Overview

overview

10

Static

static

1

09544353425756.exe

windows7-x64

10

09544353425756.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ab3546128bf2fbb96f21a553059b1537.bin

  • Size

    336KB

  • Sample

    230301-b1r4fsea69

  • MD5

    02da1eab1ea9c5c4c82b7ddc3ff099f4

  • SHA1

    7aa078b538e56aa9c447783dc9f516cbb460b9c7

  • SHA256

    80497ff7af74434c77dd016e0cac2e88b861bfa5aa166b16dfb3d27a9d2567ac

  • SHA512

    e2d4dabda141273f71b5410d2cafaf11f6d74c8012a48b8247b8da3eca23f1c7e7db9e7be55c661d25b829d6f1a87d68c71cbc57153a10472bd6c0d20d0521ca

  • SSDEEP

    6144:hH4kuDRGR1qYXjOCiOf+dNQBqcH96c9gSiLccFTlM4q1IONA:hYkSRKqwCvOUNQccH966PioWJnqaOy

Score
10/10
modiloaderxloaderuj3cloaderpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

uj3c

Decoy

copimetro.com

choonchain.com

luxxwireless.com

fashionweekofcincinnati.com

campingshare.net

suncochina.com

kidsfundoor.com

testingnyc.co

lovesoe.com

vehiclesbeenrecord.com

socialpearmarketing.com

maxproductdji.com

getallarticle.online

forummind.com

arenamarenostrum.com

trisuaka.xyz

designgamagazine.com

chateaulehotel.com

huangse5.com

esginvestment.tech

Targets

    • Target

      09544353425756.exe

    • Size

      771KB

    • MD5

      cec36e0796a2cbb1fbc62a0da6f109bb

    • SHA1

      1564c76aa35fb9668428fd9fdec8b60bd61596b5

    • SHA256

      60e62d5459b1971893914ca21242c08a31cdc2dcdeed79e92c0b594e43bf8ec5

    • SHA512

      76df43d7cc966ed43fb02ee1ebb9967c916f5e5d3c6c659a2840945e1e30df4dbdad151ac7c6e944660437045ea8a0bccfb917d378be6ed5df817bf753d96e1d

    • SSDEEP

      12288:Pr5Nxzs78p/cJCzQkgtr80XGjObPkOOfIiteSmF0Z/:PFvzs7bJWbgtopibPkOOnm0

    Score
    10/10
    modiloadertrojanxloaderuj3cloaderpersistenceratspywarestealer

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • ModiLoader Second Stage

    • Xloader payload

      rat

    • Adds policy Run key to start application

      persistence

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

4
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks