General

  • Target

    926a1d29e97f80aa65deb0186c1174d85db2236997e4eba91aac0592ff2c077c

  • Size

    1MB

  • Sample

    220420-ewg98sahe5

  • MD5

    accf119512ef395778488003900d8226

  • SHA1

    ba0eff961e9e43ac35a837dd43fcbab2a554d04b

  • SHA256

    926a1d29e97f80aa65deb0186c1174d85db2236997e4eba91aac0592ff2c077c

  • SHA512

    f9fca6f256884a2544fe1f580c6656296c424bf6947acf8c91235d33571e749f8857683917d2196728b9a5bff7817c39926368c26bdc2aaa40cdaab167bb7005

Malware Config

Extracted

Family

modiloader

C2

https://cdn.discordapp.com/attachments/734633826718056471/771632517647695902/Rebxeee

Targets

    • Target

      926a1d29e97f80aa65deb0186c1174d85db2236997e4eba91aac0592ff2c077c

    • Size

      1MB

    • MD5

      accf119512ef395778488003900d8226

    • SHA1

      ba0eff961e9e43ac35a837dd43fcbab2a554d04b

    • SHA256

      926a1d29e97f80aa65deb0186c1174d85db2236997e4eba91aac0592ff2c077c

    • SHA512

      f9fca6f256884a2544fe1f580c6656296c424bf6947acf8c91235d33571e749f8857683917d2196728b9a5bff7817c39926368c26bdc2aaa40cdaab167bb7005

    • ModiLoader, DBatLoader

      ModiLoader (also tracked as DBatLoader) is a Delphi-based loader that abuses legitimate cloud and file-hosting services to fetch and stage other malware families; the extracted C2 above is one such Discord CDN attachment URL.

    • ModiLoader First Stage

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2
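
The two behavioural signatures above (Run-key persistence and a legitimate hosting service used for C2) are the ones a responder would want to check for on other hosts. The following is an added example, not Triage's or the sample's own code: it flags Run-key writes in constructed Sysmon-style registry events and classifies the extracted C2 URL, pulling the channel and attachment IDs out of the Discord CDN path. The ABUSED_HOSTING_DOMAINS list, the event records and the file paths in them are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# C2 URL from the extracted config above.
C2_URL = "https://cdn.discordapp.com/attachments/734633826718056471/771632517647695902/Rebxeee"

# Legitimate file/CDN hosting domains commonly abused to stage payloads.
# This list is an assumption made for the example, not a curated feed.
ABUSED_HOSTING_DOMAINS = {
    "cdn.discordapp.com",
    "media.discordapp.net",
}

# Autostart locations under HKLM/HKU covered by the "Adds Run key" signature.
RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\"
    r"(?:Run|RunOnce|RunServices|RunServicesOnce)\\",
    re.IGNORECASE,
)

# Constructed Sysmon-style events (EventID 13 = RegistryEvent, value set;
# EventID 11 = FileCreate). Paths and value names are made up for the example.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "Image": r"C:\Users\user\AppData\Local\Temp\sample.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\user\AppData\Roaming\Updater\updater.exe"},
    {"EventID": 13,
     "Image": r"C:\Users\user\AppData\Local\Temp\sample.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000002)"},
    {"EventID": 11,
     "Image": r"C:\Users\user\AppData\Local\Temp\sample.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Updater\updater.exe"},
]


def find_run_key_persistence(events):
    """Return the registry value-set events that install an autostart entry."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        target = ev.get("TargetObject", "")
        if RUN_KEY_RE.search(target):
            hits.append({
                "image": ev.get("Image"),
                "value_name": target.rsplit("\\", 1)[-1],
                "command": ev.get("Details"),
            })
    return hits


def classify_c2(url):
    """Parse a C2 URL, flag it when it sits on a legitimate hosting service and,
    for Discord CDN links, extract the channel and attachment identifiers."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    info = {
        "host": host,
        "defanged": url.replace("http", "hxxp").replace(".", "[.]"),
        "legit_hosting_abuse": host in ABUSED_HOSTING_DOMAINS,
        "discord_channel_id": None,
        "discord_attachment_id": None,
        "filename": None,
    }
    m = re.fullmatch(r"/attachments/(\d+)/(\d+)/([^/]+)", parsed.path)
    if host.endswith("discordapp.com") and m:
        info["discord_channel_id"], info["discord_attachment_id"], info["filename"] = m.groups()
    return info


if __name__ == "__main__":
    print(classify_c2(C2_URL))
    for hit in find_run_key_persistence(SAMPLE_EVENTS):
        print("Run key persistence:", hit)
```

The Discord attachment IDs are useful pivots: the channel ID is stable across payload updates even when the filename changes, so it can be blocked or hunted on its own, while the defanged form is what belongs in a ticket or IOC list.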

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                 Technique                             Count  ID
  Persistence            Registry Run Keys / Startup Folder    1      T1060
  Defense Evasion        Modify Registry                       3      T1112
  Defense Evasion        Install Root Certificate              1      T1130
  Command and Control    Web Service                           1      T1102

  The IDs are ATT&CK v6 technique numbers; in current ATT&CK, T1060 maps to T1547.001 and T1130 to T1553.004, while T1112 and T1102 keep their IDs.
