General
-
Target
b6bebaceeb7572332bd2f049dbbf8564f05673cd44744cd4f1d95d04bb0a1b65
-
Size
606KB
-
Sample
221129-hxgxmsag6z
-
MD5
a1b3c431e9414ed9d7a87fe78d1ed255
-
SHA1
ef8bb35252ed1783ad9cab7b1e64d3376dda58f8
-
SHA256
b6bebaceeb7572332bd2f049dbbf8564f05673cd44744cd4f1d95d04bb0a1b65
-
SHA512
a451e28fcc1d44db260f554997af2a2431b2c26968e1abbb490b5deb7173068f3842432a97ab9f97378ce361741869f3c290cd97ed3ecd27845a80f12ac60ef0
-
SSDEEP
12288:adtjPWedI4ilnP/TP7xQLtV8TuJ+fUoy6SoMvPJ6Q/FO0cn2b:adRZ4nTVQLtVsuEfUoy6MHJ6SFOW
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Targets
-
-
Target
b6bebaceeb7572332bd2f049dbbf8564f05673cd44744cd4f1d95d04bb0a1b65
-
Size
606KB
-
MD5
a1b3c431e9414ed9d7a87fe78d1ed255
-
SHA1
ef8bb35252ed1783ad9cab7b1e64d3376dda58f8
-
SHA256
b6bebaceeb7572332bd2f049dbbf8564f05673cd44744cd4f1d95d04bb0a1b65
-
SHA512
a451e28fcc1d44db260f554997af2a2431b2c26968e1abbb490b5deb7173068f3842432a97ab9f97378ce361741869f3c290cd97ed3ecd27845a80f12ac60ef0
-
SSDEEP
12288:adtjPWedI4ilnP/TP7xQLtV8TuJ+fUoy6SoMvPJ6Q/FO0cn2b:adRZ4nTVQLtVsuEfUoy6MHJ6SFOW
Score10/10-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies firewall policy service
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass
-
Windows security bypass
-
ModiLoader Second Stage
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Windows security modification
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-