General

  • Target

    pdf.com

  • Size

    132KB

  • Sample

    210909-rnzkrsgce6

  • MD5

    291110d28eb31d044e1ef45306aaebc5

  • SHA1

    5dfb0ca60fc82d423da211d2397d4a39a4ed7587

  • SHA256

    ca38bc5a74167b7931db40cb00e670773b696df8c2df0d17761b38a99d40941a

  • SHA512

    505f930ddc4d370929ef5230ee14ec75acd3106d71b3f088fb39ab9fdbf98e6373ccf7ed4c97f87c58e1fdee33a17a663f3c894e814e0b83681b5494715854e8

Malware Config

Targets

    • Target

      pdf.com

    • Size

      132KB

    • MD5

      291110d28eb31d044e1ef45306aaebc5

    • SHA1

      5dfb0ca60fc82d423da211d2397d4a39a4ed7587

    • SHA256

      ca38bc5a74167b7931db40cb00e670773b696df8c2df0d17761b38a99d40941a

    • SHA512

      505f930ddc4d370929ef5230ee14ec75acd3106d71b3f088fb39ab9fdbf98e6373ccf7ed4c97f87c58e1fdee33a17a663f3c894e814e0b83681b5494715854e8

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Tasks