modiloader | 4c77f00fc7d1b712acbfe44697e36ed638465da6de7dcbef3bb59056358cffc5 | Triage

Submit
Reports

Overview

overview

Static

static

Payment_Co...1.xlsx

windows7_x64

Payment_Co...1.xlsx

windows10_x64

1

Sharing

General

Target

Payment_Confirmation_1.xlsx
Size

1.2MB
Sample

210819-fs5ljrd5j6
MD5

dc861bd05a3e4424f31186fb19c7a2f1
SHA1

0dc660e9a05ff7049f08a052cd7883a7d776f266
SHA256

4c77f00fc7d1b712acbfe44697e36ed638465da6de7dcbef3bb59056358cffc5
SHA512

e490c0d01b8892f7e921fee73024cfbca62bca621e6cc7a6f0e8a4fb80a0e0285a4931e9077ee9a796832c0ffcca05aac185465828d0788a9be7cc84064c822d

Score

10^/10

modiloader xloader 6mam loader persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

Payment_Confirmation_1.xlsx

Resource

win7v20210410

modiloader xloader 6mam loader persistence rat trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Payment_Confirmation_1.xlsx

Resource

win10v20210410

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

6mam

C2

http://www.mobiessence.com/6mam/

Decoy

gxduoke.com

lawmetricssolicitors.com

e-bizbox.com

ilovemehoodie.com

marcuslafond.com

bransolute.com

kuppers.info

kykyryky.art

vavasoo.com

tlamj.com

besport24.com

hibachiexpressnctogo.com

elglink99.com

maximos.world

uniamaa.com

aladinfarma.com

opticatervisof.com

delhibudokankarate.com

juliekifyukstyle.com

fuzhourexian.com

qvcrx.com

trendyheld.com

hanasugisaki.com

mylifeinpark.com

importexportasia.com

paypalticket5396173.info

threatprotection.net

mayartpaints.com

miamiqueensdress.com

designtomade.com

apacshift.support

candlewooddmc.com

riveraitc.com

adenxsdesign.com

fanbase.fan

beastninjas.com

shkanghong.com

f9fui8.xyz

bgpetty.com

ryderevanrobisonstudio.com

dragonshipping.com

schoolfrontoffice.com

mypursuitpodcast.com

moneyfollowsaction.com

blueline-productions.co.uk

munnarorganics.com

bagyat.com

scientiaxliv.com

genesysshop.com

freehypnosisevent.com

amazebrowser.com

coicplat.com

annettebrownlee.com

hangrylocal.com

titanusedcarsworth.com

geekotronic.com

microwgreens.com

cannamalism.com

at-academy.com

envirotechpropertiesltd.com

ramseybusinessinstitute.info

sublos.com

kilbyrnefarm.com

expressnailsspa.com

Targets

- Target
  
  Payment_Confirmation_1.xlsx
- Size
  
  1.2MB
- MD5
  
  dc861bd05a3e4424f31186fb19c7a2f1
- SHA1
  
  0dc660e9a05ff7049f08a052cd7883a7d776f266
- SHA256
  
  4c77f00fc7d1b712acbfe44697e36ed638465da6de7dcbef3bb59056358cffc5
- SHA512
  
  e490c0d01b8892f7e921fee73024cfbca62bca621e6cc7a6f0e8a4fb80a0e0285a4931e9077ee9a796832c0ffcca05aac185465828d0788a9be7cc84064c822d
Score

10^/10

modiloader xloader 6mam loader persistence rat trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

modiloaderxloader6mamloaderpersistencerattrojan

behavioral2

© 2018-2024

Terms | Privacy