General
-
Target
95c1e37df6075f3caaaa1d172125a830b6733726670f5f8155f62c26bc472d9e
-
Size
844KB
-
Sample
221203-1n5lfsgf35
-
MD5
ef07264221f95108f16ba392cd80d320
-
SHA1
938264373a44b03a962b0f6362a31493614ad9e0
-
SHA256
95c1e37df6075f3caaaa1d172125a830b6733726670f5f8155f62c26bc472d9e
-
SHA512
4278cc335c63d48bada802a6f1798c62cf3262d56aa740a1effd087dd31ad4a3ff8acbbc1090fd8f27a93a190e6694765a6a22d26256b8195af32af947bde15d
-
SSDEEP
12288:dBPDXS5Dkk6op32l9j2wx+xejWEZ2QySvuWQtW9b0rRZCwYll9j2wx+xs8V:u5Dkk6wM2wx+xxc2QPCOh2wx+xs8V
Static task
static1
Behavioral task
behavioral1
Sample
95c1e37df6075f3caaaa1d172125a830b6733726670f5f8155f62c26bc472d9e.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
95c1e37df6075f3caaaa1d172125a830b6733726670f5f8155f62c26bc472d9e.exe
Resource
win10v2004-20220901-en
Malware Config
Extracted
-
Protocol
ftp
-
Host
ftp.freewebtown.com
-
Port
21
-
Username
on7line
-
Password
deneme123
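The extracted configuration above is a plaintext FTP credential, so both the file hashes in this report and the C2 login are directly observable: the hashes on disk, the USER/PASS pair on the control channel (port 21, unencrypted). The following Python is an added example for turning those report fields into checks; it is not part of the report and not tooling from the sandbox. The FTP transcript embedded in it is constructed for illustration, and the Suricata SID is a placeholder local ID. Note that ftp.freewebtown.com is a shared hosting name, so match on the credential tuple rather than the domain alone.

```python
import hashlib
import re
import sys

# Hashes copied from this report (sample 221203-1n5lfsgf35).
IOC_HASHES = {
    "md5": "ef07264221f95108f16ba392cd80d320",
    "sha1": "938264373a44b03a962b0f6362a31493614ad9e0",
    "sha256": "95c1e37df6075f3caaaa1d172125a830b6733726670f5f8155f62c26bc472d9e",
    "sha512": "4278cc335c63d48bada802a6f1798c62cf3262d56aa740a1effd087dd31ad4a3"
              "ff8acbbc1090fd8f27a93a190e6694765a6a22d26256b8195af32af947bde15d",
}

# Extracted C2 configuration copied from this report.
FTP_C2 = {"host": "ftp.freewebtown.com", "port": 21,
          "user": "on7line", "password": "deneme123"}

# Constructed FTP control-channel transcript (not captured from the sample).
SAMPLE_FTP_SESSION = """\
220 FTP server ready.
USER on7line
331 Password required for on7line
PASS deneme123
230 User on7line logged in
TYPE I
PASV
STOR upload.bin
"""


def hash_file_bytes(data: bytes) -> dict:
    """Return md5/sha1/sha256/sha512 hex digests of an in-memory buffer."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def matches_ioc(data: bytes) -> list:
    """Names of the algorithms whose digest of `data` equals the report's sample."""
    digests = hash_file_bytes(data)
    return [name for name, value in IOC_HASHES.items() if digests[name] == value]


_CMD = re.compile(r"^(USER|PASS)\s+(\S.*?)\s*$", re.IGNORECASE)


def ftp_logins(session_text: str) -> list:
    """Pair each USER command with the PASS that follows it in an FTP transcript."""
    logins = []
    pending_user = None
    for raw in session_text.splitlines():
        m = _CMD.match(raw.strip())
        if not m:
            continue            # server replies and other commands are skipped
        cmd, arg = m.group(1).upper(), m.group(2)
        if cmd == "USER":
            pending_user = arg
        elif cmd == "PASS" and pending_user is not None:
            logins.append((pending_user, arg))
            pending_user = None
    return logins


def detect_c2_login(session_text: str) -> bool:
    """True if the transcript contains a login with the extracted C2 credential."""
    return (FTP_C2["user"], FTP_C2["password"]) in ftp_logins(session_text)


def suricata_rule(sid: int = 1000001) -> str:
    """Render the extracted username as a Suricata rule (sid is a placeholder local ID)."""
    return (
        f'alert ftp any any -> any {FTP_C2["port"]} '
        f'(msg:"ModiLoader/DBatLoader FTP C2 login {FTP_C2["user"]}"; '
        f'flow:to_server,established; content:"USER {FTP_C2["user"]}"; '
        f'sid:{sid}; rev:1;)'
    )


if __name__ == "__main__":
    # Usage: python check_ioc.py <file>  -- hashes the file and compares to the report.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print("matching hashes:", matches_ioc(fh.read()))
    print("C2 login in sample transcript:", detect_c2_login(SAMPLE_FTP_SESSION))
    print(suricata_rule())
```

Run it against a quarantined copy of the sample to confirm all four digests match, and feed real FTP control-channel captures (or a Zeek ftp.log reduced to USER/PASS lines) to `ftp_logins`; the rule only matches the username, so pair it with the hostname or the PASS content if the account is reused.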
Targets
-
Target
95c1e37df6075f3caaaa1d172125a830b6733726670f5f8155f62c26bc472d9e
-
Size
844KB
-
MD5
ef07264221f95108f16ba392cd80d320
-
SHA1
938264373a44b03a962b0f6362a31493614ad9e0
-
SHA256
95c1e37df6075f3caaaa1d172125a830b6733726670f5f8155f62c26bc472d9e
-
SHA512
4278cc335c63d48bada802a6f1798c62cf3262d56aa740a1effd087dd31ad4a3ff8acbbc1090fd8f27a93a190e6694765a6a22d26256b8195af32af947bde15d
-
SSDEEP
12288:dBPDXS5Dkk6op32l9j2wx+xejWEZ2QySvuWQtW9b0rRZCwYll9j2wx+xs8V:u5Dkk6wM2wx+xxc2QPCOh2wx+xs8V
Score
10/10
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage
-
Executes dropped EXE
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check.
-
Drops startup file
-
Loads dropped DLL
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-