General

  • Target

    SecuriteInfo.com.Trojan.MulDrop12.44210.25533.6581

  • Size

    89KB

  • Sample

    201109-xljy37e6ls

  • MD5

    d617629cc616053d970ce78ec2df19ec

  • SHA1

    778298b7d67c4b10d6ee0025142cbd2656f80452

  • SHA256

    c70f085a5bb6b5589088374114bbd7a7e097ad8dce5343aec499cd7bc070f061

  • SHA512

    3e15af84c04e70631c5efab857e58b8fb46c968b355bbd91915c2b8098fda6a9c8a32b98591c7d87cec8cc2571e3f40983c893ce7d7970258f101b5e683534e4

Malware Config

Targets

    • Contains code to disable Windows Defender

      A .NET executable that disables Windows Defender capabilities such as real-time monitoring and block-at-first-seen.

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity that embeds the payload as a Bitmap object which is later decrypted.

    • Modifies Windows Defender Real-time Protection settings

    • rezer0

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Windows security modification

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                  ID      Count
  Persistence      Modify Existing Service    T1031   1
  Defense Evasion  Modify Registry            T1112   2
  Defense Evasion  Disabling Security Tools   T1089   2

Tasks