Overview

overview

10

Static

static

8

contract_7380.xlam

windows7_x64

10

contract_7380.xlam

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    contract_7380.xlam

  • Size

    17KB

  • Sample

    210824-6t37l29ar6

  • MD5

    cf1156c12c6eb049bbb190be60d813fb

  • SHA1

    6d26cb5031494569c83b7ae713afed0c646aa29f

  • SHA256

    e3b78828f69be496566ad8b7563f2725e1a18347602b8d9dd1896e30b5399290

  • SHA512

    c51469bb6d564082f2aebb1dc765a1101070ce144205079ba0e404980930172c25cd2ef3baba22cc8ebfcd8fcc24ecf2a09ea1e6c7d428abf1f1b7f68f6825dc

Score
10/10
guloadermodiloaderdownloadermacropersistencesuricatatrojan

Malware Config

Targets

    • Target

      contract_7380.xlam

    • Size

      17KB

    • MD5

      cf1156c12c6eb049bbb190be60d813fb

    • SHA1

      6d26cb5031494569c83b7ae713afed0c646aa29f

    • SHA256

      e3b78828f69be496566ad8b7563f2725e1a18347602b8d9dd1896e30b5399290

    • SHA512

      c51469bb6d564082f2aebb1dc765a1101070ce144205079ba0e404980930172c25cd2ef3baba22cc8ebfcd8fcc24ecf2a09ea1e6c7d428abf1f1b7f68f6825dc

    Score
    10/10
    suricataguloadermodiloaderdownloaderpersistencetrojan

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • suricata: ET MALWARE Generic .bin download from Dotted Quad

      suricata: ET MALWARE Generic .bin download from Dotted Quad

      suricata

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata

    • Downloads MZ/PE file

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Adds Run key to start application

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks