modiloader | 1d2822a34aa548e8e890e33b66cf6722e0bdb82944dae1b53feaf902790c5254

Resubmissions

11-04-2024 15:50

240411-tacvysaa6y 10

11-04-2024 14:37

240411-ry8lesde42 10

09-04-2024 17:30

240409-v3hscaha8y 10

08-01-2024 17:24

240108-vy3xqaecgj 10

Sharing

Copy URL

Twitter E-mail

General

Target

fatalerror.exe
Size

19.9MB
Sample

240409-v3hscaha8y
MD5

62df3bbc2aaeddab1942f1ed0b2db429
SHA1

a31b35f778fa5bec3a09b215db38d891fa45510d
SHA256

1d2822a34aa548e8e890e33b66cf6722e0bdb82944dae1b53feaf902790c5254
SHA512

6ab2b5f72db8b6e386c142e330807bd2eec9983c04ab034c4011c053a5be0294514f06693c66a9f8b6bcc7b60d1646810f7c2cda4379b6cdbda2f9d5d047bfdd
SSDEEP

393216:jDLmcuBUDiQv3FlGzbhweRo3W6aJZCN7TW/0k6CN1VWtES:jflGw3F6dwijJZCN2sA1Vc

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

TcK6iKFmjhETcMYi

Attributes

install_file
USB.exe
pastebin_url
https://pastebin.com/raw/RqgnZ1zk

aes.plain

Extracted

Family

xworm

tr1.localto.net:39186

Attributes

Install_directory
%ProgramData%
install_file
Microsoft Storge.exe

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Extracted

Family

xtremerat

antonioxx.no-ip.org

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Path

C:\Users\Admin\Desktop\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Targets

- Target
  
  fatalerror.exe
- Size
  
  19.9MB
- MD5
  
  62df3bbc2aaeddab1942f1ed0b2db429
- SHA1
  
  a31b35f778fa5bec3a09b215db38d891fa45510d
- SHA256
  
  1d2822a34aa548e8e890e33b66cf6722e0bdb82944dae1b53feaf902790c5254
- SHA512
  
  6ab2b5f72db8b6e386c142e330807bd2eec9983c04ab034c4011c053a5be0294514f06693c66a9f8b6bcc7b60d1646810f7c2cda4379b6cdbda2f9d5d047bfdd
- SSDEEP
  
  393216:jDLmcuBUDiQv3FlGzbhweRo3W6aJZCN7TW/0k6CN1VWtES:jflGw3F6dwijJZCN2sA1Vc
Score

10^/10

modiloader sality smokeloader wannacry xtremerat xworm zgrat backdoor discovery evasion persistence ransomware rat spyware trojan upx worm
- Detect XtremeRAT payload
- Detect Xworm Payload
- Detect ZGRat V1
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Sality
  Sality is backdoor written in C++, first discovered in 2003.
  backdoor sality
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- ModiLoader Second Stage
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Modifies file permissions
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1