Overview

overview

10

Static

static

3

Nerestpc/NerestPC.exe

windows11-21h2-x64

10

Nerestpc/bin/Adb.dll

windows11-21h2-x64

1

Nerestpc/b...pi.dll

windows11-21h2-x64

3

Nerestpc/b...pi.dll

windows11-21h2-x64

3

Nerestpc/bin/adb.exe

windows11-21h2-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Nerestpc.zip

  • Size

    12.4MB

  • Sample

    250326-q9acbsyjt3

  • MD5

    593fdee60bf2a345b2b0dfead72796cc

  • SHA1

    3949f39000a87810f638ec0672a440b6438e1928

  • SHA256

    1e61208319c73ce6b35383566c4657dafacbceaddc0b5da7edab1ebc7ce675c6

  • SHA512

    f94a23516184c5e595970bf296e9712308b71673d815c8474d3261bed211c6b5fb02f99bce6b608c29fe324f6695fe6b5a70418211bb80c8a012afa978ec950d

  • SSDEEP

    196608:2iDrvawoBKuJuPbyesL82GnqBjVs8NvHhBMv8tVUt8F5TTdl/2bSG3tWwEa4l4:5oBYbyb8pnqBVLvHhJUt8zPPG8ll4

Score
10/10
modiloaderramnitbankerdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealertrojanupxworm

Malware Config

Targets

    • Target

      Nerestpc/NerestPC.exe

    • Size

      9.0MB

    • MD5

      145be6a19eae5c15f0f585a2f323e3d8

    • SHA1

      4fe360bd989af506a349e78f181cffad0fdf63e1

    • SHA256

      ee106efb13a2c8e570ae1965f3e6ebf25e76296e5bd311d90dff3f78aaab42a0

    • SHA512

      8261499422e8d4d2f6b28bf31b13a63ad4cd8ead089b19bdf3fa14d0deb48a6629e289546f36b80b5bbc4c694434d7c5f4c3bcda6ea6ae589b7cecef90d01946

    • SSDEEP

      196608:xaaKLgaeBMV1x2g5vrPnsvaH7ATG/3lVr99W7SONlmsQd4to:xangTBMfxXvrPdATGvRLOcyto

    Score
    10/10
    modiloaderramnitbankerdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealertrojanupxworm

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Modifies WinLogon for persistence

      persistence

    • Modiloader family

      modiloader

    • Ramnit

      Ramnit is a versatile family that holds viruses, worms, and Trojans.

      trojanspywarestealerwormbankerramnit

    • Ramnit family

      ramnit

    • ModiLoader Second Stage

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

      defense_evasion

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

      execution

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

    • Target

      Nerestpc/bin/Adb.dll

    • Size

      1.3MB

    • MD5

      8818f197cf07662ecc70ae87d77464dd

    • SHA1

      9c3dde439297509b67e56cd9568bd0628ec71d17

    • SHA256

      e8f5a1c3c2f92d861fa868079f80a924be305dd0922a3c023485c9a1291c46fe

    • SHA512

      f07700c7bf954a0f2617e7b3159355bac1f6530b4fcfe62628135f01be70945c8added3b50cab076cb76c0be4387a5b668f6bdc716073a044fff93afa2d01a26

    • SSDEEP

      24576:gctQm1HzhITMNr1/xyDP9UfxD9tRtGHaYwAiuIcHNtFpPNJcqO1vB:gctQm1lnNrZYP4xD9ftIaYwazDJ

    Score
    1/10
    behavioral2

    • Target

      Nerestpc/bin/AdbWinApi.dll

    • Size

      105KB

    • MD5

      73030f38c867f5a7bd6ee331203f3d7a

    • SHA1

      3e71b43c9b25af29bb4b8f455c176c5e89404567

    • SHA256

      9ffacedc41b2752075571e1a474ff50c5dcbe1f64db56db24aaec78aea1126df

    • SHA512

      492988fc89ae61e3af4904c0f593fbc4703293a915901ff98824cdcc77a7ac695faee8e1da56c66e3e2591216234a609841fb2393ce1dd2aeb91014952c6a297

    • SSDEEP

      1536:2wqdq+3pvspmLh8SCykrpTG7kfGHuNezq02XJqo+iFi1yCPP7r3PxUU:2wqD3L8Tezq0et+ui1y6vxr

    Score
    3/10
    discovery
    behavioral3

    • Target

      Nerestpc/bin/AdbWinUsbApi.dll

    • Size

      71KB

    • MD5

      f67d9ec28d19316754d7ecb0e990197d

    • SHA1

      a82ba3ad1a0749dd91eaac34dced3622d10dba54

    • SHA256

      13918fdab0c3ac77d077453a6036247cfeca10910aec845f188c41148c630bb2

    • SHA512

      abd80e386ce282bbb4727c7bd795d7bb0046fecfe65b005c98609f18b341606166187e951a5beacb5112726eab28bf9b75b383cb55ca9d0303b286389fd25022

    • SSDEEP

      1536:q72doFmOiHizFbPlspcsbj5ZsP+YeTs1pH7tsPxHt:qSSfN9+YeTs1pHJcxN

    Score
    3/10
    discovery
    behavioral4

    • Target

      Nerestpc/bin/adb.exe

    • Size

      5.6MB

    • MD5

      f1f479bba21298e758fc22d8d98f8e48

    • SHA1

      2f7ef0bf7a9ca33da621ba29794ae9c8c95c0bca

    • SHA256

      705ddc21f33ac52105d1b075b019962ad0e44fb3d560bde69ce8cb3a36bca183

    • SHA512

      3b491cd07e1e05e14fcec13956e8c023a4f2bbcb9459f3965868a00e33bc4d7e258ac645da9f1b5ca6f9d9a757b879d696ab95800a03240b37aa42265d4e914f

    • SSDEEP

      49152:p1bbBWmqcEr5DV0uLC5sakvVgieBn5BzPZjdZYvM+ojzJLF+vW6Daa55pXxNh9Vm:hgV5mkvt6NzZYU+iWz5iXGTailRRQd

    Score
    3/10
    discovery
    behavioral5

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

AppInit DLLs

1
T1546.010

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

AppInit DLLs

1
T1546.010

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

1
T1562

Safe Mode Boot

1
T1562.009

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks