Keypoints
- BunnyLoader has evolved rapidly since it first appeared in September 2023; version 3.0 introduced a modular architecture and a much smaller base payload.
- Infection chains include CMD droppers, ZIP lures (e.g., Shovel Knight.zip), PureCrypter packing, and a .NET injector that loads BunnyLoader as notepet.exe/notep.exe.
- 3.0 uses HTTP-based C2 with a configurable path (e.g., /gate.php) and obfuscates HTTP parameter values with per-execution RC4 keys.
- The binary is modular: core client checks C2 frequently and downloads modules (stealer, keylogger, clipper, DoS) saved to %localappdata%/Temp or injected in-memory into notepad.exe/calc.exe.
- Stealer collects data from browsers, crypto wallets, targeted files and the keylogger's logs, compresses it via PowerShell, reports metadata to C2, then uploads the ZIP to a C2 Logs path.
- Clipper replaces clipboard crypto addresses using regex patterns for multiple wallet types; DoS module performs HTTP GET/POST floods when commanded.
- Observed defense evasion includes packers (UPX, Themida), PureCrypter delivery, and filenames/paths chosen to mimic legitimate apps and security vendors.
MITRE Techniques
- [T1056.001] Input Capture: Keylogging – Brief: 3.0 includes a keylogger that records keystrokes and writes logs to %localappdata%\Temp. Quote: (‘The BunnyLoader 3.0 keylogger records all keystrokes, saving them to log files in the %localappdata%\Temp folder.’)
- [T1555.003] Credentials from Web Browsers – Brief: Stealer module harvests browser credentials and extensions, then prepares data for exfiltration. Quote: (‘The BunnyLoader 3.0 stealer module operates autonomously, stealing credentials and exfiltrating data directly to the C2 server.’)
- [T1115] Clipboard Data – Brief: Clipper module monitors and replaces clipboard contents with attacker-controlled crypto addresses. Quote: (‘The clipper uses regex patterns to identify whether the target’s clipboard contains a desired wallet address type.’)
- [T1055] Process Injection – Brief: Modules are injected into legitimate processes (e.g., notepad.exe, calc.exe) for in-memory execution. Quote: (‘injects it into notepad.exe, entirely in memory.’)
- [T1071.001] Application Layer Protocol: Web Protocols – Brief: C2 uses plain HTTP endpoints (a configurable gate path such as /gate.php) and a distinct user-agent string for each client function. Quote: (‘communicate with the C2 server located at hxxp://ads[.]hostloads[.]xyz/BAGUvIxJu32I0/gate.php’)
- [T1041] Exfiltration Over C2 Channel – Brief: Stealer compresses logs and uploads .zip files to C2 using HTTP with a custom user-agent. Quote: (‘the stealer will use PowerShell to compress the ADE_LOGS folder into a .zip file’ and ‘the stealer will upload the .zip file, using the user agent Uploader’).
- [T1105] Ingress Tool Transfer – Brief: C2 issues commands to download executables, DLLs, scripts and modules to %localappdata%/Temp. Quote: (‘Downloads .exe specified by Task_Arg to the %localappdata%/Temp folder and executes it’).
- [T1027] Obfuscated Files or Information (Software Packing) – Brief: Operators use packers and crypters (UPX, Themida, PureCrypter) to evade analysis. Quote: (‘Samples collected during this time included packed binaries using PureCrypter, UPX and Themida’).
- [T1059.001] PowerShell – Brief: Stealer uses PowerShell to compress collected logs before exfiltration. Quote: (‘the stealer will use PowerShell to compress the ADE_LOGS folder into a .zip file.’)
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Brief: 3.0 is delivered in at least one case via a malicious .cmd dropper. Quote: (‘the first known sample of BunnyLoader 3.0 contained in a malicious .cmd script’).
- [T1498] Network Denial of Service – Brief: DoS module performs HTTP GET/POST flood attacks against specified targets when instructed by C2 (an application-layer flood of this kind is more precisely covered by T1499.002, Endpoint Denial of Service: Service Exhaustion Flood). Quote: (‘The C2 can instruct the module to perform either a GET or POST HTTP flood attack against a specified URL.’)
Indicators of Compromise
- [IP Address] C2 endpoints – 37.139.129[.]145 (initial C2 observed Sept 2023), 91.92.247[.]212 (BunnyLoader 3.0 C2), and other C2 IPs observed in campaigns.
- [File Hash] notable samples – c80a63350ec791a16d84b759da72e043891b739a04c7c1709af83da00f7fdc3a (BunnyLoader 3.0 EXE), 1a5ad9ae7b0dcdc2edb7e93556f2c59c84f113879df380d95835fb8ea3914ed8 (.cmd dropper), and 15+ additional hashes listed in the report.
- [Domain/URL] C2 & module paths – hxxp://ads[.]hostloads[.]xyz/BAGUvIxJu32I0/gate.php (example C2 gate), hxxp://[C2]/[path]/Modules/[module name].exe (module download pattern, e.g., eSentire.exe).
- [Filenames] lures & payload names – Shovel Knight.zip (ZIP lure/stager), notepet.exe / notep.exe (masqueraded BunnyLoader payload), and module filenames eSentire.exe, zScaler.exe, NextronSystems.exe.
BunnyLoader’s observed delivery chains range from simple CMD droppers and ZIP lures (e.g., Shovel Knight.zip) to multi-stage chains in which a Delphi dropper or PureCrypter loader hands off to a .NET injector that loads BunnyLoader disguised as notepet.exe/notep.exe. Operators also used packers (UPX, Themida) and PureCrypter to hinder analysis. The BunnyLoader 3.0 sample Unit 42 examined is embedded in a .cmd dropper. Once executed, it configures hard-coded C2 values (address, path, operator ID) and generates a random 32-character RC4 key for that execution; every HTTP query parameter value is RC4-encrypted with that key and then URL-encoded, so parameter names remain readable while the values appear as percent-escaped random bytes.
Runtime behavior is modular: the lightweight base client checks in frequently (a heartbeat plus 2-second task polling) using a distinct user-agent per function and a single gate endpoint (gate.php). Commands follow a structured text format (ID –> [value]; Task_Name –> [value]; Task_Args –> [value]; DLL –> [value]) and instruct the client to download modules or artifacts to %localappdata%\Temp or to inject them in memory into notepad.exe or calc.exe. Module downloads use the ESET NOD32 user-agent when the module is saved to disk and curl/1.0 when it is injected filelessly; module URLs follow the pattern http://[C2]/[path]/Modules/[module name].exe (e.g., eSentire.exe for the stealer, NextronSystems.exe for the keylogger).
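The two halves of the gate exchange described above, as an added example that is not code from the report or from BunnyLoader itself: the client side RC4-encrypts each query parameter value with a per-execution key and then URL-encodes the ciphertext, the analyst side reverses that once the key has been recovered (for example from memory or a debugger), and a small parser pulls the four fields out of a task response. The parameter names in the check-in, the task name, and the 32-hex-character key alphabet are assumptions; the page states only that the key is 32 random characters and does not fix the arrow glyph in the task format, so the parser accepts `->`, `-->` and dash variants.

```python
import re
import secrets
from urllib.parse import quote, unquote_to_bytes


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def new_session_key() -> bytes:
    """Per-execution key. The page says 32 random characters but not the alphabet;
    assumption: 32 hex characters."""
    return secrets.token_hex(16).encode()


def encode_params(key: bytes, params: dict) -> str:
    """Client side: RC4-encrypt each VALUE, then percent-encode the raw ciphertext bytes.
    Parameter names are left in cleartext, as the page describes."""
    return "&".join(
        f"{name}={quote(rc4(key, value.encode()), safe='')}" for name, value in params.items()
    )


def decode_params(key: bytes, query: str) -> dict:
    """Analyst side: percent-decode each value back to ciphertext and RC4-decrypt it."""
    out = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        out[name] = rc4(key, unquote_to_bytes(value)).decode("utf-8", errors="replace")
    return out


# Field --> [value] pairs; the arrow may be '->', '-->' or an en/em dash followed by '>'.
TASK_RE = re.compile(r"(?P<field>ID|Task_Name|Task_Args|DLL)\s*[-\u2013\u2014]+>\s*\[(?P<value>[^\]]*)\]")
REQUIRED_FIELDS = ("ID", "Task_Name", "Task_Args", "DLL")


def parse_task(response: str) -> dict:
    """Parse 'ID --> [..]; Task_Name --> [..]; Task_Args --> [..]; DLL --> [..]' into a dict."""
    fields = {m.group("field"): m.group("value") for m in TASK_RE.finditer(response)}
    missing = [f for f in REQUIRED_FIELDS if f not in fields]
    if missing:
        raise ValueError(f"task response missing fields: {missing}")
    return fields


if __name__ == "__main__":
    key = new_session_key()
    # Constructed check-in; the parameter names are illustrative, not taken from the report.
    query = encode_params(key, {"id": "BUNNY-0001", "os": "Windows 10", "user": "analyst"})
    print("GET /BAGUvIxJu32I0/gate.php?" + query)
    print(decode_params(key, query))
    # Constructed task response; the task name is hypothetical.
    task = parse_task(
        "ID --> [7]; Task_Name --> [Download_Exe]; "
        "Task_Args --> [http://c2.invalid/BAGUvIxJu32I0/Modules/eSentire.exe]; DLL --> [0]"
    )
    print(task)
```

Because the key is regenerated on every run, two executions of the same sample produce different ciphertext for identical check-in data; a decoder therefore has to be paired with the key from the same process instance, which is why capturing the key at runtime matters more than collecting traffic alone.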
Key modules and mechanics: the keylogger captures foreground window titles via GetForegroundWindow/GetWindowTextA and writes per-target logs keyed on those titles (e.g., ADE_PAYPAL.txt, ADE_BOA.txt) alongside a general ADE_KEY.txt; the stealer enumerates browsers, crypto wallets and file targets, compresses ADE_LOGS via PowerShell into a .zip, reports metadata to C2 (a GET with the Windows Defender user-agent and RC4-encrypted, URL-encoded parameters), then uploads the ZIP with the Uploader user-agent and removes its artifacts; the clipper monitors the clipboard, matches wallet-address regexes and swaps in attacker-controlled addresses; the DoS module spawns threads that run HTTP GET or POST floods when commanded. Detection and response should focus on the traffic anomalies this produces: persistent HTTP callbacks to a gate.php path, query values that are percent-encoded high-entropy bytes (the RC4 ciphertext), polling at roughly two-second intervals, downloads of .exe files from a /Modules/ path, the function-specific user-agent strings (ESET NOD32, curl/1.0, Windows Defender, Uploader), and the file hashes and C2 IPs listed above.
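The detection points just listed, run over a constructed proxy log as an added example (not part of the report): it flags contact with the page's C2 IOCs, the function-specific user-agent strings, .exe downloads under /Modules/, gate requests whose query values are mostly %XX escapes (the URL-encoded RC4 ciphertext), and any client that polls a gate.php path at a median interval of a few seconds. The log format, the 10.0.0.x addresses, the query values and the /Logs/ upload path are constructed; the assumption that the user-agent strings appear verbatim is noted in the code.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# IOCs from the page, with the [.] defanging removed so they match raw log text.
C2_HOSTS = {"37.139.129.145", "91.92.247.212", "ads.hostloads.xyz"}
# User-agent strings the page attributes to specific BunnyLoader functions.
# Assumption: they appear verbatim as the whole User-Agent header value.
BUNNY_UAS = {"ESET NOD32", "curl/1.0", "Uploader", "Windows Defender"}
GATE_RE = re.compile(r"/gate\.php$")
MODULE_RE = re.compile(r"/Modules/[^/]+\.exe$", re.IGNORECASE)
ESCAPE_RE = re.compile(r"%[0-9A-Fa-f]{2}")
# Constructed log shape: <ISO time> <client ip> <method> <url> "<user-agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Constructed sample log (not from the report). 10.0.0.5 is the infected host,
# 10.0.0.7 is benign. Gate query values stand in for URL-encoded RC4 bytes.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 GET http://ads.hostloads.xyz/BAGUvIxJu32I0/gate.php?id=%8C%F1%0A%3B%E7%52%9D%C4 "Mozilla/5.0"
2024-03-01T10:00:01 10.0.0.7 GET https://www.example.com/index.html "Mozilla/5.0"
2024-03-01T10:00:02 10.0.0.5 GET http://ads.hostloads.xyz/BAGUvIxJu32I0/gate.php?id=%1D%A0%77%C9%3E%B2%08%F4 "Mozilla/5.0"
2024-03-01T10:00:03 10.0.0.7 GET https://www.example.com/search?q=bunny "Mozilla/5.0"
2024-03-01T10:00:04 10.0.0.5 GET http://ads.hostloads.xyz/BAGUvIxJu32I0/gate.php?id=%8C%F1%0A%3B%E7%52%9D%C4 "Mozilla/5.0"
2024-03-01T10:00:06 10.0.0.5 GET http://ads.hostloads.xyz/BAGUvIxJu32I0/gate.php?id=%1D%A0%77%C9%3E%B2%08%F4 "Mozilla/5.0"
2024-03-01T10:00:08 10.0.0.5 GET http://ads.hostloads.xyz/BAGUvIxJu32I0/gate.php?id=%8C%F1%0A%3B%E7%52%9D%C4 "Mozilla/5.0"
2024-03-01T10:00:10 10.0.0.5 GET http://ads.hostloads.xyz/BAGUvIxJu32I0/gate.php?id=%1D%A0%77%C9%3E%B2%08%F4 "Mozilla/5.0"
2024-03-01T10:00:12 10.0.0.5 GET http://ads.hostloads.xyz/BAGUvIxJu32I0/Modules/eSentire.exe "ESET NOD32"
2024-03-01T10:00:30 10.0.0.5 POST http://ads.hostloads.xyz/BAGUvIxJu32I0/Logs/ADE_LOGS.zip "Uploader"
"""


def looks_encrypted(query: str, min_len: int = 8, min_ratio: float = 0.3) -> bool:
    """Heuristic for percent-encoded ciphertext: most bytes of RC4 output fall outside
    the URL-unreserved set, so most of each value's length is %XX escapes."""
    for pair in query.split("&"):
        value = pair.partition("=")[2]
        if len(value) >= min_len and 3 * len(ESCAPE_RE.findall(value)) / len(value) >= min_ratio:
            return True
    return False


def analyze(lines, poll_max_seconds: float = 3.0, min_polls: int = 5):
    """Return sorted, de-duplicated (kind, client, detail) findings for the log lines."""
    findings = set()
    gate_times = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url, ua = m.groups()
        parts = urlsplit(url)
        host, path, query = parts.hostname or "", parts.path, parts.query
        if host in C2_HOSTS:
            findings.add(("known_c2", client, host))
        if ua in BUNNY_UAS:
            findings.add(("bunnyloader_ua", client, ua))
        if MODULE_RE.search(path):
            findings.add(("module_download", client, url))
        if GATE_RE.search(path):
            gate_times[(client, host)].append(datetime.fromisoformat(ts))
            if looks_encrypted(query):
                findings.add(("encoded_query", client, host + path))
    # Cadence check: a client hitting the same gate every couple of seconds is the
    # 2-second task polling, regardless of which user-agent it presents.
    for (client, host), times in gate_times.items():
        if len(times) < min_polls:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        if median <= poll_max_seconds:
            findings.add(("gate_polling", client, f"{host} median gap {median:.1f}s over {len(times)} requests"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, client, detail in analyze(SAMPLE_LOG.splitlines()):
        print(f"{kind:16} {client:10} {detail}")
```

The cadence rule is the most durable of the five: C2 hosts, paths and user-agent strings are configurable per campaign, but a client that has to poll a single endpoint every two seconds leaves the same timing signature wherever it is pointed.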
Read more: https://unit42.paloaltonetworks.com/analysis-of-bunnyloader-malware/