General

Target: bong[1].bmp.dec
Size: 3.2MB
Sample: 220805-q4e1madea5
MD5: 9010a4cc7bc0f476f0830b079fcd3ce5
SHA1: ba15172ec38b40db7dbd3d956577604c7af57704
SHA256: 8917451b1bacead632768c07e4bab386646a95771f08ce8372289a80d463fe12
SHA512: a98f8273ee883f5d5a353dc284fb247a8c3f7e21eede28737a03b34cf08ebb5a9d94df1287a3f0790531ec1b4cf740f9e6039e8368f8c3cadb6e9eeea22d54f2
Behavioral task: behavioral1
Sample: bong[1].bmp.exe
Resource: win7-20220715-en

Behavioral task: behavioral2
Sample: bong[1].bmp.exe
Resource: win10v2004-20220721-en
Malware Config

Targets

Target: bong[1].bmp.dec
Size: 3.2MB
MD5: 9010a4cc7bc0f476f0830b079fcd3ce5
SHA1: ba15172ec38b40db7dbd3d956577604c7af57704
SHA256: 8917451b1bacead632768c07e4bab386646a95771f08ce8372289a80d463fe12
SHA512: a98f8273ee883f5d5a353dc284fb247a8c3f7e21eede28737a03b34cf08ebb5a9d94df1287a3f0790531ec1b4cf740f9e6039e8368f8c3cadb6e9eeea22d54f2
- ModiLoader (also tracked as DBatLoader): a Delphi loader that misuses cloud services to download other malicious families.
- PrivateLoader: a downloader sold as a pay-per-install malware distribution service.
- Identifies VirtualBox via ACPI registry values (likely anti-VM).
- ModiLoader Second Stage.
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL.
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger: calls NtSetInformationThread with the ThreadHideFromDebugger information class (0x11), after which debug events from that thread are no longer delivered to an attached debugger; a common anti-debugging technique.
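The signatures listed for this target are pattern matches over what the sample did in the sandbox. The following is an added example, not code from this report or from the sandbox vendor, showing how such matching is typically built: a small Python classifier that maps API-trace entries to the signature names used on this page (the VirtualBox ACPI check, the BIOS check, the Uninstall-key enumeration, the external IP lookup, the dropped-DLL load and the ThreadHideFromDebugger call). The trace entries, file paths and IP-lookup domains are constructed assumptions chosen for illustration; the registry paths are the ones these checks commonly key on, and ThreadHideFromDebugger is the documented THREADINFOCLASS value 0x11.

```python
import re
from collections import defaultdict

# Constructed API trace in (api, arguments) form, not output captured from the
# sample analysed above. Paths and domains are illustrative assumptions.
SAMPLE_TRACE = [
    ("RegOpenKeyExW", r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"),
    ("RegQueryValueExW", r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"),
    ("RegQueryValueExW", r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName"),
    ("RegEnumKeyExW", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
    ("NtWriteFile", r"C:\Users\Admin\AppData\Local\Temp\stage2.dll"),
    ("LoadLibraryW", r"C:\Users\Admin\AppData\Local\Temp\stage2.dll"),
    ("LoadLibraryW", r"C:\Windows\System32\kernel32.dll"),
    ("InternetOpenUrlW", "http://api.ipify.org/"),
    ("NtSetInformationThread", "ThreadInformationClass=0x11"),
    ("NtSetInformationThread", "ThreadInformationClass=0x2"),
]

# Stateless rules: (signature name as this report phrases it, API regex, argument regex).
RULES = [
    ("Identifies VirtualBox via ACPI registry values",
     re.compile(r"^Reg(Open|Query|Enum)"),
     re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX", re.I)),
    ("Checks BIOS information in registry",
     re.compile(r"^Reg(Open|Query)"),
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS", re.I)),
    ("Checks installed software on the system",
     re.compile(r"^Reg(Open|Query|Enum)"),
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall", re.I)),
    ("Looks up external IP address via web service",
     re.compile(r"^(InternetOpenUrl|WinHttpConnect|HttpOpenRequest)"),
     re.compile(r"(api\.ipify\.org|ip-api\.com|checkip\.dyndns\.org|icanhazip\.com|ipinfo\.io)", re.I)),
    # ThreadHideFromDebugger is THREADINFOCLASS 0x11 (decimal 17).
    ("Suspicious use of NtSetInformationThreadHideFromDebugger",
     re.compile(r"^NtSetInformationThread$"),
     re.compile(r"ThreadInformationClass=(0x11|17)\b", re.I)),
]

# "Loads dropped DLL" needs state: a DLL counts as dropped only if the trace
# shows the same path being written before it is loaded.
WRITE_APIS = re.compile(r"^(NtWriteFile|WriteFile|CopyFileW?)$")
LOAD_APIS = re.compile(r"^(LoadLibrary(Ex)?[AW]?|LdrLoadDll)$")


def match_signatures(trace):
    """Return {signature name: [evidence lines]} for a trace of (api, args)."""
    hits = defaultdict(list)
    written = set()
    for api, args in trace:
        for name, api_re, arg_re in RULES:
            if api_re.match(api) and arg_re.search(args):
                hits[name].append(f"{api} {args}")
        if WRITE_APIS.match(api):
            written.add(args.lower())
        elif LOAD_APIS.match(api) and args.lower() in written:
            hits["Loads dropped DLL"].append(f"{api} {args}")
    return dict(hits)


if __name__ == "__main__":
    for name, evidence in match_signatures(SAMPLE_TRACE).items():
        print(name)
        for line in evidence:
            print("    ", line)
```

Note that the stateless rules fire on a single call, while the dropped-DLL rule only fires when a write to a path precedes a load of the same path; the benign NtSetInformationThread call with class 0x2 (ThreadPriority) and the load of kernel32.dll produce no hits.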