modiloader | 1d2822a34aa548e8e890e33b66cf6722e0bdb82944dae1b53feaf902790c5254

Sharing

Copy URL

Twitter E-mail

General

Target

2024-04-13_62df3bbc2aaeddab1942f1ed0b2db429_wannacry
Size

19.9MB
Sample

240414-aa52yseg61
MD5

62df3bbc2aaeddab1942f1ed0b2db429
SHA1

a31b35f778fa5bec3a09b215db38d891fa45510d
SHA256

1d2822a34aa548e8e890e33b66cf6722e0bdb82944dae1b53feaf902790c5254
SHA512

6ab2b5f72db8b6e386c142e330807bd2eec9983c04ab034c4011c053a5be0294514f06693c66a9f8b6bcc7b60d1646810f7c2cda4379b6cdbda2f9d5d047bfdd
SSDEEP

393216:jDLmcuBUDiQv3FlGzbhweRo3W6aJZCN7TW/0k6CN1VWtES:jflGw3F6dwijJZCN2sA1Vc

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

TcK6iKFmjhETcMYi

Attributes

install_file
USB.exe
pastebin_url
https://pastebin.com/raw/RqgnZ1zk

aes.plain

Extracted

Family

xworm

tr1.localto.net:39186

Attributes

Install_directory
%ProgramData%
install_file
Microsoft Storge.exe

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Extracted

Family

xtremerat

antonioxx.no-ip.org

Extracted

Family

njrat

Version

im523

Botnet

5.tcp.eu.ngrok.io:13017

Mutex

8b094ade9743639b941a0474f6aa7525

Attributes

reg_key
8b094ade9743639b941a0474f6aa7525
splitter
|'|'|

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Targets

- Target
  
  2024-04-13_62df3bbc2aaeddab1942f1ed0b2db429_wannacry
- Size
  
  19.9MB
- MD5
  
  62df3bbc2aaeddab1942f1ed0b2db429
- SHA1
  
  a31b35f778fa5bec3a09b215db38d891fa45510d
- SHA256
  
  1d2822a34aa548e8e890e33b66cf6722e0bdb82944dae1b53feaf902790c5254
- SHA512
  
  6ab2b5f72db8b6e386c142e330807bd2eec9983c04ab034c4011c053a5be0294514f06693c66a9f8b6bcc7b60d1646810f7c2cda4379b6cdbda2f9d5d047bfdd
- SSDEEP
  
  393216:jDLmcuBUDiQv3FlGzbhweRo3W6aJZCN7TW/0k6CN1VWtES:jflGw3F6dwijJZCN2sA1Vc
Score

10^/10

modiloader njrat sality smokeloader xtremerat xworm gg backdoor evasion persistence rat spyware trojan upx
- Detect XtremeRAT payload
- Detect Xworm Payload
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Sality
  Sality is backdoor written in C++, first discovered in 2003.
  backdoor sality
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
- Detects Windows executables referencing non-Windows User-Agents
- Detects executables manipulated with Fody
- Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
- ModiLoader Second Stage
- UPX dump on OEP (original entry point)
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2