General
-
Target
usa1.exe
-
Size
3.2MB
-
Sample
220626-gv2zcsbed3
-
MD5
ab8e9ac36f014b3e59d38f5a41dd5abe
-
SHA1
b040fed81d9d11384d8f972e51fb946128ddc398
-
SHA256
6d0a5048b64ef4877f1ea3480f95b899344dd020c05130055260048b91201dc0
-
SHA512
7004299e4eda607bac1ca3b89a38ff9e23065e0601269f03b699788bd39f858ac24aef0bd84690aafb24b76a52ee945635e56c06742f4f08b7f109c001c6f269
Malware Config
Targets
-
-
Target
usa1.exe
-
Size
3.2MB
-
MD5
ab8e9ac36f014b3e59d38f5a41dd5abe
-
SHA1
b040fed81d9d11384d8f972e51fb946128ddc398
-
SHA256
6d0a5048b64ef4877f1ea3480f95b899344dd020c05130055260048b91201dc0
-
SHA512
7004299e4eda607bac1ca3b89a38ff9e23065e0601269f03b699788bd39f858ac24aef0bd84690aafb24b76a52ee945635e56c06742f4f08b7f109c001c6f269
Score10/10-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies Windows Defender Real-time Protection settings
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
ModiLoader Second Stage
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-