General
-
Target
tmpapw1h1a2
-
Size
75KB
-
Sample
250118-qrse7avrgp
-
MD5
0e7a4e127728e1e48a95c1928606c0af
-
SHA1
ec2a102bdda50542f50d4f64f71c48bb9ffea693
-
SHA256
6f11bddb792856673d09d12e15662d70fa98d16da50d28b21aba4873b6c75fc9
-
SHA512
7edc1f22041efb93b28e8bfcf9762d3b623f85f43e0bbec32353156e536551be8484394ee8250c3844099ae73bba664acd780c71efa5cc3c3b0748b5539b9c2a
-
SSDEEP
1536:d4bv2j4YkkT/O1Kr426/wtN7NctHKfTKPG4vWl/Mf9ZViM59gp/:SbqoL1C4ytNMqfmPGd69/C5
Malware Config
Targets
-
-
Target
tmpapw1h1a2
-
Size
75KB
-
MD5
0e7a4e127728e1e48a95c1928606c0af
-
SHA1
ec2a102bdda50542f50d4f64f71c48bb9ffea693
-
SHA256
6f11bddb792856673d09d12e15662d70fa98d16da50d28b21aba4873b6c75fc9
-
SHA512
7edc1f22041efb93b28e8bfcf9762d3b623f85f43e0bbec32353156e536551be8484394ee8250c3844099ae73bba664acd780c71efa5cc3c3b0748b5539b9c2a
-
SSDEEP
1536:d4bv2j4YkkT/O1Kr426/wtN7NctHKfTKPG4vWl/Mf9ZViM59gp/:SbqoL1C4ytNMqfmPGd69/C5
Score10/10-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
ModiLoader Second Stage
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Hide Artifacts: Hidden Window
Windows that would typically be displayed when an application carries out an operation can be hidden.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
2Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Window
1Modify Registry
3Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2