modiloader | b5b601f10aa5bd54485c06f1df7633e51c172d7053b9b437fe693ede43b6d8c4 | Triage

Sharing

General

Target

b5b601f10aa5bd54485c06f1df7633e51c172d7053b9b437fe693ede43b6d8c4
Size

564KB
Sample

221126-r5788sef7y
MD5

75b2c3023380074d90b15874c87686ed
SHA1

26bae5e637df0dcfbdf90a98f267fb35f659b4b8
SHA256

b5b601f10aa5bd54485c06f1df7633e51c172d7053b9b437fe693ede43b6d8c4
SHA512

078a155cbc8a43b3c7a835dc4f58bd5dfa8e8af97d4c5c7c3291fbf9040daf7f267f2624fdec18a6a3d93445c897952d09fb888fe466b9aea3868696edcd3eea
SSDEEP

12288:b5mmlOne/yUCKQkMQ3wvA+gCn2RT2FtI7qjuUpqv2GM39/pb:bEmUKZdCn2gFtzH1GM3lpb

Score

10^/10

modiloader evasion persistence

Malware Config

Targets

- Target
  
  NjRat Attacker.exe
- Size
  
  703KB
- MD5
  
  9936a450d518824463e30cf007020244
- SHA1
  
  14a72c0f04982dcda07a45ade15cf27d1b482ffe
- SHA256
  
  4f8418dc705be19e5d031bf388a698633541b5697f18c935013b011010f840ef
- SHA512
  
  16d0105bcd008000442ab6b61065e56e6c57e3aafde6231baa712c44510083f467ca07c52deca03c4aa42fa71301f955086bda442ae9fd272fcaa4869d7ec7fc
- SSDEEP
  
  12288:IwEjZRYiaqpvzSnGIJWDW4+FCOFehumXluwvRZX7jFjVHkoLic:UZeOvzS3JWDW4YC6ZmX3Z3VVV
Score

8^/10

evasion persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

evasionpersistence

behavioral2