modiloader | bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff

General

Target

bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff
Size

116KB
Sample

221128-czkhnagh64
MD5

59bfea24f746e49b632f8d51567b5545
SHA1

b1b7d61d5b5b82c1e01adfae5847e4f904736b62
SHA256

bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff
SHA512

994d3b35cc17b982a49cf4e3280ec839653094304c1c867cbcfa7a3796ea0e642c54ea6c6d6d476179e2a5f0d542cf32868137eaef311052b541b97c65ea2de6
SSDEEP

3072:sr85CDoalQnROfJyk3JaZ846bu93DwMSRywoW:k9D8er6RSRywoW

Score

10^/10

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

حموديذ

C2

mohamednjrat111.no-ip.biz:10

Mutex

01336c20ab363000c950f7cbb76e26b7

Attributes

reg_key
01336c20ab363000c950f7cbb76e26b7
splitter
|'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

تلغيم شير جديد

C2

mohamednjrat111.no-ip.biz:11

Mutex

d6915a2360eec64810596fb674521b88

Attributes

reg_key
d6915a2360eec64810596fb674521b88
splitter
|'|'|

Targets

- Target
  
  bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff
- Size
  
  116KB
- MD5
  
  59bfea24f746e49b632f8d51567b5545
- SHA1
  
  b1b7d61d5b5b82c1e01adfae5847e4f904736b62
- SHA256
  
  bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff
- SHA512
  
  994d3b35cc17b982a49cf4e3280ec839653094304c1c867cbcfa7a3796ea0e642c54ea6c6d6d476179e2a5f0d542cf32868137eaef311052b541b97c65ea2de6
- SSDEEP
  
  3072:sr85CDoalQnROfJyk3JaZ846bu93DwMSRywoW:k9D8er6RSRywoW
Score

10^/10

modiloader neshta njrat تلغيم شير جديد حموديذ evasion persistence spyware stealer trojan
- Detect Neshta payload
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- ModiLoader Second Stage
- Blocklisted process makes network request
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral1 behavioral2