Malware Analysis Report

2024-11-15 08:03

Sample ID 241110-sdfkksyfqk
Target 8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51
SHA256 8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51
Tags
305419896 modiloader zeppelin cobaltstrike njrat revengerat xred zloader discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51

Threat Level: Known bad

The file 8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51 was found to be: Known bad.

Malicious Activity Summary

305419896 modiloader zeppelin cobaltstrike njrat revengerat xred zloader discovery

Xred family

ModiLoader Second Stage

Modiloader family

Cobaltstrike family

Detects Zeppelin payload

Zloader family

Zeppelin family

Revengerat family

Njrat family

AutoIT Executable

Unsigned PE

System Location Discovery: System Language Discovery

NSIS installer

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 15:01

Signatures

Cobaltstrike family

cobaltstrike

Detects Zeppelin payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modiloader family

modiloader

Njrat family

njrat

Revengerat family

revengerat

Xred family

xred

Zeppelin family

zeppelin

Zloader family

zloader

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

NSIS installer

installer

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 15:00

Reported

2024-11-10 15:04

Platform

win7-20240903-en

Max time kernel

121s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51.exe | N/A
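The registry rows in the behavioral Signatures tables (here and the identical NLS\Language row in behavioral2) are whitespace-separated, and the Indicator column can itself contain spaces ("Internet Explorer"), which breaks naive column splitting. The following is an added example, not code from the sandbox report or its vendor: it parses those rows into records by anchoring on the drive-letter path of the Process column and re-derives the two registry findings, the NLS\Language open (the ATT&CK sub-technique named on the page, T1614.001) and the Internet Explorer settings write. The two rows are copied from the report; the key-suffix heuristics and the temp-directory check are this example's own assumptions.

```python
"""Added example (not part of the sandbox report): parse the registry rows of
the behavioral Signatures tables into records and re-derive the two registry
findings.  Rows are copied from the report; the heuristics are assumptions."""
import re
from dataclasses import dataclass

# Rows copied from the behavioral1 Signatures tables, in the raw
# whitespace-separated form (Description Indicator Process Target).
REPORT_ROWS = [
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51.exe N/A",
    r"Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51.exe N/A",
]

# Whitespace splitting is unsafe because the Indicator column may contain
# spaces, so the Process column is anchored on a drive-letter path instead.
ROW_RE = re.compile(
    r"^(?P<description>Key \w+)\s+"
    r"(?P<indicator>\\REGISTRY\\.*?)\s+"
    r"(?P<process>[A-Za-z]:\\.*?)\s+"
    r"(?P<target>\S+)$"
)


@dataclass(frozen=True)
class RegistryEvent:
    description: str
    indicator: str
    process: str
    target: str


def parse_row(row: str) -> RegistryEvent:
    """Accept either the raw whitespace-separated row or a ' | ' delimited one."""
    if " | " in row:
        parts = [p.strip() for p in row.split(" | ")]
        if len(parts) != 4:
            raise ValueError(f"expected 4 columns: {row!r}")
        return RegistryEvent(*parts)
    m = ROW_RE.match(row.strip())
    if m is None:
        raise ValueError(f"unparseable row: {row!r}")
    return RegistryEvent(**m.groupdict())


# Heuristics: assumptions of this example, not the sandbox's own rules.
LANGUAGE_KEY_SUFFIXES = ("\\control\\nls\\language", "\\control\\nls\\locale")
IE_MAIN_SUFFIX = "\\software\\microsoft\\internet explorer\\main"
TEMP_DIR_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def classify(ev: RegistryEvent) -> list[str]:
    key = ev.indicator.lower()
    proc = ev.process.lower()
    tags: list[str] = []
    if ev.description == "Key opened" and key.endswith(LANGUAGE_KEY_SUFFIXES):
        # Reading the installed-language key is the locale check malware uses
        # to avoid running in certain regions (ATT&CK T1614.001).
        tags.append("T1614.001 system language discovery")
    if ev.description in ("Key created", "Key set") and key.endswith(IE_MAIN_SUFFIX):
        tags.append("modifies Internet Explorer settings")
    if tags and any(marker in proc for marker in TEMP_DIR_MARKERS):
        tags.append("actor process runs from a temp directory")
    return tags


def triage(rows: list[str]) -> dict[str, list[str]]:
    """Map each row's Indicator to the tags it earns; untagged rows are omitted."""
    result: dict[str, list[str]] = {}
    for row in rows:
        ev = parse_row(row)
        tags = classify(ev)
        if tags:
            result[ev.indicator] = tags
    return result


if __name__ == "__main__":
    for indicator, tags in triage(REPORT_ROWS).items():
        print(indicator, "->", ", ".join(tags))
```

Both rows come from the same process in the user's Temp directory, which is why the temp-directory tag attaches to each finding; on a real host the same parser would be fed from Sysmon registry events rather than report rows.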

Processes

C:\Users\Admin\AppData\Local\Temp\8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51.exe

"C:\Users\Admin\AppData\Local\Temp\8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 15:00

Reported

2024-11-10 15:04

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51.exe

"C:\Users\Admin\AppData\Local\Temp\8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
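Every entry in the Network table is a reverse-DNS (PTR) query sent to 8.8.8.8: a name such as 97.17.167.52.in-addr.arpa encodes the address 52.167.17.97 with its octets in reverse order. The following is an added example, not code from the sandbox report or its vendor: it decodes those names back to the addresses being resolved and summarises what the table does and does not show. The rows are copied from the table; the choice of summary fields is this example's own.

```python
"""Added example (not part of the sandbox report): decode the in-addr.arpa
names in the Network table back to IPv4 addresses and summarise the lookups."""
import ipaddress
from collections import Counter
from typing import Optional

# Rows copied from the behavioral2 Network table (Country Destination Domain Proto).
NETWORK_ROWS = [
    "US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp",
    "US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp",
    "US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp",
    "US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp",
    "US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp",
    "US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp",
    "US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp",
    "US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp",
    "US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp",
    "US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp",
    "US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp",
]


def ptr_to_ipv4(name: str) -> Optional[ipaddress.IPv4Address]:
    """Return the address an in-addr.arpa name refers to, or None if the name
    is not a complete (four-label) IPv4 reverse name."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        # The octets are stored least-significant first; reverse them.
        return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    except ipaddress.AddressValueError:
        return None


def parse_rows(rows: list[str]) -> list[dict]:
    records = []
    for row in rows:
        fields = row.replace("|", " ").split()  # accept raw or ' | ' delimited rows
        if len(fields) != 4:
            raise ValueError(f"expected 4 columns: {row!r}")
        country, destination, name, proto = fields
        resolver, _, port = destination.rpartition(":")
        records.append({
            "country": country,
            "resolver": resolver,
            "port": int(port),
            "name": name,
            "proto": proto,
            "address": ptr_to_ipv4(name),
        })
    return records


def resolved_addresses(rows: list[str]) -> list[str]:
    """Decoded addresses in table order (names that are not PTR names are skipped)."""
    return [str(r["address"]) for r in parse_rows(rows) if r["address"] is not None]


def lookup_summary(rows: list[str]) -> dict:
    recs = parse_rows(rows)
    return {
        "resolvers": sorted({r["resolver"] for r in recs}),
        "all_udp_dns": all(r["proto"] == "udp" and r["port"] == 53 for r in recs),
        "resolver_looked_up_itself": any(
            r["address"] is not None and str(r["address"]) == r["resolver"] for r in recs
        ),
        # /16 grouping shows whether the lookups cluster in a few netblocks.
        "by_slash16": Counter(
            str(ipaddress.ip_network(f"{r['address']}/16", strict=False))
            for r in recs if r["address"] is not None
        ),
    }


if __name__ == "__main__":
    for addr in resolved_addresses(NETWORK_ROWS):
        print(addr)
    print(lookup_summary(NETWORK_ROWS))
```

Caveat for anyone lifting indicators from this table: it records only reverse lookups, with no forward DNS queries and no TCP or UDP connections to the decoded addresses, and the Windows 7 run (behavioral1) recorded no network activity at all. Reverse lookups of peer addresses are routinely produced by the analysis environment itself when it enriches whatever the guest contacted, so treat the decoded addresses as context for pivoting, not as C2 indicators, unless a direct connection to them also appears in the report.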

Files

N/A