Overview

overview

10

Static

static

3

f4f8bdef1f...b8.exe

windows7-x64

10

f4f8bdef1f...b8.exe

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f4f8bdef1fcc6271e430ac06a14e7fb8.exe

  • Size

    408KB

  • Sample

    240925-txjl1sycja

  • MD5

    f4f8bdef1fcc6271e430ac06a14e7fb8

  • SHA1

    ee8717fefe44c90cdd41ff52fd3402a565c3986a

  • SHA256

    b2e580936468414e204e9da4fd5c0b2b5719c3a6af5bb2796d29e061cfa872cc

  • SHA512

    601dae6fc4cfc6215aa7ac79d6ad4ca4004d699e576facd03c63a27ef89592739f10b9313b4c2193cc1ad0872d836030208facf1b50a7263a7ba47dccce15478

  • SSDEEP

    6144:IUqmsjhG9pJ8NU8Z1+3iFLs+4MrQLhElL9nZ0p5Vf0Wuk0d4ohXyulBiJ2EE:LajhG9pJmN4e5LIQZ0fVfMHituz02n

Score
10/10
modiloaderdiscoveryevasionexecutionpersistencetrojan

Malware Config

Targets

    • Target

      f4f8bdef1fcc6271e430ac06a14e7fb8.exe

    • Size

      408KB

    • MD5

      f4f8bdef1fcc6271e430ac06a14e7fb8

    • SHA1

      ee8717fefe44c90cdd41ff52fd3402a565c3986a

    • SHA256

      b2e580936468414e204e9da4fd5c0b2b5719c3a6af5bb2796d29e061cfa872cc

    • SHA512

      601dae6fc4cfc6215aa7ac79d6ad4ca4004d699e576facd03c63a27ef89592739f10b9313b4c2193cc1ad0872d836030208facf1b50a7263a7ba47dccce15478

    • SSDEEP

      6144:IUqmsjhG9pJ8NU8Z1+3iFLs+4MrQLhElL9nZ0p5Vf0Wuk0d4ohXyulBiJ2EE:LajhG9pJmN4e5LIQZ0fVfMHituz02n

    Score
    10/10
    modiloaderdiscoveryevasionexecutionpersistencetrojan

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

      evasion

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Looks for VirtualBox drivers on disk

      evasion

    • ModiLoader Second Stage

    • Adds policy Run key to start application

      persistence

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Adds Run key to start application

      persistence

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks