General

  • Target

    5ab7786518f2e12e631df4b89431384e1268c2bc357cfb1f932ac95a92a50f83

  • Size

    256KB

  • Sample

    220802-c17pksgehn

  • MD5

    6f2daa391bd82e2d92d46a4dc40e8a31

  • SHA1

    6186cb72b280818a568a8351c0d2e990a5673b54

  • SHA256

    5ab7786518f2e12e631df4b89431384e1268c2bc357cfb1f932ac95a92a50f83

  • SHA512

    308ced18268648d349dd82d6a8b6614649bb54f2f7ad743ffdc46279810659a118609df2db7383b0736ec11b5edfc5dd193deae72654921db1d8a27b8a7b7758

Score
10/10
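The hashes above are the report's indicators for this 256KB sample. The script below is an added example, not part of the sandbox report: it sweeps a directory tree, computes all four digests in a single pass per file, and lists every file that agrees with the report on at least one algorithm. REPORT_HASHES are copied from the General section; the directory layout, file names and the stand-in "sample" in demo() are constructed for illustration because the real binary is not available offline.

```python
"""Hunt a directory tree for files that match the hashes in this report.

Added example, not part of the sandbox report. REPORT_HASHES are copied from
the report's General section; everything else (paths, demo files) is
constructed for illustration.
"""
import hashlib
import io
import os
import tempfile
from typing import BinaryIO, Dict, List, Tuple

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Indicators copied from the report. All four describe the same file, so a
# genuine hit should match on every algorithm at once.
REPORT_HASHES: Dict[str, str] = {
    "md5": "6f2daa391bd82e2d92d46a4dc40e8a31",
    "sha1": "6186cb72b280818a568a8351c0d2e990a5673b54",
    "sha256": "5ab7786518f2e12e631df4b89431384e1268c2bc357cfb1f932ac95a92a50f83",
    "sha512": "308ced18268648d349dd82d6a8b6614649bb54f2f7ad743ffdc46279810659a118609df2db7383b0736ec11b5edfc5dd193deae72654921db1d8a27b8a7b7758",
}


def digest_stream(fh: BinaryIO, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Compute every digest in ALGORITHMS in one pass, so a file is read once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data: bytes) -> Dict[str, str]:
    return digest_stream(io.BytesIO(data))


def digest_file(path: str) -> Dict[str, str]:
    with open(path, "rb") as fh:
        return digest_stream(fh)


def matching_algorithms(digests: Dict[str, str], indicators: Dict[str, str]) -> List[str]:
    """Algorithms on which `digests` agrees with `indicators` (hex compared case-insensitively).

    A result containing 'sha256' or 'sha512' is conclusive. 'md5' or 'sha1' on
    their own, with the stronger digests disagreeing, means a transcription
    error or a collision, not this sample.
    """
    return [alg for alg, value in indicators.items() if digests.get(alg) == value.lower()]


def hunt(root: str, indicators: Dict[str, str] = REPORT_HASHES) -> List[Tuple[str, List[str]]]:
    """Walk `root` and return (path, matched_algorithms) for every file that matches."""
    hits: List[Tuple[str, List[str]]] = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                matched = matching_algorithms(digest_file(path), indicators)
            except OSError:
                continue  # unreadable or vanished file: skip it, keep sweeping
            if matched:
                hits.append((path, matched))
    return hits


def demo() -> Tuple[List[Tuple[str, List[str]]], str]:
    """Constructed stand-in: hash a fabricated file and hunt for it with
    indicators derived from that file. Not the report's sample."""
    fake_sample = b"MZ" + bytes(254)  # constructed placeholder content
    indicators = digest_bytes(fake_sample)
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "nested"))
        target = os.path.join(tmp, "nested", "update.exe")
        with open(target, "wb") as fh:
            fh.write(fake_sample)
        with open(os.path.join(tmp, "readme.txt"), "wb") as fh:
            fh.write(b"benign decoy")
        return hunt(tmp, indicators), target


if __name__ == "__main__":
    for path, matched in demo()[0]:
        print(path, "matched on", ", ".join(matched))
```

Run `hunt("/path/to/quarantine")` with the default indicators to sweep for the reported file; treat any hit that lists only md5 or sha1 as a reason to re-check the report's hashes rather than as a confirmed match.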

Targets

    • ModiLoader, DBatLoader

      ModiLoader (also tracked as DBatLoader) is a Delphi-based loader that abuses public cloud file-hosting services to stage and retrieve the follow-on malware families it delivers.

    • Process spawned unexpected child process

      The parent launched a child process it would not normally create. This typically indicates that the parent was compromised via an exploit or a malicious macro.

    • ModiLoader Second Stage

    • Checks computer location settings

      Reads the country code configured in the registry (Windows stores it as the Geo\Nation value under HKCU\Control Panel\International), most likely as a geofence to avoid running on machines in certain regions.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites a thread's register state, including its instruction pointer. Outside a debugger it is most often used to redirect a suspended thread into injected code (process hollowing or thread hijacking).
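The behaviours above are what a sandbox derives from the API calls a sample makes. The script below is an added example, not the sandbox's own detection code: it replays a trace of API events and raises the same four behavioural findings the report lists (geofence registry read, write under System32, unexpected child process, and SetThreadContext against a suspended child that has already been written to). The JSON-lines trace format, the event fields, the ROUTINE_LAUNCHERS allow-list and every event in SAMPLE_TRACE are constructed for illustration and do not describe what this particular sample did.

```python
"""Replay a sandbox API trace against the behaviour signatures in this report.

Added example: the trace format, the allow-list and every event below are
constructed for illustration; they are not the sandbox's own logging and do
not describe this sample's real activity. Rule names mirror the report.
"""
import json
from collections import defaultdict
from typing import Dict, Iterable, List, Set

CREATE_SUSPENDED = 0x00000004   # dwCreationFlags bit for CreateProcess
GENERIC_WRITE = 0x40000000      # dwDesiredAccess bit for CreateFile

# Windows keeps the configured country code under this key (Geo\Nation).
GEO_KEY_FRAGMENT = r"control panel\international"
SYSTEM32_PREFIX = r"c:\windows\system32"

# Illustrative allow-list (assumption): images that routinely launch children.
# A spawn from any other image trips the 'unexpected child' rule.
ROUTINE_LAUNCHERS: Set[str] = {"explorer.exe", "cmd.exe", "powershell.exe",
                               "services.exe", "svchost.exe"}


def analyse_trace(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map report signature names to the trace events that triggered them."""
    findings: Dict[str, List[str]] = defaultdict(list)
    suspended: Dict[int, str] = {}   # child pid -> image, created with CREATE_SUSPENDED
    written: Set[int] = set()        # suspended children the parent has written into

    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        pid, image, api = ev["pid"], ev["image"].lower(), ev["api"]
        args = ev.get("args", {})

        if api.startswith(("RegQueryValueEx", "RegGetValue")):
            if GEO_KEY_FRAGMENT in args.get("key", "").lower():
                findings["Checks computer location settings"].append(
                    f"{image} ({pid}) read {args.get('key')}\\{args.get('value')}")

        elif api.startswith("CreateFile"):
            path = args.get("path", "")
            if path.lower().startswith(SYSTEM32_PREFIX) and args.get("access", 0) & GENERIC_WRITE:
                findings["Drops file in System32 directory"].append(
                    f"{image} ({pid}) wrote {path}")

        elif api.startswith("CreateProcess"):
            child_pid, child_image = args["child_pid"], args["image"]
            if image not in ROUTINE_LAUNCHERS:
                findings["Process spawned unexpected child process"].append(
                    f"{image} ({pid}) -> {child_image} ({child_pid})")
            if args.get("flags", 0) & CREATE_SUSPENDED:
                suspended[child_pid] = child_image

        elif api == "WriteProcessMemory":
            if args.get("target_pid") in suspended:
                written.add(args["target_pid"])

        elif api == "SetThreadContext":
            target = args.get("target_pid")
            # Redirecting a suspended child's thread after writing into it is
            # the process-hollowing pattern behind the report's signature;
            # SetThreadContext on its own (e.g. a debugger) is not flagged.
            if target in suspended and target in written:
                findings["Suspicious use of SetThreadContext"].append(
                    f"{image} ({pid}) redirected thread in {suspended[target]} ({target})")

    return dict(findings)


# Constructed trace (JSON lines). PIDs, paths and sizes are made up.
SAMPLE_TRACE = r"""
{"pid": 4120, "image": "sample.exe", "api": "RegQueryValueExW", "args": {"key": "HKCU\\Control Panel\\International\\Geo", "value": "Nation"}}
{"pid": 4120, "image": "sample.exe", "api": "CreateFileW", "args": {"path": "C:\\Windows\\System32\\drop.tmp", "access": 1073741824}}
{"pid": 4120, "image": "sample.exe", "api": "CreateProcessW", "args": {"image": "C:\\Windows\\System32\\notepad.exe", "child_pid": 4188, "flags": 4}}
{"pid": 4120, "image": "sample.exe", "api": "WriteProcessMemory", "args": {"target_pid": 4188, "size": 180224}}
{"pid": 4120, "image": "sample.exe", "api": "SetThreadContext", "args": {"target_pid": 4188}}
{"pid": 4120, "image": "sample.exe", "api": "ResumeThread", "args": {"target_pid": 4188}}
{"pid": 1844, "image": "explorer.exe", "api": "CreateProcessW", "args": {"image": "C:\\Windows\\System32\\notepad.exe", "child_pid": 4300, "flags": 0}}
"""

if __name__ == "__main__":
    for name, events in analyse_trace(SAMPLE_TRACE.splitlines()).items():
        print(name)
        for line in events:
            print("   ", line)
```

The SetThreadContext rule deliberately requires the CREATE_SUSPENDED spawn and a WriteProcessMemory into that child first; flagging the call on its own would also hit debuggers and some legitimate instrumentation.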

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry (T1012), 1 hit
  • System Information Discovery (T1082), 2 hits
