{
	"id": "2e851b0f-d744-49a8-8706-61ff20b51f58",
	"created_at": "2026-04-06T00:17:52.63583Z",
	"updated_at": "2026-04-10T03:20:24.766334Z",
	"deleted_at": null,
	"sha1_hash": "ae7ec7e48d524a7e6144841adbb1b786e2a0c65d",
	"title": "NewBot Loader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 780862,
	"plain_text": "NewBot Loader\r\nBy Jason Reaves\r\nPublished: 2024-03-12 · Archived: 2026-04-05 16:10:05 UTC\r\nBy: Jason Reaves and Joshua Platt\r\nAnother day, another new loader. During our research lately, we have discovered several new malware loaders that appear to be targeting corporate and enterprise environments.\r\nThis one calls itself NewBot Loader:\r\nThe loader is slightly obfuscated, but some strings can still be seen, giving a bit of insight into the capabilities:\r\n\u003cCloseShell\u003eb__0\r\n\u003cOpenShell\u003eb__0\r\n\u003cGetShell\u003eb__0\r\n\u003cGetInstalledEdr\u003eb__0\r\n\u003cGetBytes\u003eb__0\r\n\u003cInject\u003eb__0\r\n\u003cExecuteStrategy\u003eb__0\r\npDOMAIN_CONTROLLER_INFO\r\ndownload\r\nUpload\r\nOverload\r\nget_Payload\r\nset_Payload\r\nset_MachineName\r\nget_DomainControllerSiteName\r\nget_DomainControllerName\r\nhttps://medium.com/walmartglobaltech/newbot-loader-81e2ba11c793\r\nPage 1 of 11\n\nget_UserName\r\nget_ComputerName\r\nget_DomainControllerForestName\r\nget_CommandType\r\nget_InstalledAntiMalware\r\nset_UseShellExecute\r\nThe rest of the strings are loaded as single bytes:\r\nWe can recover them pretty easily, though, by hexlifying the entire binary and doing a regex:\r\n\u003e\u003e\u003e import re, binascii\r\n\u003e\u003e\u003e d = binascii.hexlify(open(path, 'rb').read()).decode()  # path: placeholder for the loader sample on disk\r\n\u003e\u003e\u003e t = re.findall(r'''[a2,01]2520.{8}20..''', d)\r\n\u003e\u003e\u003e tt = [(x[-2:], x) for x in t]\r\n\u003e\u003e\u003e tt = [(chr(int(x[0],16)), x[1]) for x in tt]\r\n\u003e\u003e\u003e tt[0]\r\n('\\x00', '12520000000002000')\r\n\u003e\u003e\u003e out = \"\"\r\n\u003e\u003e\u003e for val in tt:\r\n...     if val[1][0] == '1':\r\n...         out += '\\n'\r\n...     out += val[0]\r\n...\r\n\u003e\u003e\u003e out\r\n'\\n\\x00\\nOpening new shell...\\ncmd.exe\\n/k\\n[\\n] - \\nInfo\\nError\\n[\\n] - \\nError\\n[\\n] - \\n{0}:{1}\\nC\r\nDecoded strings are appended to the end of this blog. The config is mostly based on random data and a generated GUID, but finding the calls to it involves going through the control-flow obfuscation that is common in .NET, which relies on overloaded class methods. We are going to briefly walk through a few relevant code blocks below:\r\nTo find where this gets used, we start with the code below, following the built string ‘Loader started…’:\r\nThe first call, Xoshiro, sets up the registry key persistence via a Run key. Next, a new object is created, which is also where our config is set up inside the Partner function; this object is then passed to Intx, which just sets the internal Fixups variable to the new object:\r\nThis is used later; what is passed in is the C2 host and port, which are also decoded from the strings:\r\nThere are also many strings related to AV, EDR and analyst tools, which appear to come mostly from OSINT code[1]. These strings are loaded into a string array named Hierarchy:\r\nLater these names are retrieved in another piece of code. The manual function called just returns the previous array. Next, a few directory locations are loaded:\r\nThe loaded directories are:\r\nC:\\Program Files (x86)\r\nC:\\Program Files\r\nC:\\ProgramData\r\nThe loader will then look for any sub folder containing the strings:\r\nDecoded strings allude to encoded payload extraction. The extraction routine reads in the first 16 bytes to acquire a key that will be utilized in the decoding routine. Unfortunately, we were unable to retrieve a payload at the time of our writing.\r\nusing (MemoryStream memoryStream = new MemoryStream(older, 0, older.Length))\r\n{\r\n    byte[] array = new byte[16];\r\n    int num = memoryStream.Read(array, 0, 16);\r\n    bool flag = num \u003c 16;\r\n    if (flag)\r\n    {\r\n        throw new Exception(string.Concat(new string[]\r\n        {\r\n            \"Unable to extract key from encoded payload.\"\r\n        }));\r\n    }\r\n    // remainder of the decoding routine not shown\r\n}\r\nDecoded strings\r\nOpening new shell...\r\ncmd.exe\r\n/k\r\n[\r\n] -\r\nInfo\r\nError\r\n[\r\n] -\r\nError\r\n[\r\n] -\r\n{0}:{1}\r\nClient {0} connecting to {1}...\r\nUnable to perform handshake.\r\nClient {0} connected to {1}...\r\nUnable to connect listener:\r\n{0} received.\r\nSending {0} callback...\r\nDisconnecting {0}...\r\nDisconnected {0}...\r\nUnable to extract key from encoded payload.\r\nSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nNewBot.Loader\r\nNewBot.Loader\r\nUnable to read x32 headers.\r\n.text\r\n.data\r\n.pdata\r\n.reloc\r\n.rsrc\r\n.rdata\r\nAllocating memory...\r\nNtAllocateVirtualMemory\r\nMemory allocation failed.\r\nAllocation ended with result {0} in {1:X}\r\nCreating thread...\r\nNtCreateThreadEx\r\nCreating thread failed.\r\nCreating thread finished with result {0} - {1}.\r\nStarting thread...\r\nNtWaitForSingleObject\r\nUnable to start thread\r\nThread finished with status {0}.\r\nWriting virtual memory...\r\nNtWriteVirtualMemory\r\nUnable to write virtual memory\r\nWriting virtual memory finished with status {0}.\r\nntdll.dll\r\nUnable to determine syscall for method:\r\nStrategy cannot be null.\r\nExecuting {0}...\r\nCommand executed.\r\n45.15.157[.]139:1337\r\nSELECT * FROM Win32_OperatingSystem\r\nCaption\r\nVersion\r\nError:\r\nUnknown\r\nUnknown\r\nSELECT * FROM Win32_ComputerSystem\r\nTotalPhysicalMemory\r\nError:\r\nHARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\r\nPROCESSOR_IDENTIFIER\r\nProcessorNameString\r\nSystem\r\nSystem Up Time\r\nC:\\Program Files (x86)\r\nC:\\Program Files\r\nC:\\ProgramData\r\nNo domain controller information found.