Extracted

• • Target

    b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7

  • Size

    6.3MB

  • MD5

    7f66b63ae030d04a43178df57bb78b1a

  • SHA1

    8605715d8de48241315ec8fcfb91a8380f6776c1

  • SHA256

    b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7

  • SHA512

    4a0590a23c10dd257692e1f4497912935556d4e152fe09ecd1eb2531fba0ee80a079c589068315623ff660c8e5c99871d68a4d48fecfc7ed579081c5e77def46

  • SSDEEP

    98304:A1RaZKOTNyQE17hjs+USipFnLSXF9v8CqLoiLwst/IxZsQU3wDkAaXnmkhD:4aZXTLcVs+upF4Lv8CqSstUKQU1lL5

  Score

  10^/10

  modiloaderpersistencetrojanupxxtremeratratspyware

  • Detect XtremeRAT payload

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader

  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    persistencespywareratxtremerat

  • ModiLoader Second Stage

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Adds Run key to start application

    persistence
  behavioral1behavioral2