NewBot Loader
By Jason Reaves
Published: 2024-03-12 · Archived: 2026-04-05 16:10:05 UTC

By: Jason Reaves and Joshua Platt

Another day, another new loader. During our research lately, we have discovered several new malware loaders that appear to be targeting corporate and enterprise environments. This one calls itself NewBot Loader:

The loader is slightly obfuscated, but some strings can still be seen, giving a bit of insight into its capabilities.

b__0
b__0
b__0
b__0
b__0
b__0
b__0
pDOMAIN_CONTROLLER_INFO
download
Upload
Overload
get_Payload
set_Payload
set_MachineName
get_DomainControllerSiteName
get_DomainControllerName
get_UserName
get_ComputerName
get_DomainControllerForestName
get_CommandType
get_InstalledAntiMalware
set_UseShellExecute

The rest of the strings are loaded as single bytes:

We can recover them pretty easily, though, by hexlifying the entire binary and doing a regex:

```python
>>> import re, binascii
>>> d = binascii.hexlify(open(sample_path, 'rb').read()).decode()  # sample_path: path to the loader binary
>>> t = re.findall(r'''[a2,01]2520.{8}20..''', d)  # 17 hex chars per match; the last two are the character byte
>>> tt = [(x[-2:], x) for x in t]
>>> tt = [(chr(int(x[0], 16)), x[1]) for x in tt]
>>> tt[0]
('\x00', '12520000000002000')
>>> out = ""
>>> for val in tt:
...     if val[1][0] == '1':  # a leading '1' marks the first byte of a new string
...         out += '\n'
...     out += val[0]
...
>>> out
'\n\x00\nOpening new shell...\ncmd.exe\n/k\n[\n] - \nInfo\nError\n[\n] - \nError\n[\n] - \n{0}:{1}\nC
```

The decoded strings are appended to the end of this blog. The config is mostly based on random data and a generated GUID, but finding the calls to it involves going through the control-flow obfuscation that is common in .NET, which relies on overloaded class methods. We will briefly walk through a few relevant code blocks below:

To find where this gets used, we start with the code below, following the built string ‘Loader started…’:

The first call, Xoshiro, sets up the registry key persistence via a Run key.

Next, a new object is created, which is also where our config is set up inside the Partner function. This object is then passed to Intx, which just sets the internal Fixups variable to the new object:

This gets used later; what is passed in is the C2 host and port, which is also decoded from the strings:

There are also a lot of strings related to AV, EDR and analyst tools, which appear to mostly come from OSINT code[1]. These strings are loaded into a string array named Hierarchy:

Later, these names are retrieved in another piece of code. The manual function called just returns the previous array.

Next, a few directory locations are loaded:

The loaded directories are:

C:\Program Files (x86)
C:\Program Files
C:\ProgramData

The loader will then look for any sub-folder containing the strings:

Decoded strings allude to encoded payload extraction. The extraction routine reads in the first 16 bytes to acquire a key that will be used in the decoding routine. Unfortunately, we were unable to retrieve a payload at the time of writing.

```csharp
// Decompiled key-extraction fragment (truncated in the original post)
using (MemoryStream memoryStream = new MemoryStream(older, 0, older.Length))
{
    // The first 16 bytes of the encoded payload are the key for the decoding routine
    byte[] array = new byte[16];
    int num = memoryStream.Read(array, 0, 16);
    bool flag = num < 16;
    if (flag)
    {
        throw new Exception(string.Concat(new string[]
        {
            "Unable to extract key from encoded payload."
        }));
    }
    // ... decoding of the remaining bytes continues here (not shown in the post)
}
```

Decoded strings

Opening new shell...
cmd.exe
/k
[
] - 
Info
Error
[
] - 
Error
[
] - 
{0}:{1}
Client {0} connecting to {1}...
Unable to perform handshake.
Client {0} connected to {1}...
Unable to connect listener: {0} received.
Sending {0} callback...
Disconnecting {0}...
Disconnected {0}...
Unable to extract key from encoded payload.
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NewBot.Loader
NewBot.Loader
Unable to read x32 headers.
.text
.data
.pdata
.reloc
.rsrc
.rdata
Allocating memory...
NtAllocateVirtualMemory
Memory allocation failed.
Allocation ended with result {0} in {1:X}
Creating thread...
NtCreateThreadEx
Creating thread failed.
Creating thread finished with result {0} - {1}.
Starting thread...
NtWaitForSingleObject
Unable to start thread
Thread finished with status {0}.
Writing virtual memory...
NtWriteVirtualMemory
Unable to write virtual memory
Writing virtual memory finished with status {0}.
ntdll.dll
Unable to determine syscall for method:
Strategy cannot be null.
Executing {0}...
Command executed.
45.15.157[.]139:1337
SELECT * FROM Win32_OperatingSystem
Caption
Version
Error:
Unknown
Unknown
SELECT * FROM Win32_ComputerSystem
TotalPhysicalMemory
Error:
HARDWARE\DESCRIPTION\System\CentralProcessor\0
PROCESSOR_IDENTIFIER
ProcessorNameString
System
System Up Time
C:\Program Files (x86)
C:\Program Files
C:\ProgramData
No domain controller information found.
SELECT * FROM Win32_ComputerSystem
Domain
Error:
Unknown
activeconsole
ADA-PreCheck
ahnlab
anti malware
anti-malware
antimalware
anti virus
anti-virus
antivirus
appsense
attivo networks
attivonetworks
authtap
avast
avecto
bitdefender
blackberry
canary
carbonblack
carbon black
check point
ciscoamp
cisco amp
countercept
countertack
cramtray
crssvc
crowdstrike
csagent
csfalcon
csshell
cybereason
cyclorama
cylance
cynet
cyoptics
cyupdate
cyvera
cyserver
cytray
darktrace
deep instinct
defendpoint
defender
eectrl
elastic
endgame
f-secure
forcepoint
fortinet
fireeye
groundling
GRRservic
harfanglab
inspector
ivanti
juniper networks
kaspersky
lacuna
logrhythm
malware
malwarebytes
mandiant
mcafee
morphisec
msascuil
msmpeng
nissrv
omni
omniagent
osquery
Palo Alto Networks
pgeposervice
pgsystemtray
privilegeguard
procwall
protectorservic
qianxin
qradar
qualys
rapid7
redcloak
red canary
SanerNow
sangfor
secureworks
securityhealthservice
semlaunchsv
sentinel
sentinelone
sepliveupdat
sisidsservice
sisipsservice
sisipsutil
smcgui
snac64
somma
sophos
splunk
srtsp
symantec
symcorpu
symefasi
sysinternal
sysmon
tanium
tdawork
tehtris
threat
trellix
tpython
trend micro
uptycs
vectra
watchguard
wincollect
windowssensor
wireshark
withsecure
N/A
Unable to inject empty payload.
Unable to inject x86 payload. (Not supported)
- Unable to inject payload to non local process.
Portable Exe injection to started...
Portable Exe injection completed.
Creating section: ...
Section created.
Starting relocation
Relocating {0} to {1} with length: {2}...
Resolving imports...
Loading DLL
Loading injection process...
Injecting payload to ...
Copying shellcode to memory...
Payload injection finished with wait status {0}.
Unable to find handler for command: {0}
N/A
N/A
N/A
N/A
N/A
Unable to get args from command: {0}
Unable to decode shell action.
Unable to get model for {0}
Unable to get model for {0}
Unable to get model for {0}
payloadType
Loader started...

501a2d61bb9cdcdcbc1a77c1cf985c4d3781d60cb94380fbecac73cdbd2120ba

Code reuse

FastBinaryJSON
SharpEDRChecker

IOCs

501a2d61bb9cdcdcbc1a77c1cf985c4d3781d60cb94380fbecac73cdbd2120ba
92f3fdcbeb7175d86daaab7ac7e07db4558c0933e91552f9a50420e841a47bb3
45.15.157[.]139:1337

Registry: \Software\Microsoft\Windows\CurrentVersion\Run\NewBot.Loader

WMI queries:
SELECT * FROM Win32_OperatingSystem
SELECT * FROM Win32_ComputerSystem

References

1: https://github.com/PwnDexter/SharpEDRChecker

Source: https://medium.com/walmartglobaltech/newbot-loader-81e2ba11c793
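As an added defender-side example (not code from the original post), the following Python hunts Sysmon-style JSON events for two of the indicators listed in the IOCs above: the NewBot.Loader Run-key value and a connection to the C2 host and port. The sample events and the field names (modelled on Sysmon event IDs 13 and 3) are constructed assumptions, not real telemetry.

```python
import json
import re

# Indicators from the IOC section of this post (the IP is defanged there as 45.15.157[.]139).
NEWBOT_RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\NewBot\.Loader$", re.IGNORECASE)
NEWBOT_C2 = ("45.15.157.139", 1337)

# Constructed Sysmon-style events (JSON lines; EventID 13 = registry value set,
# EventID 3 = network connection). Not real telemetry; field names are assumptions.
SAMPLE_EVENTS = r"""
{"EventID": 13, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\NewBot.Loader"}
{"EventID": 13, "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"}
{"EventID": 3, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe", "DestinationIp": "45.15.157.139", "DestinationPort": 1337}
{"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationIp": "93.184.216.34", "DestinationPort": 443}
"""


def check_event(event):
    """Return the names of the NewBot indicators matched by one parsed event."""
    hits = []
    eid = event.get("EventID")
    if eid == 13 and NEWBOT_RUN_KEY.search(event.get("TargetObject", "")):
        hits.append("newbot_run_key_persistence")
    if eid == 3 and (event.get("DestinationIp"), event.get("DestinationPort")) == NEWBOT_C2:
        hits.append("newbot_c2_connection")
    return hits


def hunt(lines):
    """Scan JSON-lines events and return (indicator, image) pairs for every match."""
    findings = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for hit in check_event(event):
            findings.append((hit, event.get("Image", "")))
    return findings


def correlate(findings):
    """Images seen both writing the Run key and reaching the C2: the highest-confidence hosts."""
    by_image = {}
    for hit, image in findings:
        by_image.setdefault(image, set()).add(hit)
    return sorted(img for img, hits in by_image.items() if len(hits) == 2)


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for hit, image in found:
        print(f"{hit}: {image}")
    print("correlated:", correlate(found))
```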