General

  • Target

    fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7

  • Size

    2.6MB

  • Sample

    221128-mfbrhsbf5t

  • MD5

    e72aaafff683d056502cc68ab1333deb

  • SHA1

    934deb70f68a11e75985933a8a449fb4a8269dc4

  • SHA256

    fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7

  • SHA512

    101d7c33bad59ce83b5d372e013fc838f1b6c33e96d94b22bcf499ef6a3a6277f2ec86d864d5d6ac7edfa1e6dee83a0e7dfc4a277b7e63546c7899585d5a29f2

  • SSDEEP

    49152:SJZoQrbTFZY1iazcBXcmdxoNmiHFNWt7jAui5Uj2MNo:StrbTA1Eo

Malware Config

Targets

    • Imminent RAT

      Remote-access trojan based on Imminent Monitor remote admin software.

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Modifies WinLogon for persistence

    • ModiLoader Second Stage

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Scripting (T1064), count: 1

  • Scheduled Task (T1053), count: 1

Persistence

  • Winlogon Helper DLL (T1004), count: 1

  • Registry Run Keys / Startup Folder (T1060), count: 1

  • Scheduled Task (T1053), count: 1

Privilege Escalation

  • Scheduled Task (T1053), count: 1

Defense Evasion

  • Modify Registry (T1112), count: 2

  • Scripting (T1064), count: 1

Discovery

  • Query Registry (T1012), count: 1

  • System Information Discovery (T1082), count: 2

Tasks