General
-
Target
lNV-9088759885958.Tar
-
Size
1003KB
-
Sample
240621-cfdk1avhre
-
MD5
e40773fcb9c48c40a38578220ffad140
-
SHA1
4f162d2ef9e1be68ea845de0c6a5aef4bdd97524
-
SHA256
15fbc15da76ace6c3fb6a74a327e2b9a76d45b4144cc95b3efd336c367700fbd
-
SHA512
75bbff01e8c1f24cb932f46a2cc9b965db5807cc69ef2c6e6603a539020034972bcf39bc0b33def4829dcbd46964cd1593540fe480e80e5e488ac518fa585bc3
-
SSDEEP
24576:2d3rHrt48eqIW6FiPoLNzf8wufNT/FkTIZ1IsLHiu:03nt480WqGuBFulRkTc11Hiu
Static task
static1
Behavioral task
behavioral1
Sample
lNV-9088759885958.cmd
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
lNV-9088759885958.cmd
Resource
win10v2004-20240611-en
Malware Config
Extracted
Protocol: smtp- Host:
mail.suryaberkatindonesia.com - Port:
587 - Username:
[email protected] - Password:
suryaber123
Targets
-
-
Target
lNV-9088759885958.cmd
-
Size
4.1MB
-
MD5
75a6cb4a92d02ef6c1bf0e5088190cb9
-
SHA1
e99ebb72703971edc6e73f50b03b833fbbe0dde7
-
SHA256
5c65588d938a6d29b783795576286474107a7989112326cccbecdbdc433f41f3
-
SHA512
298ec5450835768029318bfb045de38b501eeb41c74e98d4c569da38ca2768fe026b9febc968508857fc9bfcdd3ac6cb4d8c640cdc2631d989e865bc4a2b2af2
-
SSDEEP
49152:50zbEfxlWCpt6Tz5d1ej30RxqEc0Z6oJYLmNfLIewZTJN6666Iuq66fKID6+6I6h:r
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-