Resubmissions

15-05-2024 11:44

240515-nwlgbsfg5x 10

15-05-2024 11:44

240515-nwcjesga39 1

General

  • Target

    doc023561361500.cmd

  • Size

    4.9MB

  • Sample

    240515-nwlgbsfg5x

  • MD5

    d05bed0572c3ce597f3b4be7a2606c08

  • SHA1

    f621468b397308f1055afaf2f27814a390eb16ea

  • SHA256

    e84dd67c7831168c1d7a0f11a78d1e0497eb1cfa8689b25b291ee4b1b96826a4

  • SHA512

    4fbe7a932d91882491648b489ec1e2c349ec71423c071e3f751c130e51ae62881473a9feaf3d842c60ed2fb6922b59f0b611491145e84b07e7145efb0ca7ec79

  • SSDEEP

    24576:sYkuWvLHtSs/yfVZIC5z65HTGq42xfcJele9P2dxBJGhRC8Ih:sYkuWTcDXB65HPxfhleljIh

Malware Config

Targets

    • Target

      doc023561361500.cmd

    • Size

      4.9MB

    • MD5

      d05bed0572c3ce597f3b4be7a2606c08

    • SHA1

      f621468b397308f1055afaf2f27814a390eb16ea

    • SHA256

      e84dd67c7831168c1d7a0f11a78d1e0497eb1cfa8689b25b291ee4b1b96826a4

    • SHA512

      4fbe7a932d91882491648b489ec1e2c349ec71423c071e3f751c130e51ae62881473a9feaf3d842c60ed2fb6922b59f0b611491145e84b07e7145efb0ca7ec79

    • SSDEEP

      24576:sYkuWvLHtSs/yfVZIC5z65HTGq42xfcJele9P2dxBJGhRC8Ih:sYkuWTcDXB65HPxfhleljIh

    • Detect ZGRat V1

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • ModiLoader Second Stage

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Collection

Data from Local System

4
T1005

Tasks