Part 4/8:
The malicious payload was fetched from a suspicious URL associated with the loader, indicating active command-and-control (C2) infrastructure under the attacker's control. Upon execution, the loader downloaded and ran the second-stage binary, extending the malware's capabilities and persistence.
The Malware’s Actions: Spying and Mining
While analyzing the second-stage payload, the author found that it was heavily obfuscated. Unable to unpack it immediately, he decided that running the binary in a sandbox environment was the safest approach.
Once executed in the controlled environment, the malware performed several actions:
- Communication with the C2 server: it contacted an IP address and sent a bot ID, which suggests that the sample is part of a broader botnet.