\r\nSELECT * FROM Win32_ComputerSystem\r\nDomain\r\nError:\r\nUnknown\r\nactiveconsole\r\nADA-PreCheck\r\nahnlab\r\nanti malware\r\nanti-malware\r\nantimalware\r\nanti virus\r\nanti-virus\r\nantivirus\r\nappsense\r\nattivo networks\r\nattivonetworks\r\nauthtap\r\navast\r\navecto\r\nbitdefender\r\nblackberry\r\ncanary\r\ncarbonblack\r\ncarbon black\r\ncheck point\r\nciscoamp\r\ncisco amp\r\ncountercept\r\ncountertack\r\ncramtray\r\ncrssvc\r\ncrowdstrike\r\ncsagent\r\ncsfalcon\r\ncsshell\r\ncybereason\r\ncyclorama\r\ncylance\r\ncynet\r\ncyoptics\r\ncyupdate\r\ncyvera\r\ncyserver\r\ncytray\r\ndarktrace\r\ndeep instinct\r\ndefendpoint\r\ndefender\r\neectrl\r\nelastic\r\nendgame\r\nf-secure\r\nforcepoint\r\nfortinet\r\nfireeye\r\ngroundling\r\nGRRservic\r\nharfanglab\r\ninspector\r\nivanti\r\njuniper networks\r\nkaspersky\r\nlacuna\r\nlogrhythm\r\nmalware\r\nmalwarebytes\r\nmandiant\r\nmcafee\r\nmorphisec\r\nmsascuil\r\nmsmpeng\r\nnissrv\r\nomni\r\nomniagent\r\nosquery\r\nPalo Alto Networks\r\npgeposervice\r\npgsystemtray\r\nprivilegeguard\r\nprocwall\r\nprotectorservic\r\nqianxin\r\nqradar\r\nqualys\r\nrapid7\r\nredcloak\r\nred canary\r\nSanerNow\r\nsangfor\r\nsecureworks\r\nsecurityhealthservice\r\nsemlaunchsv\r\nsentinel\r\nsentinelone\r\nsepliveupdat\r\nsisidsservice\r\nsisipsservice\r\nsisipsutil\r\nsmcgui\r\nsnac64\r\nsomma\r\nsophos\r\nsplunk\r\nsrtsp\r\nsymantec\r\nsymcorpu\r\nsymefasi\r\nsysinternal\r\nsysmon\r\ntanium\r\ntdawork\r\ntehtris\r\nthreat\r\ntrellix\r\ntpython\r\ntrend micro\r\nuptycs\r\nvectra\r\nwatchguard\r\nwincollect\r\nwindowssensor\r\nwireshark\r\nwithsecure\r\nN/A\r\nUnable to inject empty payload.\r\nUnable to inject x86 payload.\r\n(Not supported) - Unable to inject payload to non local process.\r\nPortable Exe injection to\r\n started...\r\nPortable Exe injection completed.\r\nCreating section:\r\n...\r\nSection\r\n created.\r\nStarting relocation\r\nRelocating {0} to {1} with length: {2}...\r\nResolving imports...\r\nLoading DLL\r\nLoading injection process...\r\nInjecting payload to\r\n...\r\nCopying shellcode to memory...\r\nPayload injection finished with wait status {0}.\r\nUnable to find handler for command: {0}\r\nN/A\r\nN/A\r\nN/A\r\nN/A\r\nN/A\r\nUnable to get args from command: {0}\r\nUnable to decode shell action.\r\nUnable to get model for {0}\r\nUnable to get model for {0}\r\nUnable to get model for {0}\r\npayloadType\r\nLoader started...\r\n501a2d61bb9cdcdcbc1a77c1cf985c4d3781d60cb94380fbecac73cdbd2120ba\r\nCode reuse\r\nFastBinaryJSON\r\nSharpEDRChecker\r\nIOCs\r\n501a2d61bb9cdcdcbc1a77c1cf985c4d3781d60cb94380fbecac73cdbd2120ba\r\n92f3fdcbeb7175d86daaab7ac7e07db4558c0933e91552f9a50420e841a47bb3\r\n45.15.157[.]139:1337\r\nRegistry:\r\n\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\NewBot.Loader\r\nWMI queries:\r\nSELECT * FROM Win32_OperatingSystem\r\nSELECT * FROM Win32_ComputerSystem\r\nReferences\r\n1: https://github.com/PwnDexter/SharpEDRChecker\r\nSource: https://medium.com/walmartglobaltech/newbot-loader-81e2ba11c793",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/walmartglobaltech/newbot-loader-81e2ba11c793"
	],
	"report_names": [
		"newbot-loader-81e2ba11c793"
	],
	"threat_actors": [],
	"ts_created_at": 1775434672,
	"ts_updated_at": 1775791224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ae7ec7e48d524a7e6144841adbb1b786e2a0c65d.pdf",
		"text": "https://archive.orkl.eu/ae7ec7e48d524a7e6144841adbb1b786e2a0c65d.txt",
		"img": "https://archive.orkl.eu/ae7ec7e48d524a7e6144841adbb1b786e2a0c65d.jpg"
	}
}