General

  • Target

    7f0fe0f164eb1473d719006b2b09c40b0e05aa0732331d90f9fd24dcab3a7058.exe

  • Size

    348KB

  • Sample

    241127-pv8e5stmds

  • MD5

    03527c142799c1d689556b147c3437b2

  • SHA1

    5f324fd0cd5f95356e24da4ab4a90b71196113c5

  • SHA256

    7f0fe0f164eb1473d719006b2b09c40b0e05aa0732331d90f9fd24dcab3a7058

  • SHA512

    3258cda3283f9a9b7186be67ae393bd26c12586f538f2b9b729247745fc969a49a4e02e84065d936fee190882d574b2a1f11bac0bbb80b98ab5c92c2d53b1a65

  • SSDEEP

    6144:VFjL41SWW+Yta+ySQ+GyoCZUdzlEOVciyGCE+riGDAGxZKcJv6Msx/BGbFt:VFjs1SWpY/ySBVoCmdzlEqciy+yiGhZ5

Targets

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Modifies WinLogon for persistence

    • Modiloader family

    • ModiLoader Second Stage

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15