Managed XDR

018e0011-45a0-d298-ccd8-2b5bbb87854f.eml (Koadic) — malware analysis report

File info

Filename
018e0011-45a0-d298-ccd8-2b5bbb87854f.eml
File type
RFC 822 mail, ASCII text, with very long lines, with CRLF line terminators
File size
1.1 MB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
b2ae5db060901ea51fe6ef9df7b3dfea62a7f63f
SHA256
35bb9d13daf9e506e21050d8e53d7b129bd561fef69324ad89568680aa39a383
MD5
9a8c2c9202b35d97a1c3a4bd9201df12

Malwares

  • Koadic

Signatures

Execution

T1106 susp_callbacks: Suspicious usage of some WinAPI with callbacks

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1027.002 unnamed_memory_regions_contains_pe: One or several unnamed memory regions are PE files
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1140 unpacking_utilities: Uses Windows utilities to unpack data
T1497.003 antisandbox_sleep_utilities: Uses Windows utilities for pausing the execution
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1070.004 self_removal_command: Executes command to delete itself

Credential Access

T1555.003 cookie_files: Accesses cookie files
T1552 cookie_files: Accesses cookie files

Discovery

T1083 crawls_directories: Opens a huge number of directories all over disk C: (possibly, searches for sensitive data)
T1497.003 antisandbox_sleep_utilities: Uses Windows utilities for pausing the execution
T1518 locates_browser: Attempts to identify where browsers are installed
T1016.001 system_network_configuration_discovery: System network configuration discovery detected

Collection

T1560.001 archive_via_utility: Detected archiving data via utility

Command and Control

T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp

Other

yara_rules: Static rules
creates_exe: Creates executable files in the file system
executes_dropped_exe: Executes dropped exe files
creates_in_windows: Creates files in the Windows directory
dbatloader_behaviour: DBatLoader/ModiLoader behaviour
process_crashed: One of the processes has failed
no_graphical_activity: No graphic activity
get_policy_info: Retrieves information about a Policy object
test_check_service: Starts services
checktokenmembership: Checks user token with CheckTokenMembership call
suricata_alert: Malicious traffic detected

Related reports