General
Target: Potrditev.tar.zip
Size: 764KB
Sample: 240804-wxq27s1hqp
MD5: 4606821b05a032cc81c57a94e1d950ea
SHA1: ed08181d0669ab284206b68f162b9b309449e772
SHA256: c37109d5225709d11a36989b91b769d00264f719b98c357f7014fe02ad7dd17e
SHA512: ae9d5f7d0fdebfca2cbf5f46323b166f2e3a40fce9d6218db46487f7cb3d93983db49200401875fb245636e6210173dbb6e5c2ba4855fd79c53d1d5fd17c83bd
SSDEEP: 12288:2PdJ9pyuWvg76lM4WWC/x5qQSTG3Z65fEHyM5HLyXkZwctzLnGDzWxF0ALJV+Ei+:SHvyuWvg76Mx4ep65gJ5HWhctzLnGDzS
Static task: static1
Behavioral task: behavioral1
  Sample: Potrditev.cmd
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: Potrditev.cmd
  Resource: win10v2004-20240802-en
Malware Config
Extracted family: lokibot
Extracted URLs:
  http://104.248.205.66/index.php/modify.php?edit=1
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Targets
Target: Potrditev.cmd
Size: 2.8MB
MD5: 306e6e3743666b8f5fedb0127b041883
SHA1: 53ac1756ee69296be5f5c99ee18b1d1cb70369d4
SHA256: 20a156c7ad57c2c78a63e7f8d318d2bbba7e0d94186f92ef469aed643e1bf5cc
SHA512: 233d9861fe624b707fe4b89435cf27f1216006e97b97374fa159574d63ca6db351fc2cba454554c82d210ca6f8a4f8be383c6723eab0a54ac1a2e984317804c1
SSDEEP: 24576:RrZhKnjYBTiXW66DrApJCe4tnUNLgVaQzNqWDNRp6KNng1pyyIzmAZrQf3m29Yqk:Rr0jYNi8DrApkpUNLgVDzNVpeIh/c2B
ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
Credentials from Password Stores: Credentials from Web Browsers
  Malicious access to, or copying of, a web browser credential store.
ModiLoader Second Stage
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
Executes dropped EXE
Loads dropped DLL
Accesses Microsoft Outlook profiles
Adds Run key to start application
Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)