Overview

overview

10

Static

static

1

PO_0908-09....C.cmd

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PO_0908-0989989_RoyalInternationalConstructionL.L.C.cmd

  • Size

    4.4MB

  • Sample

    250402-hvnbmswks8

  • MD5

    4ccd9114110e590192b6ac291a44aa04

  • SHA1

    82a21588f918e98c1624a80cc45a75984a1cdebc

  • SHA256

    4d0f4d4b0c4be9677d69985483ef77988e997c47457b26a16609fcc89bad5242

  • SHA512

    e0727284c96501044d1d881a03d6e58f0e020656e444a630e9edeef6e68934c243564d48394578a7ff89354771078245d5f3a22f4bdfa1b9e941fe27fad9ab36

  • SSDEEP

    49152:JOZm8FVOULlD5339WohAl04mmVC5zVdcwn/eBoKzBHNsARFiB:E

Score
10/10
modiloadercollectioncredential_accessdiscoveryexecutionstealertrojan

Malware Config

Targets

    • Target

      PO_0908-0989989_RoyalInternationalConstructionL.L.C.cmd

    • Size

      4.4MB

    • MD5

      4ccd9114110e590192b6ac291a44aa04

    • SHA1

      82a21588f918e98c1624a80cc45a75984a1cdebc

    • SHA256

      4d0f4d4b0c4be9677d69985483ef77988e997c47457b26a16609fcc89bad5242

    • SHA512

      e0727284c96501044d1d881a03d6e58f0e020656e444a630e9edeef6e68934c243564d48394578a7ff89354771078245d5f3a22f4bdfa1b9e941fe27fad9ab36

    • SSDEEP

      49152:JOZm8FVOULlD5339WohAl04mmVC5zVdcwn/eBoKzBHNsARFiB:E

    Score
    10/10
    modiloadercollectioncredential_accessdiscoveryexecutionstealertrojan

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Modiloader family

      modiloader

    • ModiLoader Second Stage

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Accesses Microsoft Outlook accounts

      collection

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Modify Authentication Process

1
T1556

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Authentication Process

1
T1556

Credential Access

Modify Authentication Process

1
T1556

Steal Web Session Cookie

1
T1539

Discovery

Query Registry

3
T1012

Remote System Discovery

1
T1018

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Tasks