modiloader | 109ab3837f865b4ba288ca4a1fa4e8d416c04b3686376c55128553d4a4db55b5

General

Target

vadesi gecmis fatura.exe
Size

824KB
Sample

221201-tpzchaac9w
MD5

4575f347077760e1257159f74291fad0
SHA1

d65c9fa35db54403c42b2731f6c616317eb23b78
SHA256

109ab3837f865b4ba288ca4a1fa4e8d416c04b3686376c55128553d4a4db55b5
SHA512

d238fead3b0efa0c6140f587b1d9ff9a9b7298189d6153a3d53aaeaa95b440807e9871ed60706e85c5f396f272ce6ab548184a0ba64c9f8e7b04300fed96936e
SSDEEP

12288:88xW3p8fe9EgNBWWJXVy20V0abqYU3K4j2X2Er5OxG2:8xCfe9EmLJlNIF3RXVr0G

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

uj3c

Decoy

copimetro.com

choonchain.com

luxxwireless.com

fashionweekofcincinnati.com

campingshare.net

suncochina.com

kidsfundoor.com

testingnyc.co

lovesoe.com

vehiclesbeenrecord.com

socialpearmarketing.com

maxproductdji.com

getallarticle.online

forummind.com

arenamarenostrum.com

trisuaka.xyz

designgamagazine.com

chateaulehotel.com

huangse5.com

esginvestment.tech

Targets

- Target
  
  vadesi gecmis fatura.exe
- Size
  
  824KB
- MD5
  
  4575f347077760e1257159f74291fad0
- SHA1
  
  d65c9fa35db54403c42b2731f6c616317eb23b78
- SHA256
  
  109ab3837f865b4ba288ca4a1fa4e8d416c04b3686376c55128553d4a4db55b5
- SHA512
  
  d238fead3b0efa0c6140f587b1d9ff9a9b7298189d6153a3d53aaeaa95b440807e9871ed60706e85c5f396f272ce6ab548184a0ba64c9f8e7b04300fed96936e
- SSDEEP
  
  12288:88xW3p8fe9EgNBWWJXVy20V0abqYU3K4j2X2Er5OxG2:8xCfe9EmLJlNIF3RXVr0G
Score

10^/10

modiloader trojan xloader uj3c loader persistence rat spyware stealer
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- ModiLoader Second Stage
- Xloader payload
  rat
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

ModiLoader, DBatLoader

Xloader

ModiLoader Second Stage

Xloader payload

Adds policy Run key to start application

Blocklisted process makes network request

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2