Overview

overview

10

Static

static

hypoc.exe

windows7_x64

10

hypoc.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    hypoc.exe

  • Size

    104KB

  • Sample

    210928-xj16paceh8

  • MD5

    916c42dbafbbaa9d7f5208494710c354

  • SHA1

    952c4314cadc08ca01a1227e999f645c12760aeb

  • SHA256

    5eab33aa65a63135b926cad2766fd657c092c2704cc5155462d119053285cda8

  • SHA512

    0d95757ba0bacc5bd43a58048afb66c74b07d5252ce99e78efa0f1fbe7da4baa3e5e3adf1d53422ba9225a3ea1a2a40a1083fed69b6220132d28bf8f840fef61

Score
10/10
guloadermodiloaderdownloaderpersistencetrojan

Malware Config

Targets

    • Target

      hypoc.exe

    • Size

      104KB

    • MD5

      916c42dbafbbaa9d7f5208494710c354

    • SHA1

      952c4314cadc08ca01a1227e999f645c12760aeb

    • SHA256

      5eab33aa65a63135b926cad2766fd657c092c2704cc5155462d119053285cda8

    • SHA512

      0d95757ba0bacc5bd43a58048afb66c74b07d5252ce99e78efa0f1fbe7da4baa3e5e3adf1d53422ba9225a3ea1a2a40a1083fed69b6220132d28bf8f840fef61

    Score
    10/10
    guloadermodiloaderdownloaderpersistencetrojan

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Adds Run key to start application

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks