modiloader | 5a116045f9e40be64ae46a63626844ed4dcc5a921485b681ebdbd217664e1342

General

Target

tmp
Size

936KB
Sample

220428-x66dxsbhep
MD5

15c6da72eb32ee1b8ea97d4320a39dff
SHA1

0033e3c5bf6d98124f273a68e3b0da9d12ea56c0
SHA256

5a116045f9e40be64ae46a63626844ed4dcc5a921485b681ebdbd217664e1342
SHA512

a3c5a3560e0fc07ce5b0d30247bda41eb71ec17b2423f586735262055d9e45c3d7421b714931935eae23aba0f273ce7e686cf595d22563052a4c6bb8ac3ff990

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

a2c8

Decoy

sethdukes.online

hustl-hk.com

alienspacebabes.com

yitongbag.com

adlichoob.com

wejust5.com

wwwsnapfinancial.com

patriotcapitalgroupllc.com

divaconnectionbuild.com

adventureventures.net

jaromer.net

closureservices.com

sdc-english.com

fleet-lab.com

gtgits.com

clinicaorion.com

deleaderainfluenceur.com

honghuamach.net

638661.com

sleepgenies.info

Targets

- Target
  
  tmp
- Size
  
  936KB
- MD5
  
  15c6da72eb32ee1b8ea97d4320a39dff
- SHA1
  
  0033e3c5bf6d98124f273a68e3b0da9d12ea56c0
- SHA256
  
  5a116045f9e40be64ae46a63626844ed4dcc5a921485b681ebdbd217664e1342
- SHA512
  
  a3c5a3560e0fc07ce5b0d30247bda41eb71ec17b2423f586735262055d9e45c3d7421b714931935eae23aba0f273ce7e686cf595d22563052a4c6bb8ac3ff990
Score

10^/10

modiloader xloader a2c8 loader persistence rat suricata trojan spyware stealer
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- ModiLoader Second Stage
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

ModiLoader, DBatLoader

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata: ET MALWARE FormBook CnC Checkin (POST) M2

ModiLoader Second Stage

Xloader Payload

Adds policy Run key to start application

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2