General
-
Target
17012025_0103_ENQ-RET-402-1438-PDF.vbs.rar
-
Size
979KB
-
Sample
250117-befhjaxjfs
-
MD5
c17fa0ca98274451805ba156b1298c8a
-
SHA1
5c060a1d0a8d9a397f556041a4c4c610d94dd031
-
SHA256
5aa08f6cc5ea11d8be87ea133041390dd44d961bad6a0a4b9b2e1ad92399d206
-
SHA512
227114bdd5add2afd601e5680ce0ae8baf82f15b4db6146d6bfec0b1196d3823d97e6140e957158259bf11af4baff334eb4e75a67282684953aa7545a9ce47aa
-
SSDEEP
24576:D1mencwJCAGz2Oi3qy3kWDtojuf00kWP128HwMsRBgdT8:Dpz/M2Oi7kNKs1w1/FsRByT8
Static task
static1
Behavioral task
behavioral1
Sample
END-SPECIFICATION,PDF.js
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
END-SPECIFICATION,PDF.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
ENQ-RET-402-1438,PDF.vbs
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
ENQ-RET-402-1438,PDF.vbs
Resource
win10v2004-20241007-en
Malware Config
Extracted
Protocol: smtp- Host:
techniqueqatar.com - Port:
587 - Username:
[email protected] - Password:
TechFB2023$$$
Targets
-
-
Target
END-SPECIFICATION,PDF.js
-
Size
1.2MB
-
MD5
a2b6e68b10d47ce2239cba7094c44d6c
-
SHA1
0484c998965c61654de6bd7c0f19d602a43d4710
-
SHA256
441c59f9b21b7030922e2fbe815ac9a9247da921dadbfd5aa8d56aec956382fb
-
SHA512
1a954da6158ff831bd364fddafc974646a88191be3bc8d313a305fe97b7243a1bec957db1cd1f5ee7710d9330822023d2e80a3d538ec8f96df44a043f4d4f074
-
SSDEEP
24576:BhHitPIlN14h1EWUPoNfkljva8wkIvmdHJGHpT86b0avp4kJL7a5ZKCmjLpvn:oR1lUPompvCSdvkw5wh
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
ModiLoader Second Stage
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
ENQ-RET-402-1438,PDF.vbs
-
Size
1.2MB
-
MD5
a92a052a628a229a76accbff7ee84396
-
SHA1
e8930025f173138403a5c6ff443bff68bf0cfa32
-
SHA256
1eab6be3203ff067848bab4f352281409756fef36927e3f4611ff85504d716ef
-
SHA512
4069b68563417f4856ee9fc01da9b5ee3bcfc8f81262d0e3f75af8ecfbd056baea7310d469aeb937200b966a5e50d638873b6d8a5bc599ef575826c712892656
-
SSDEEP
24576:rhHitPIlN14h1EWUPoNfkljva8wkIvmdHJGHpT86b0avp4kJL7a5ZKCmjLpvr:iR1lUPompvCSdvkw5wl
Score10/10-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
ModiLoader Second Stage
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1