General

Target: 006b91eb_IHyB_31ECD
Size: 1010KB
Sample: 210829-rapxwhlw4j
MD5: 006b91eb6fe52d68af0c7e6b6ee0cdf5
SHA1: a797f0062757264d9ed96fb16dbbe1f997891cb4
SHA256: 2181fc561eed3985e3f6922bfc50bb1a761377874ab0e86344bdc74505ed8f5c
SHA512: 3318ae6b954591db13537c8c04630a9914cdd51bfd4ef7c372f7bfb2cd33f572d06041ed99b97ed44796a3654891e444598ab15a102d86efa7ae9a80afccc634

Static task: static1
Behavioral task: behavioral1
Sample: 006b91eb_IHyB_31ECD.exe
Resource: win7v20210408 (Windows 7 analysis image)
Malware Config

Extracted URL: https://kmsauto.us/ra/ALL.txt
Extracted URL: https://kmsauto.us/ALL.txt

Both URLs were recovered from the sample's configuration. Treat the host and the paths as indicators to block and hunt for, not as something to fetch from an analyst workstation.
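An added example, not part of the sandbox report: a small Python check that recomputes all four digests of a local file and compares them with the hashes listed above, and that turns the extracted config URLs into a host blocklist. The hash and URL values are copied from the report; the function names and the command-line wrapper are this example's own.

```python
import hashlib
from urllib.parse import urlparse

# Indicators copied from the sandbox report above.
REPORT_HASHES = {
    "md5": "006b91eb6fe52d68af0c7e6b6ee0cdf5",
    "sha1": "a797f0062757264d9ed96fb16dbbe1f997891cb4",
    "sha256": "2181fc561eed3985e3f6922bfc50bb1a761377874ab0e86344bdc74505ed8f5c",
    "sha512": "3318ae6b954591db13537c8c04630a9914cdd51bfd4ef7c372f7bfb2cd33f572d06041ed99b97ed44796a3654891e444598ab15a102d86efa7ae9a80afccc634",
}
REPORT_URLS = [
    "https://kmsauto.us/ra/ALL.txt",
    "https://kmsauto.us/ALL.txt",
]


def digest_bytes(data: bytes) -> dict:
    """Hex digests of an in-memory buffer for every algorithm the report lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def digest_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Stream a file once through all four hash functions (samples can be large)."""
    hashers = {name: hashlib.new(name) for name in REPORT_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_report(digests: dict, report: dict = REPORT_HASHES) -> dict:
    """Per-algorithm comparison against the report, case-insensitive on the hex."""
    return {name: digests.get(name, "").lower() == expected.lower()
            for name, expected in report.items()}


def is_same_sample(digests: dict, report: dict = REPORT_HASHES) -> bool:
    """True only when every listed digest agrees. A partial match (for example SHA256
    agreeing while MD5 does not) means the report or the file was copied wrongly and
    should be investigated, not silently accepted on the strongest hash."""
    return all(match_report(digests, report).values())


def blocklist_hosts(urls) -> list:
    """Hostnames from the extracted config URLs, deduplicated for a DNS/proxy blocklist."""
    return sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        verdict = "matches report" if is_same_sample(digest_file(path)) else "does NOT match"
        print(path, verdict)
    print("hosts to block:", blocklist_hosts(REPORT_URLS))
```

Run it as `python check.py sample.bin`. Comparing all four digests instead of the first hit is deliberate: MD5 and SHA1 are collision-prone, so reputation lookups should key on SHA256, while a disagreement between algorithms usually points at a transcription error in the report rather than at a collision.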
Targets

Target: 006b91eb_IHyB_31ECD (size and hashes as listed under General)
Signatures observed for this target:

- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- suricata: ET MALWARE PE EXE or DLL Windows file download Text
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
- suricata: ET MALWARE Win32/Delf.BLL Variant CnC Activity (Inbound)
- suricata: ET MALWARE Win32/Delf.BLL Variant CnC Activity (Outbound)
- ModiLoader First Stage
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- Suspicious use of SetThreadContext
  Setting the context of a thread in another process is the usual hand-off step in process hollowing and similar injection; read it together with "Executes dropped EXE" and "Loads dropped DLL" above.
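The four Suricata alert names above are what a network sensor would raise for this sample. As an added example, not part of the sandbox report, the Python below reads Suricata's eve.json output, keeps only those signatures, orients each flow to the internal host, and flags a host only when both the payload-download stage and the CnC stage have fired. The eve.json records are constructed for the example and trimmed to the fields used; the addresses are documentation ranges, the `HOME_NET` value and the function names are assumptions, and the "ET INFO Placeholder" alert is a stand-in for unrelated noise.

```python
import ipaddress
import json
from collections import defaultdict

# Alert names for this sample, copied from the report above.
REPORT_SIGNATURES = {
    "ET MALWARE PE EXE or DLL Windows file download Text",
    "ET MALWARE Trojan Generic - POST To gate.php with no referer",
    "ET MALWARE Win32/Delf.BLL Variant CnC Activity (Inbound)",
    "ET MALWARE Win32/Delf.BLL Variant CnC Activity (Outbound)",
}

# Assumed monitored range, playing the role of Suricata's HOME_NET variable.
HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed eve.json records, trimmed to the fields used below. Addresses are
# documentation ranges and are not infrastructure seen in the analysis.
SAMPLE_EVE = """\
{"timestamp":"2021-08-29T12:00:01+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","alert":{"signature":"ET MALWARE PE EXE or DLL Windows file download Text","severity":1}}
{"timestamp":"2021-08-29T12:00:02+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP"}
{"timestamp":"2021-08-29T12:00:03+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP","alert":{"signature":"ET MALWARE Trojan Generic - POST To gate.php with no referer","severity":1}}
{"timestamp":"2021-08-29T12:00:04+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP","alert":{"signature":"ET MALWARE Win32/Delf.BLL Variant CnC Activity (Outbound)","severity":1}}
{"timestamp":"2021-08-29T12:00:05+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"10.0.0.5","dest_port":49152,"proto":"TCP","alert":{"signature":"ET MALWARE Win32/Delf.BLL Variant CnC Activity (Inbound)","severity":1}}
{"timestamp":"2021-08-29T12:00:06+0000","event_type":"alert","src_ip":"10.0.0.9","dest_ip":"192.0.2.20","dest_port":80,"proto":"TCP","alert":{"signature":"ET INFO Placeholder Unrelated Alert","severity":3}}
"""


def in_home_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def parse_alerts(text: str):
    """Yield only alert events; flow, dns, http and other event types are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("event_type") == "alert":
            yield event


def victim_and_peer(event: dict) -> tuple:
    """Orient the flow: the inbound CnC rule fires on server->client packets, so the
    infected host is dest_ip there and src_ip on the outbound rules."""
    src, dst = event["src_ip"], event["dest_ip"]
    if in_home_net(dst) and not in_home_net(src):
        return dst, src
    return src, dst


def triage(text: str, signatures=REPORT_SIGNATURES) -> dict:
    """Group the report's signatures by internal host: {host: {"signatures", "peers"}}."""
    hits = defaultdict(lambda: {"signatures": set(), "peers": set()})
    for event in parse_alerts(text):
        sig = event["alert"]["signature"]
        if sig not in signatures:
            continue
        victim, peer = victim_and_peer(event)
        hits[victim]["signatures"].add(sig)
        hits[victim]["peers"].add(peer)
    return dict(hits)


def confirmed_hosts(hits: dict) -> list:
    """Flag a host only when both stages the report shows are present: a payload
    download plus a CnC exchange. A lone 'file download' alert also fires on
    ordinary software downloads and is not enough on its own."""
    flagged = []
    for host, info in hits.items():
        sigs = info["signatures"]
        downloaded = any("file download" in s for s in sigs)
        cnc = any("CnC Activity" in s or "gate.php" in s for s in sigs)
        if downloaded and cnc:
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    result = triage(SAMPLE_EVE)
    for host in confirmed_hosts(result):
        print(host, "talked to", sorted(result[host]["peers"]))
```

Point `triage` at the contents of a real `eve.json` to reuse it; the peer set it returns for a flagged host is the pivot for the next step (proxy and DNS logs for the same destinations). Matching on signature text rather than SID keeps the example honest about what the report shows, but in production key on `alert.signature_id`, since rule names are occasionally reworded between ET releases.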