modiloader | 4411b4a05f3bc654dc86eba66de02e9a20751357b57a411468eee55cf3c879ec | Triage

Submit
Reports

Overview

overview

Static

static

FX-Transfer-Form.xlsx

windows7_x64

FX-Transfer-Form.xlsx

windows10_x64

1

Sharing

General

Target

FX-Transfer-Form.xlsx
Size

1.5MB
Sample

210806-fwsmrzbq1a
MD5

31b142cebbf97b880ead6a2dc3f415e2
SHA1

b8b33c7492e0c6a25b2677f1126663d06a91fc2c
SHA256

4411b4a05f3bc654dc86eba66de02e9a20751357b57a411468eee55cf3c879ec
SHA512

0d4863b7184165fffa02a6bf10a5c157ed8246774cc5da7d9013d8bf448df123abaedbdf2260913b64ca52804190472fbabc483ccffc1b3cc485010d7234e325

Score

10^/10

modiloader xloader 6mam loader persistence rat suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

FX-Transfer-Form.xlsx

Resource

win7v20210408

modiloader xloader 6mam loader persistence rat suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

FX-Transfer-Form.xlsx

Resource

win10v20210410

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

6mam

C2

http://www.mobiessence.com/6mam/

Decoy

gxduoke.com

lawmetricssolicitors.com

e-bizbox.com

ilovemehoodie.com

marcuslafond.com

bransolute.com

kuppers.info

kykyryky.art

vavasoo.com

tlamj.com

besport24.com

hibachiexpressnctogo.com

elglink99.com

maximos.world

uniamaa.com

aladinfarma.com

opticatervisof.com

delhibudokankarate.com

juliekifyukstyle.com

fuzhourexian.com

qvcrx.com

trendyheld.com

hanasugisaki.com

mylifeinpark.com

importexportasia.com

paypalticket5396173.info

threatprotection.net

mayartpaints.com

miamiqueensdress.com

designtomade.com

apacshift.support

candlewooddmc.com

riveraitc.com

adenxsdesign.com

fanbase.fan

beastninjas.com

shkanghong.com

f9fui8.xyz

bgpetty.com

ryderevanrobisonstudio.com

dragonshipping.com

schoolfrontoffice.com

mypursuitpodcast.com

moneyfollowsaction.com

blueline-productions.co.uk

munnarorganics.com

bagyat.com

scientiaxliv.com

genesysshop.com

freehypnosisevent.com

amazebrowser.com

coicplat.com

annettebrownlee.com

hangrylocal.com

titanusedcarsworth.com

geekotronic.com

microwgreens.com

cannamalism.com

at-academy.com

envirotechpropertiesltd.com

ramseybusinessinstitute.info

sublos.com

kilbyrnefarm.com

expressnailsspa.com

Targets

- Target
  
  FX-Transfer-Form.xlsx
- Size
  
  1.5MB
- MD5
  
  31b142cebbf97b880ead6a2dc3f415e2
- SHA1
  
  b8b33c7492e0c6a25b2677f1126663d06a91fc2c
- SHA256
  
  4411b4a05f3bc654dc86eba66de02e9a20751357b57a411468eee55cf3c879ec
- SHA512
  
  0d4863b7184165fffa02a6bf10a5c157ed8246774cc5da7d9013d8bf448df123abaedbdf2260913b64ca52804190472fbabc483ccffc1b3cc485010d7234e325
Score

10^/10

modiloader xloader 6mam loader persistence rat suricata trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

modiloaderxloader6mamloaderpersistenceratsuricatatrojan

behavioral2

© 2018-2024

Terms | Privacy