General

  • Target

    gly.hta

  • Size

    55KB

  • Sample

    230803-mrnkfseb2z

  • MD5

    9e4c0d579c9acf12a52bc5c58d410708

  • SHA1

    7f69a49202daaf659672381fa0dc505abd871262

  • SHA256

    073b4eac3f9595ffd9c3a479d4857996799224e3f6f21fa4b3f86d94b3cd437e

  • SHA512

    4d734d423b426fee27a8f885f24103003d2ca140140162e19836f25a937aa8c757f5d9cc6136fecd0219b8c8c9ae786a69945eb2c989487faafd6c12e117153e

  • SSDEEP

    768:cn0W4TOwp1g0+vMZi69Fhr3++x4SpThCBdlA:cn8zpx+vKi69b3+ifSdlA

Malware Config

Targets

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Suspicious use of NtCreateProcessOtherParentProcess

    • ModiLoader Second Stage

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks