modiloader | 6b8fb4d4e872cf97e4e4943a9eee6a6d8175f518c039fdc066caae45b21fc5a8 | Triage

Submit
Reports

Overview

overview

Static

static

PO-A5671.xlsx

windows7_x64

PO-A5671.xlsx

windows10_x64

1

Sharing

General

Target

PO-A5671.xlsx
Size

587KB
Sample

210913-v9ez2ahcdl
MD5

5e3cfa8a71fbefaeedfc0d3dbe9f7c51
SHA1

34bf9b8b6c46cfe5ef624cbded56f2d59e1e59d3
SHA256

6b8fb4d4e872cf97e4e4943a9eee6a6d8175f518c039fdc066caae45b21fc5a8
SHA512

9cd7e84b15743bba2b420b17fdc92b7c9b79fb4ad87ab089313662a640ae080154d351522b82adb4e8d624e48d31594d2c51193ccb5b5ab3368956791bba07f5

Score

10^/10

modiloader xloader ecuu loader persistence rat suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

PO-A5671.xlsx

Resource

win7v20210408

modiloader xloader ecuu loader persistence rat suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

PO-A5671.xlsx

Resource

win10-en

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

ecuu

C2

http://www.polaritelibrairie.com/ecuu/

Decoy

buoy8boats.com

tomrings.com

o-distribs.com

majesticgroupinc.com

tehridam.com

yzwjtoys.com

castro-online.run

aquarius-twins.com

jamesrrossfineart.com

pavarasupatthonkol.com

rivermarketdentistry.com

gyiblrjd.icu

redcountrypodcast.com

youngbrotherspharmacyga.com

betsysobiech.com

neocleanpro.com

ingpatrimoine.com

mustangsallytransportation.com

jsvfcxzn.com

krsfpjuoekcd.info

cricutcutfiles.club

fjucurta.com

soberrituals.com

mercamoderna.com

empirerack.com

poorwhitetrashlivesmatter.net

the-boardroom-usa.com

boldgroupghana.com

stathotshots.com

workabhaile.com

drgigadvisors.com

tfqvslhlh.club

meo6.com

myreti.com

tasteofourneighborhood.com

manufacturedinjapan.com

listenstech.com

jdcloud-neucampus.com

westgateoptometry.store

sourcefirstconsulting.com

xmasmobitvbuy.com

blackhillsfarmtn.com

georgiaforless.com

enovexcorp.com

nxtelligence.com

emotionalgangster.com

chainsawsparts.com

dplqyz.com

lossaboresdemama.com

805thaifood.com

safeandsoundyachtservices.com

grandparentsandkids.com

catalystdentalallies.com

keplersark.com

desrefuses.com

comerciolimited.com

cotonslife.com

pegasusf.xyz

rocketmortgagedeceit.com

mypartydelivered.com

gvassummit2020.com

thefamilybubble.com

lgjccz.com

donnaquerns.com

Targets

- Target
  
  PO-A5671.xlsx
- Size
  
  587KB
- MD5
  
  5e3cfa8a71fbefaeedfc0d3dbe9f7c51
- SHA1
  
  34bf9b8b6c46cfe5ef624cbded56f2d59e1e59d3
- SHA256
  
  6b8fb4d4e872cf97e4e4943a9eee6a6d8175f518c039fdc066caae45b21fc5a8
- SHA512
  
  9cd7e84b15743bba2b420b17fdc92b7c9b79fb4ad87ab089313662a640ae080154d351522b82adb4e8d624e48d31594d2c51193ccb5b5ab3368956791bba07f5
Score

10^/10

modiloader xloader ecuu loader persistence rat suricata trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Command-Line Interface

Exploitation for Client Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

modiloaderxloaderecuuloaderpersistenceratsuricatatrojan

behavioral2

© 2018-2024

Terms | Privacy