modiloader | 4abc64c563b11340e0023040be3b9138f275a3c2fda55cfa9b36f70b1216ac79

General

Target

4abc64c563b11340e0023040be3b9138f275a3c2fda55cfa9b36f70b1216ac79
Size

520KB
Sample

220712-pgpqwahgcm
MD5

2298d699156317e16e5e15c1e574642d
SHA1

2fee660488a31556b676b8153c5e472976f021fd
SHA256

4abc64c563b11340e0023040be3b9138f275a3c2fda55cfa9b36f70b1216ac79
SHA512

27759500d9fc47ad4c7dbc5b45fb1a6d15af1adf039bd8600533d5593a0687a52e06c5c6d546aac5f9144d874b5cd1b3bbe5eba18553ff683c839ad39935d9c3

Score

10^/10

Malware Config

Extracted

Family

netwire

C2

missserver1000.hopto.org:8309

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Targets

- Target
  
  4abc64c563b11340e0023040be3b9138f275a3c2fda55cfa9b36f70b1216ac79
- Size
  
  520KB
- MD5
  
  2298d699156317e16e5e15c1e574642d
- SHA1
  
  2fee660488a31556b676b8153c5e472976f021fd
- SHA256
  
  4abc64c563b11340e0023040be3b9138f275a3c2fda55cfa9b36f70b1216ac79
- SHA512
  
  27759500d9fc47ad4c7dbc5b45fb1a6d15af1adf039bd8600533d5593a0687a52e06c5c6d546aac5f9144d874b5cd1b3bbe5eba18553ff683c839ad39935d9c3
Score

10^/10

modiloader netwire botnet persistence rat stealer trojan upx
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- ModiLoader Second Stage
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

ModiLoader, DBatLoader

NetWire RAT payload

Netwire

ModiLoader Second Stage

Executes dropped EXE

UPX packed file

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2