Overview

overview

10

Static

static

ad0e9ff418...fc.exe

windows7-x64

10

ad0e9ff418...fc.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc

  • Size

    352KB

  • Sample

    221128-gvhkqafd7s

  • MD5

    7a60ce64e7fd84d41e2852c0b26f8694

  • SHA1

    b7099c4e097d060f296748bc14ef93d9b4243fa0

  • SHA256

    ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc

  • SHA512

    df9561e92aedcf1812118cb3a50ab3b039315189ca39a059a1d3593b18dbba2626b9da3b10ac99ad6d6f547d9062fa66218799fb770a3d9c8dab8a88478e913d

  • SSDEEP

    3072:CPkV3CEwdOR51PCjVmDIjnUCL/PR76xUUA51RRpaZntcVjy/DU6W4ij0UiJd9QTw:CN1oZn+VGrU68xe9QTl+t1gZn9vMikbf

Score
10/10
modiloaderevasionpersistencetrojan

Malware Config

Targets

    • Target

      ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc

    • Size

      352KB

    • MD5

      7a60ce64e7fd84d41e2852c0b26f8694

    • SHA1

      b7099c4e097d060f296748bc14ef93d9b4243fa0

    • SHA256

      ad0e9ff41830f65888f808b388cbf0179ba6f87f2711b432f795803165712bfc

    • SHA512

      df9561e92aedcf1812118cb3a50ab3b039315189ca39a059a1d3593b18dbba2626b9da3b10ac99ad6d6f547d9062fa66218799fb770a3d9c8dab8a88478e913d

    • SSDEEP

      3072:CPkV3CEwdOR51PCjVmDIjnUCL/PR76xUUA51RRpaZntcVjy/DU6W4ij0UiJd9QTw:CN1oZn+VGrU68xe9QTl+t1gZn9vMikbf

    Score
    10/10
    modiloaderevasionpersistencetrojan

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

      evasion

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Looks for VirtualBox drivers on disk

      evasion

    • ModiLoader Second Stage

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks