General

  • Target

    lNV-9088759885958.Tar

  • Size

    1003KB

  • Sample

    240621-cfdk1avhre

  • MD5

    e40773fcb9c48c40a38578220ffad140

  • SHA1

    4f162d2ef9e1be68ea845de0c6a5aef4bdd97524

  • SHA256

    15fbc15da76ace6c3fb6a74a327e2b9a76d45b4144cc95b3efd336c367700fbd

  • SHA512

    75bbff01e8c1f24cb932f46a2cc9b965db5807cc69ef2c6e6603a539020034972bcf39bc0b33def4829dcbd46964cd1593540fe480e80e5e488ac518fa585bc3

  • SSDEEP

    24576:2d3rHrt48eqIW6FiPoLNzf8wufNT/FkTIZ1IsLHiu:03nt480WqGuBFulRkTc11Hiu

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.suryaberkatindonesia.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    suryaber123

Targets

    • Target

      lNV-9088759885958.cmd

    • Size

      4.1MB

    • MD5

      75a6cb4a92d02ef6c1bf0e5088190cb9

    • SHA1

      e99ebb72703971edc6e73f50b03b833fbbe0dde7

    • SHA256

      5c65588d938a6d29b783795576286474107a7989112326cccbecdbdc433f41f3

    • SHA512

      298ec5450835768029318bfb045de38b501eeb41c74e98d4c569da38ca2768fe026b9febc968508857fc9bfcdd3ac6cb4d8c640cdc2631d989e865bc4a2b2af2

    • SSDEEP

      49152:50zbEfxlWCpt6Tz5d1ej30RxqEc0Z6oJYLmNfLIewZTJN6666Iuq66fKID6+6I6h:r

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • ModiLoader Second Stage

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks