modiloader | 6af07885c117845bc153bb846c14f6a0694d86d488458a1d8c1f7d93675aaadf

General

Target

7980226125.zip
Size

451KB
Sample

220907-2bc64saddq
MD5

38a12d2c488eeebaed0f30a0fdddffeb
SHA1

5629c34b7a782965f92b3bc598907901e0fd31a3
SHA256

6af07885c117845bc153bb846c14f6a0694d86d488458a1d8c1f7d93675aaadf
SHA512

a637e399f82765dcedefcc3056bfe5e6838b06302536cb0f3c38900812ea361e51e696b8f2c6600fe13c54e4ae6b8ad54e91a46c796436da4c6b0cd29cc2fe36
SSDEEP

12288:4wjv7ztCNgRLZ6ocO+oA3vxh7lBOJZajp7rvV8tGfd8:tTygT/uvxpukhMGfC

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

euv4

Decoy

anniebapartments.com

hagenbicycles.com

herbalist101.com

southerncorrosion.net

kuechenpruefer.com

tajniezdrzi.quest

segurofunerarioar.com

boardsandbeamsdecor.com

alifdanismanlik.com

pkem.top

mddc.clinic

handejqr.com

crux-at.com

awp.email

hugsforbubbs.com

cielotherepy.com

turkcuyuz.com

teamidc.com

lankasirinspa.com

68135.online

Targets

- Target
  
  Dospjela faktura.exe
- Size
  
  885KB
- MD5
  
  e128d5970cc2d13408916706d4191d55
- SHA1
  
  3405ca7211ed488ee29143783cc98ff91c78efb2
- SHA256
  
  f7dfefe374452d90bc99631bdd38de65f37ff3aefabaeb525aa2b3d97c6680b5
- SHA512
  
  f0d4424a75512e95d7934e8c643ac7807fec678e72c4593c62afc90fd22f9220462b27c1f0a23d27c2c0e4c80b17c15c334782c4aa1ebb7b951316b906584e56
- SSDEEP
  
  12288:+dvSgikKHSXrFGZ/1nPaPih+gTiwCAI5T7grmN7vwui44YXas4E+Jymf7fv:+dkDSXrAzaNaizeaNydYXas4E+Dv
Score

10^/10

modiloader xloader euv4 loader persistence rat trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- ModiLoader Second Stage
- Xloader payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

ModiLoader, DBatLoader

Xloader

ModiLoader Second Stage

Xloader payload

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2