General
- Target: RFQ(PO1,2AN3)002088UTH-PDF.exe
- Size: 1.1MB
- Sample: 240513-va38ksee2x
- MD5: 3958dafe982242ba8f1f7e7e825ec4a2
- SHA1: 39a4d7bae94362f847e27a74d6bdde9e67156151
- SHA256: efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f
- SHA512: 84dc7972a23def2db184688e22a7d2a32b0aa574b521e63d180485eac38d154ed67c745b15e55de01990b009248316e05a118ed7d67b84024d890bf0e2664458
- SSDEEP: 24576:CA0ReRHP4+ngiPzZPQgBt9o/1bIhTmOLp:CUd+gBWbIhaO9
Static task: static1
Behavioral task: behavioral1
- Sample: RFQ(PO1,2AN3)002088UTH-PDF.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: RFQ(PO1,2AN3)002088UTH-PDF.exe
- Resource: win10v2004-20240226-en
Malware Config
Extracted
- Protocol: smtp
- Host: mail.flowja.com
- Port: 587
- Username: [email protected]
- Password: 526242227
Targets
- Target: RFQ(PO1,2AN3)002088UTH-PDF.exe
- Detect ZGRat V1
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Modify Registry (2)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)