Overview

overview

10

Static

static

006b91eb_I...CD.exe

windows7_x64

10

006b91eb_I...CD.exe

windows10_x64

10

Resubmissions

30-08-2021 15:07

210830-pwc1zfadk2 10

29-08-2021 05:12

210829-rapxwhlw4j 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    006b91eb_IHyB_31ECD

  • Size

    1010KB

  • Sample

    210829-rapxwhlw4j

  • MD5

    006b91eb6fe52d68af0c7e6b6ee0cdf5

  • SHA1

    a797f0062757264d9ed96fb16dbbe1f997891cb4

  • SHA256

    2181fc561eed3985e3f6922bfc50bb1a761377874ab0e86344bdc74505ed8f5c

  • SHA512

    3318ae6b954591db13537c8c04630a9914cdd51bfd4ef7c372f7bfb2cd33f572d06041ed99b97ed44796a3654891e444598ab15a102d86efa7ae9a80afccc634

Score
10/10
modiloaderbootkitevasionpersistencespywarestealersuricatatrojanupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://kmsauto.us/ra/ALL.txt

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://kmsauto.us/ALL.txt

Targets

    • Target

      006b91eb_IHyB_31ECD

    • Size

      1010KB

    • MD5

      006b91eb6fe52d68af0c7e6b6ee0cdf5

    • SHA1

      a797f0062757264d9ed96fb16dbbe1f997891cb4

    • SHA256

      2181fc561eed3985e3f6922bfc50bb1a761377874ab0e86344bdc74505ed8f5c

    • SHA512

      3318ae6b954591db13537c8c04630a9914cdd51bfd4ef7c372f7bfb2cd33f572d06041ed99b97ed44796a3654891e444598ab15a102d86efa7ae9a80afccc634

    Score
    10/10
    modiloaderbootkitpersistencespywarestealersuricatatrojanupxevasion

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • suricata: ET MALWARE PE EXE or DLL Windows file download Text

      suricata: ET MALWARE PE EXE or DLL Windows file download Text

      suricata

    • suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

      suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

      suricata

    • suricata: ET MALWARE Win32/Delf.BLL Variant CnC Activity (Inbound)

      suricata: ET MALWARE Win32/Delf.BLL Variant CnC Activity (Inbound)

      suricata

    • suricata: ET MALWARE Win32/Delf.BLL Variant CnC Activity (Outbound)

      suricata: ET MALWARE Win32/Delf.BLL Variant CnC Activity (Outbound)

      suricata

    • ModiLoader First Stage

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Bootkit

1
T1067

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Disabling Security Tools

1
T1089

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks