General

  • Target

    74bcda5c9a93045fe2417b8f021e5320_NeikiAnalytics.exe

  • Size

    298KB

  • Sample

    240531-dq42dadb5t

  • MD5

    74bcda5c9a93045fe2417b8f021e5320

  • SHA1

    8a2c668bdb42ee9da855c1097f76d991d567e813

  • SHA256

    5c7cf85d5f923da3ecf3699ca8a217ce41ed217bc26294ecadeb53199375f596

  • SHA512

    45081a2661945c4942dec978dc0c5ad242f9b762c173391ec9817296f410028e6fd8fff66f24440aa277bea12b37837785f54ed42b674dbd148b9addfeb48918

  • SSDEEP

    6144:MqaFH+9xuBumDpw4K0q8+xgPcOCDbsv/27YcMClQy1lkYa/KVKugxCundcmSNKn:k54uBf5YgcOC/sv/EYYxH9gCudFSNKn

Targets

    • Target

      74bcda5c9a93045fe2417b8f021e5320_NeikiAnalytics.exe

    • Size

      298KB

    • MD5

      74bcda5c9a93045fe2417b8f021e5320

    • SHA1

      8a2c668bdb42ee9da855c1097f76d991d567e813

    • SHA256

      5c7cf85d5f923da3ecf3699ca8a217ce41ed217bc26294ecadeb53199375f596

    • SHA512

      45081a2661945c4942dec978dc0c5ad242f9b762c173391ec9817296f410028e6fd8fff66f24440aa277bea12b37837785f54ed42b674dbd148b9addfeb48918

    • SSDEEP

      6144:MqaFH+9xuBumDpw4K0q8+xgPcOCDbsv/27YcMClQy1lkYa/KVKugxCundcmSNKn:k54uBf5YgcOC/sv/EYYxH9gCudFSNKn

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VirtualBox drivers on disk

    • ModiLoader Second Stage

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      ee260c45e97b62a5e42f17460d406068

    • SHA1

      df35f6300a03c4d3d3bd69752574426296b78695

    • SHA256

      e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27

    • SHA512

      a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3

    • SSDEEP

      192:eF24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol9Sl:h8QIl975eXqlWBrz7YLOl9

    • Score

      3/10

    • Target

      $PLUGINSDIR/nsDialogs.dll

    • Size

      9KB

    • MD5

      477b78e5db22b4e651b6bec39d5c1acf

    • SHA1

      418038f8d4db22471f55206aa8eb372f3f133d0d

    • SHA256

      80d84f6c405f4e7b51d3e0c7c10b06ce60b28a43451bbe0e6e464d5e4783fc35

    • SHA512

      6658a0718a6c15a6f0767d87d604ced9d2f3a1494eb6e44d39507687b9e675a05d026b68a7ef8a311b10863e229a963c8ea6f6efb1d92b0657b32ee836adfe21

    • SSDEEP

      192:oB8cxzvTyl4tgi8pPjQM0PuAg0YNyPIFtSP:oBxzm+t18pZ0WAg0RPIFg

    • Score

      3/10

    • Target

      advertising

    • Size

      18KB

    • MD5

      76a9e698aed5a0b37a34b9c8cdf7be65

    • SHA1

      0f925741416d97871e2a81eb85287e343e36d139

    • SHA256

      6419ebc8fd319b4b65209dffda5a5b327e959feafbdab72cfed28dcd86663ec0

    • SHA512

      136291bf0d0ccc678ba4e8ccd6490267061eda0589309b87b9639bde4922adddf4b2d5e2539ec5f7f7254e10a4d1d3b314217eb4434502e7ccf6b5193eb17c0d

    • SSDEEP

      384:b1EuQ0x6gDUC2tuMnCg9CYlCCl8qzbcNKneJIaEBCAmw0me61YVUv1fVvL:b1ESsC2tnxlRCJFj+0m11PTL

    • Score

      1/10

    • Target

      modernizr-2.7.1.min.js

    • Size

      15KB

    • MD5

      8b8089b4d7b9075c4e765f2c3ff367b3

    • SHA1

      e01b369cb8b6a30ea3fd77de81862e9981172d01

    • SHA256

      af4e9c979a6be5f608514ac993f5bd0699cd5bd778ab156a300299b2505835a7

    • SHA512

      b97708d362b05ca5e7b55ba338ea67710bc6d3d4a1b355a1e029c4788e0cb1a4639ad53b7014e34b402b5c77ef3afa42e7c6c675fc46c2e880c5a68fb234e847

    • SSDEEP

      384:zEDDjHW599TpJGd+xesmAnx6KQoZRY5y60Hh1pD:zCDUjebAgKr25y60H1

    • Score

      3/10

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic                | Technique                           | Count | ID
----------------------+-------------------------------------+-------+-----------
Execution             | Command and Scripting Interpreter   | 1     | T1059
Execution             | JavaScript                          | 1     | T1059.007
Persistence           | Boot or Logon Autostart Execution   | 1     | T1547
Persistence           | Registry Run Keys / Startup Folder  | 1     | T1547.001
Privilege Escalation  | Boot or Logon Autostart Execution   | 1     | T1547
Privilege Escalation  | Registry Run Keys / Startup Folder  | 1     | T1547.001
Defense Evasion       | Virtualization/Sandbox Evasion      | 3     | T1497
Defense Evasion       | Modify Registry                     | 3     | T1112
Discovery             | Software Discovery                  | 1     | T1518
Discovery             | Query Registry                      | 5     | T1012
Discovery             | Virtualization/Sandbox Evasion      | 3     | T1497
Discovery             | File and Directory Discovery        | 1     | T1083
Discovery             | System Information Discovery        | 4     | T1082
Discovery             | Peripheral Device Discovery         | 1     | T1120