modiloader | 4b2e04f07ddbbc25db9260eac2de0d8ce45488b3a2c80de9c384b1abb014bbbd | Triage

Submit
Reports

Overview

overview

Static

static

PI_55034455.xlsx

windows7_x64

PI_55034455.xlsx

windows10_x64

1

Sharing

General

Target

PI_55034455.xlsx
Size

1.3MB
Sample

210826-q7zh934h42
MD5

b677902aa5e2126451dc6258e35d99f5
SHA1

2325d8d4c12de4fcd6b29c152cf4017983730198
SHA256

4b2e04f07ddbbc25db9260eac2de0d8ce45488b3a2c80de9c384b1abb014bbbd
SHA512

e7b2fb8dad97742f85aa935bcde585d1876c79600804f969c8667c2011250b194fb3dc2b505d444a8210590182b2213ace2c09e5fed7f9e370d955796f0fd8d8

Score

10^/10

modiloader xloader ecuu loader persistence rat suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

PI_55034455.xlsx

Resource

win7v20210410

modiloader xloader ecuu loader persistence rat suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

PI_55034455.xlsx

Resource

win10v20210408

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

ecuu

C2

http://www.polaritelibrairie.com/ecuu/

Decoy

buoy8boats.com

tomrings.com

o-distribs.com

majesticgroupinc.com

tehridam.com

yzwjtoys.com

castro-online.run

aquarius-twins.com

jamesrrossfineart.com

pavarasupatthonkol.com

rivermarketdentistry.com

gyiblrjd.icu

redcountrypodcast.com

youngbrotherspharmacyga.com

betsysobiech.com

neocleanpro.com

ingpatrimoine.com

mustangsallytransportation.com

jsvfcxzn.com

krsfpjuoekcd.info

cricutcutfiles.club

fjucurta.com

soberrituals.com

mercamoderna.com

empirerack.com

poorwhitetrashlivesmatter.net

the-boardroom-usa.com

boldgroupghana.com

stathotshots.com

workabhaile.com

drgigadvisors.com

tfqvslhlh.club

meo6.com

myreti.com

tasteofourneighborhood.com

manufacturedinjapan.com

listenstech.com

jdcloud-neucampus.com

westgateoptometry.store

sourcefirstconsulting.com

xmasmobitvbuy.com

blackhillsfarmtn.com

georgiaforless.com

enovexcorp.com

nxtelligence.com

emotionalgangster.com

chainsawsparts.com

dplqyz.com

lossaboresdemama.com

805thaifood.com

safeandsoundyachtservices.com

grandparentsandkids.com

catalystdentalallies.com

keplersark.com

desrefuses.com

comerciolimited.com

cotonslife.com

pegasusf.xyz

rocketmortgagedeceit.com

mypartydelivered.com

gvassummit2020.com

thefamilybubble.com

lgjccz.com

donnaquerns.com

Targets

- Target
  
  PI_55034455.xlsx
- Size
  
  1.3MB
- MD5
  
  b677902aa5e2126451dc6258e35d99f5
- SHA1
  
  2325d8d4c12de4fcd6b29c152cf4017983730198
- SHA256
  
  4b2e04f07ddbbc25db9260eac2de0d8ce45488b3a2c80de9c384b1abb014bbbd
- SHA512
  
  e7b2fb8dad97742f85aa935bcde585d1876c79600804f969c8667c2011250b194fb3dc2b505d444a8210590182b2213ace2c09e5fed7f9e370d955796f0fd8d8
Score

10^/10

modiloader xloader ecuu loader persistence rat suricata trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

modiloaderxloaderecuuloaderpersistenceratsuricatatrojan

behavioral2

© 2018-2024

Terms | Privacy