Overview

overview

10

Static

static

3

Lunar.exe

windows10-2004-x64

7

troll.pyc

windows10-2004-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Lunar.exe

  • Size

    7.9MB

  • Sample

    240504-yfm1bsbh94

  • MD5

    17245a2f10932f0f89ec975b9b5f9c3b

  • SHA1

    929e3262812dd262b4f3faae2c380681a4f15cae

  • SHA256

    2d952fedf846b7d19e3e75632fa03826b6da922ba04c308283c5ce8110a5e456

  • SHA512

    c4f940da4718db06296602b6166494319d1a17451979b1f78afb03515171de8201d06284c613f0e3d67ee0c92da85ec2c3a92b07af42233e0cbbfca69d78e44a

  • SSDEEP

    196608:XL29VjA1HeT39IigNauDXURuA9SEXK4Ag:7mO1+TtIiLuARuAU8K4Ag

Score
10/10
babylonratmodiloaderbootkitpersistencepyinstallertrojanupx

Malware Config

Targets

    • Target

      Lunar.exe

    • Size

      7.9MB

    • MD5

      17245a2f10932f0f89ec975b9b5f9c3b

    • SHA1

      929e3262812dd262b4f3faae2c380681a4f15cae

    • SHA256

      2d952fedf846b7d19e3e75632fa03826b6da922ba04c308283c5ce8110a5e456

    • SHA512

      c4f940da4718db06296602b6166494319d1a17451979b1f78afb03515171de8201d06284c613f0e3d67ee0c92da85ec2c3a92b07af42233e0cbbfca69d78e44a

    • SSDEEP

      196608:XL29VjA1HeT39IigNauDXURuA9SEXK4Ag:7mO1+TtIiLuARuAU8K4Ag

    Score
    7/10

    • Loads dropped DLL

    behavioral1

    • Target

      troll.pyc

    • Size

      2KB

    • MD5

      f4c02d1f0a86849a1d6cdc0f996036d1

    • SHA1

      0eedd3a627bee8d321553f5d97978216490af2e5

    • SHA256

      a0a969ae358d472a5245fda0cccd062fd6a21e431356da6f6f8b55ccdd7982f8

    • SHA512

      dc11a264125f21932a95f67c89766cdfe8aaa96c027181a8901b58e11c1831332d487317af967786f13ed0a1939128522626cfe3476010b2d18bb4060b7f31be

    Score
    10/10
    babylonratmodiloaderbootkitpersistencetrojanupx

    • Babylon RAT

      Babylon RAT is remote access trojan written in C++.

      trojanbabylonrat

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • ModiLoader Second Stage

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Drops file in System32 directory

    behavioral2

MITRE ATT&CK Enterprise v15

Tasks