modiloader | 5576a672ade73b26e1d758c027a867333987d3d2416ed9a726180fb4227a2786

General

Target

5576a672ade73b26e1d758c027a867333987d3d2416ed9a726180fb4227a2786
Size

520KB
Sample

220725-tetdhahchr
MD5

8717d55dac4f12cf84a3b349bdd9823c
SHA1

6281203d0ed33f80dd9f0a18e1a65d271d8213da
SHA256

5576a672ade73b26e1d758c027a867333987d3d2416ed9a726180fb4227a2786
SHA512

5f5b6fab98c389563618f274e7985111221965889a034576c570262063d619d5bcb2dab77a26f9f136c620ba1e965f6a6b13748ff8b81d07555a2f4d80cfaabe

Score

10^/10

Malware Config

Extracted

Family

netwire

C2

superserver100.hopto.org:8973

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Targets

- Target
  
  5576a672ade73b26e1d758c027a867333987d3d2416ed9a726180fb4227a2786
- Size
  
  520KB
- MD5
  
  8717d55dac4f12cf84a3b349bdd9823c
- SHA1
  
  6281203d0ed33f80dd9f0a18e1a65d271d8213da
- SHA256
  
  5576a672ade73b26e1d758c027a867333987d3d2416ed9a726180fb4227a2786
- SHA512
  
  5f5b6fab98c389563618f274e7985111221965889a034576c570262063d619d5bcb2dab77a26f9f136c620ba1e965f6a6b13748ff8b81d07555a2f4d80cfaabe
Score

10^/10

modiloader netwire botnet persistence rat stealer trojan upx
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- ModiLoader Second Stage
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

ModiLoader, DBatLoader

NetWire RAT payload

Netwire

ModiLoader Second Stage

Executes dropped EXE

UPX packed file

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2