modiloader | eb9fc3569f0d54f3d2fe243c68864a465e779b05857fb435bcca83b54db53bc6

General

Target

26ec8c56bbc594081afcee37dcb2ba4d.bin
Size

475KB
Sample

230512-bpad9sde3s
MD5

bf8f1e2b7eca8c201c802146c2c7002f
SHA1

dc5267c759178a60fc77c72d07e3400747a2b033
SHA256

eb9fc3569f0d54f3d2fe243c68864a465e779b05857fb435bcca83b54db53bc6
SHA512

2b7854900d911ccfd5da0eb48a5bfb6ce5d4c61254510f66c1fea84c7031b690f3362292ef89d583bd95f23b53c2d157c2254018607f03b5dad82589523acc2f
SSDEEP

12288:yS4DwSi7B5aGPEgiZEgNLNioCWvIrrc3U4:yRUV4AoOc3U4

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

uj3c

Decoy

copimetro.com

choonchain.com

luxxwireless.com

fashionweekofcincinnati.com

campingshare.net

suncochina.com

kidsfundoor.com

testingnyc.co

lovesoe.com

vehiclesbeenrecord.com

socialpearmarketing.com

maxproductdji.com

getallarticle.online

forummind.com

arenamarenostrum.com

trisuaka.xyz

designgamagazine.com

chateaulehotel.com

huangse5.com

esginvestment.tech

Targets

- Target
  
  092726376263728.DOC.exe
- Size
  
  798KB
- MD5
  
  fc317530c3a698867861a965caa34bad
- SHA1
  
  2700a38ef604d78793da302664afc7d27bbb0b1c
- SHA256
  
  9973a0ac74f8649b431499862359352cc0e8639f4f46ae5ae2371fcdaaf31320
- SHA512
  
  f01c04b08d76f7eef6426a129dc39ea1ab60d99c52804b999b4b89c53d6d83f0ad17db311186f899f4924a5bdd38577ef8d803ae909ff700ccb68c66511d3db9
- SSDEEP
  
  12288:TNLhcjoS4FC7ITh3IBPmOt50Pbkttml53kbXJ2zlLj0:T9hcsFCMTaFCKIsbZ2h
Score

10^/10

modiloader trojan xloader uj3c loader persistence rat spyware stealer
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- ModiLoader Second Stage
- Xloader payload
  rat
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

ModiLoader, DBatLoader

Xloader

ModiLoader Second Stage

Xloader payload

Adds policy Run key to start application

Blocklisted process makes network request

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2