a6_black-basta_cobalt-strike_luca-stealer.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Users\Admin\AppData\Local\Temp\2025-04-03_e4fe1cda1b965c4200e53953007721a6_black-basta_cobalt-strike_luca-stealer.exe
      "C:\Users\Admin\AppData\Local\Temp\2025-04-03_e4fe1cda1b965c4200e53953007721a6_black-basta_cobalt-strike_luca-stealer.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4992
      • C:\Users\Admin\AppData\Roaming\seuxbuxr\uqfubxut.exe
        "C:\Users\Admin\AppData\Roaming\seuxbuxr\uqfubxut.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4896
        • C:\Users\Admin\AppData\Roaming\seuxbuxr\uqfubxut.exe
          "C:\Users\Admin\AppData\Roaming\seuxbuxr\uqfubxut.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5576
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe"
            5⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3336
            • C:\Windows\SysWOW64\notepad.exe
              "C:\Windows\system32\notepad.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4416
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\seuxbuxr\uqfubxut.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5764
    • C:\Users\Admin\AppData\Roaming\seuxbuxr\uqfubxut.exe
      C:\Users\Admin\AppData\Roaming\seuxbuxr\uqfubxut.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5504
      • C:\Users\Admin\AppData\Roaming\seuxbuxr\uqfubxut.exe
        C:\Users\Admin\AppData\Roaming\seuxbuxr\uqfubxut.exe
        3⤵
        • Executes dropped EXE
        PID:2064

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\seuxbuxr\uqfubxut.exe
    Filesize

    784KB

    MD5

    e4fe1cda1b965c4200e53953007721a6

    SHA1

    e47cc08535efa0e3b38a518c44f827389699c6c9

    SHA256

    8f460857b46f1247edac09f59cc4b1535138ef2d4c191f3c923c93c3833fa46d

    SHA512

    26b783b145d1b300c37d12e39a037150ee5f29921344e90be154a73459f77badd6962a8c5701589160a714e01a59807efc04d97d1843de3e9402f031e604b6d0

    Download Submit

  • memory/2220-0-0x00000000004A0000-0x00000000004A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3336-37-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/3336-24-0x0000000001050000-0x0000000001051000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3336-59-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/3336-35-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/3336-36-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/3336-39-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/3336-20-0x0000000000A50000-0x0000000000A51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3336-29-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/3336-28-0x0000000000A50000-0x0000000000A51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3336-21-0x0000000000FB0000-0x0000000000FB8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3336-33-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/3336-22-0x0000000000FB0000-0x0000000000FB8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3336-19-0x0000000000A50000-0x0000000000A51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3336-31-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/4416-48-0x0000000004240000-0x0000000004241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4416-52-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4896-13-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4896-41-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4992-4-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4992-1-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4992-3-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4992-5-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5576-18-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download