General
-
Target
cff2e13aa3295ff525e00548d9e70d3c.exe
-
Size
401KB
-
Sample
221004-xxdybabhf7
-
MD5
cff2e13aa3295ff525e00548d9e70d3c
-
SHA1
83ce362bd0f36576caf78c984a32d9c88693bf86
-
SHA256
f3f1e859565fca8ff434438e2c331aae55791b6b6b74803652c364cbe99cb9b1
-
SHA512
7b56dad27805ddaca05252c0181e2b5a87cb1672cb2763fd3f9bc56cca497a0186286cd0e8ca9ef1db036bb3ff522f239fc95f2e1e8402e4d6ede12ad590db38
-
SSDEEP
6144:gEyD56nU0Q6q9DvKbDwbpbJR1XcTrepr8FsrMDyHCACb0/B5rFvn:g5EU0Q9NibDOlJR1rr8FCeXbaR
Static task
static1
Behavioral task
behavioral1
Sample
cff2e13aa3295ff525e00548d9e70d3c.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
cff2e13aa3295ff525e00548d9e70d3c.exe
Resource
win10v2004-20220901-en
Malware Config
Targets
-
Target
cff2e13aa3295ff525e00548d9e70d3c.exe
Score 10/10
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks for common network interception software
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VirtualBox drivers on disk
-
ModiLoader Second Stage
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up the country code configured in the registry, most likely a geofence check so the loader only runs in targeted regions.
-
Deletes itself
-
Adds Run key to start application
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
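The anti-analysis signatures above are the sandbox's names for specific registry and file reads. As an added example that is not part of this report or of the sandbox's own rules, the Python below tags constructed sandbox event lines with those signature names, so the same matching can be run over a registry/file trace from another tool. The VirtualBox Guest Additions, VMware Tools, HARDWARE\DESCRIPTION\System BIOS, Geo\Nation, Run and VBox*.sys paths are well-known artifacts; the Fiddler2/Wireshark key names and the Services\Disk\Enum key are assumptions about what the sandbox matched.

```python
"""Tag sandbox registry/file events with the anti-analysis signatures listed
in this report. Added example: the event lines below are constructed, not
taken from the real run of cff2e13aa3295ff525e00548d9e70d3c.exe."""
import re
from collections import defaultdict

RUN_KEY = "Adds Run key to start application"

# name -> (operations that count, or None for any; regex patterns on the path).
# The Fiddler2/Wireshark key names and Services\Disk\Enum are assumptions
# about which keys the sandbox signature looks for; the rest are well known.
SIGNATURES = {
    "Looks for VirtualBox Guest Additions in registry": (None, [
        r"\\SOFTWARE\\Oracle\\VirtualBox Guest Additions"]),
    "Looks for VMWare Tools registry key": (None, [
        r"\\SOFTWARE\\VMware, Inc\.\\VMware Tools"]),
    "Checks BIOS information in registry": (None, [
        r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion|BIOS)"]),
    "Checks computer location settings": (None, [
        r"\\Control Panel\\International\\Geo\\Nation"]),
    "Checks for common network interception software": (None, [
        r"\\Software\\Microsoft\\Fiddler2", r"\\Wireshark"]),   # assumed key names
    "Maps connected drives based on registry": (None, [
        r"\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum"]),  # assumed key
    "Looks for VirtualBox drivers on disk": (None, [
        r"\\System32\\drivers\\VBox(Mouse|Guest|SF|Video)\.sys"]),
    # Only a value write under Run is persistence; reading the key is not.
    RUN_KEY: (("RegSetValue",), [
        r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(\\|$)"]),
}
COMPILED = {name: (ops, [re.compile(p, re.I) for p in pats])
            for name, (ops, pats) in SIGNATURES.items()}

# Constructed events in "<pid> <operation> <path>" form (not from the sandbox).
EVENTS = r"""
2032 RegOpenKey HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
2032 RegOpenKey HKLM\SOFTWARE\VMware, Inc.\VMware Tools
2032 RegQueryValue HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion
2032 RegQueryValue HKCU\Control Panel\International\Geo\Nation
2032 RegOpenKey HKCU\Software\Microsoft\Fiddler2
2032 RegQueryValue HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum\0
2032 FileOpen C:\Windows\System32\drivers\VBoxMouse.sys
2032 RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Run
2032 RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update
2032 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
"""


def tag_events(log_text):
    """Return {signature: [event lines]} for every event touching a watched key or path."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split(" ", 2)   # path may contain spaces, so split at most twice
        if len(parts) != 3:
            continue
        _pid, op, path = parts
        for name, (ops, patterns) in COMPILED.items():
            if ops is not None and op not in ops:
                continue
            if any(p.search(path) for p in patterns):
                hits[name].append(line)
    return dict(hits)


def anti_analysis_count(hits):
    """Number of distinct sandbox/VM/tool checks that fired; persistence is not counted."""
    return sum(1 for name in hits if name != RUN_KEY)


if __name__ == "__main__":
    found = tag_events(EVENTS)
    for name, lines in found.items():
        print(name)
        for entry in lines:
            print("   ", entry)
    print("anti-analysis checks:", anti_analysis_count(found))
```

The operation filter on the Run key matters: the loader reading HKCU\...\Run is noise, while a RegSetValue under it is the persistence the report flags. Counting distinct anti-analysis checks rather than raw matches gives a stable signal across noisy traces, which is how a triage rule would score a sample like this one.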