General

  • Target

    dde332a0dae3cd8df906c8a51336a47c

  • Size

    667KB

  • Sample

    240325-ngaraahb4t

  • MD5

    dde332a0dae3cd8df906c8a51336a47c

  • SHA1

    850f4bc1743bb6d99ae25077e9b1c823bf1180d4

  • SHA256

    5355c17e6d3e0b193ca78cd1789ecca3a0c23f0a466051fca6499c28f5802537

  • SHA512

    e09b0c3c2fa43c1a08dbcff8f81b3e669a010b12effccc1138743197f66412b07a82a485370060b1005ec107c23615da38f4ac14e2b1a361f927710eda4f34c1

  • SSDEEP

    12288:WbMqm1EEb4E9F/ATyGv4XKGQi2lJLm1Giizl6oAlpxElrW1A:WI3EEb4Ev/ATEXKGVnGTzpA1Ec1A
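The digests above are the usable indicators from this report. The following script is an added example (not part of the sandbox report or its tooling): it computes the same digest set for a file or byte string and compares it with the report's values, treating a SHA-256/SHA-512 match as conclusive and an MD5- or SHA-1-only match as weak, since those algorithms are collision-prone. The hash values are copied from the report; the chunk size, function names and verdict strings are this example's own choices. SSDEEP is not in the standard library and is not computed here.

```python
import hashlib
from typing import Dict

# Digests copied from the report above (the page's own indicators).
REPORT_HASHES: Dict[str, str] = {
    "md5": "dde332a0dae3cd8df906c8a51336a47c",
    "sha1": "850f4bc1743bb6d99ae25077e9b1c823bf1180d4",
    "sha256": "5355c17e6d3e0b193ca78cd1789ecca3a0c23f0a466051fca6499c28f5802537",
    "sha512": "e09b0c3c2fa43c1a08dbcff8f81b3e669a010b12effccc1138743197f66412b0"
              "7a82a485370060b1005ec107c23615da38f4ac14e2b1a361f927710eda4f34c1",
}

CHUNK = 1 << 20  # 1 MiB; an assumption, any size works


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Compute md5/sha1/sha256/sha512 of an in-memory buffer in one pass."""
    hashers = {name: hashlib.new(name) for name in REPORT_HASHES}
    view = memoryview(data)
    for offset in range(0, len(view), CHUNK):
        chunk = view[offset:offset + CHUNK]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path: str) -> Dict[str, str]:
    """Same digest set for a file on disk, streamed so large samples fit in memory."""
    hashers = {name: hashlib.new(name) for name in REPORT_HASHES}
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_report(digests: Dict[str, str]) -> Dict[str, bool]:
    """Per-algorithm comparison, case-insensitive; missing algorithms count as no match."""
    return {
        name: digests.get(name, "").lower() == value
        for name, value in REPORT_HASHES.items()
    }


def verdict(digests: Dict[str, str]) -> str:
    """Collapse the per-algorithm result into a verdict an analyst can act on.

    Only SHA-256 or SHA-512 agreement is treated as a positive identification;
    MD5 and SHA-1 alone are reported as weak because collisions are practical.
    """
    matched = {name for name, ok in match_report(digests).items() if ok}
    if matched & {"sha256", "sha512"}:
        return "match"
    if matched:
        return "weak match (md5/sha1 only)"
    return "no match"


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, verdict(hash_file(path)))
```

Run it as `python check_sample.py <file>`; a file that reproduces the report's SHA-256 is the analysed sample, while an MD5-only hit should be re-hashed rather than trusted.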

Malware Config

Targets

    • Target

      dde332a0dae3cd8df906c8a51336a47c

    • ModiLoader, DBatLoader

      ModiLoader (also tracked as DBatLoader) is a Delphi-written loader that abuses cloud and file-hosting services to download and deliver other malware families.

    • Modifies security service

    • Modifies visibility of hidden/system files in Explorer

    • ModiLoader Second Stage

    • Disables taskbar notifications via registry modification

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials and other sensitive profile contents.

    • UPX packed file

      Detects executables packed with UPX or a modified build of the open-source UPX packer.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandbox environments.

    • Suspicious use of SetThreadContext
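Several of the signatures above (Run key persistence, Installed Components, hidden/system file visibility) leave registry artifacts that can be checked on a host or in a registry export after the fact. The following is an added example, not the sandbox's detection logic: it parses a minimal .reg-style export and flags entries under the locations those three signatures refer to. The export text is constructed for the example (the paths and GUID are made up), and the key locations are the standard ones for Run persistence, Active Setup Installed Components and Explorer's folder-view options; the exact values the sample wrote are not stated on this page and are assumed here only to drive the example.

```python
import re
from typing import List, Optional, Tuple

# Constructed .reg-style export; not taken from the report. The paths and GUID
# are invented to exercise the three checks below.
SAMPLE_EXPORT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\Public\\Libraries\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{12345678-1234-1234-1234-123456789ABC}]
"StubPath"="C:\\Users\\Public\\Libraries\\updater.exe"
"""

Entry = Tuple[str, str, object]          # (key, value name, value)
Finding = Tuple[str, str, str, object]   # (signature, key, value name, value)

# Suffixes/fragments compared case-insensitively, since registry paths are.
RUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
ACTIVE_SETUP_FRAGMENT = "\\active setup\\installed components\\"
EXPLORER_ADVANCED_SUFFIX = "\\explorer\\advanced"
# Hidden=2 hides hidden files, ShowSuperHidden=0 hides protected OS files in Explorer.
VISIBILITY_VALUES = ("hidden", "showsuperhidden")


def parse_reg_export(text: str) -> List[Entry]:
    """Parse a minimal .reg export: [key] headers followed by "name"=value lines.

    Only REG_SZ ("...") and REG_DWORD (dword:XXXXXXXX) are decoded; other types are
    kept as raw strings. Default values (@=) and comments are skipped.
    """
    entries: List[Entry] = []
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m is None or current_key is None:
            continue
        name, value = m.group(1), m.group(2)
        if value.lower().startswith("dword:"):
            value = int(value[6:], 16)
        elif value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace("\\\\", "\\")  # undo .reg backslash escaping
        entries.append((current_key, name, value))
    return entries


def classify(key: str, name: str) -> Optional[str]:
    """Map a (key, value name) pair to the report signature it corresponds to."""
    k, n = key.lower(), name.lower()
    if any(k.endswith(suffix) for suffix in RUN_KEY_SUFFIXES):
        return "Adds Run key to start application"
    if ACTIVE_SETUP_FRAGMENT in k and n == "stubpath":
        return "Modifies Installed Components in the registry"
    if k.endswith(EXPLORER_ADVANCED_SUFFIX) and n in VISIBILITY_VALUES:
        return "Modifies visibility of hidden/system files in Explorer"
    return None


def scan_export(text: str) -> List[Finding]:
    """Return every entry in the export that matches one of the three signatures."""
    findings: List[Finding] = []
    for key, name, value in parse_reg_export(text):
        sig = classify(key, name)
        if sig is not None:
            findings.append((sig, key, name, value))
    return findings


if __name__ == "__main__":
    for sig, key, name, value in scan_export(SAMPLE_EXPORT):
        print(f"{sig}: {key}\\{name} = {value!r}")
```

On a live host the same checks can be run against an export produced with `reg export`, and a Run or StubPath value pointing into a user-writable directory is the detail worth escalating on.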

MITRE ATT&CK Enterprise v15

Tasks