modiloader | 1c32ad6528891fdda5b9605d6ff5963b8b47d431b11a2252837e29f67bfd3b1d

General

Target

1c32ad6528891fdda5b9605d6ff5963b8b47d431b11a2252837e29f67bfd3b1d
Size

1.4MB
Sample

240510-kr7l8ade8v
MD5

b43a05bb4ae21cc7fa1f60dee06b45f4
SHA1

5e94c9a0d858765726c4e3692c261502dae18af4
SHA256

1c32ad6528891fdda5b9605d6ff5963b8b47d431b11a2252837e29f67bfd3b1d
SHA512

571acf3399c57167f7569cacb6b9a7d22c9603b21bdae8d094b38e89a190191a981987d8c492e2ece3d27202e30ffe8bb3c80b544704ef8c79ab1586eba70113
SSDEEP

24576:7dxk6IU+gdnKvY8qTZ1SWvJZJCl3SMgI58BcGg2cvGj81rQGXg7SxhEEEEEEEEEI:7QVgda6Z1zYl3SMgGCcGg2cvGj81rQGV

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
sslout.de
Port:
587
Username:
[email protected]
Password:
dataset123

Targets

- Target
  
  doc023561361500__079422732__202410502__000023.pdf.exe
- Size
  
  897KB
- MD5
  
  7d3c29dcdf50082543dcc15e2258dc35
- SHA1
  
  f608850779d56d5c398f595ee805f200fbdd3153
- SHA256
  
  cdc1aa78c777e437a8945a500650fd6fbee46ece9f29537566dbd7ea13d21978
- SHA512
  
  ce0aff6614d7d89d3acc7a7c06647ef599aa7381e014c754ec80e51dc12ede5f23b54c29468f31b811372b15a299e2d3b0cbbf971b2c0dde9e1daf366de7ed66
- SSDEEP
  
  24576:2dxk6IU+gdnKvY8qTZ1SWvJZJCl3SMgI58BcGg2cvGj81rQGXg7SxhEEEEEEEEEI:2QVgda6Z1zYl3SMgGCcGg2cvGj81rQGV
Score

10^/10

modiloader zgrat rat spyware stealer trojan
- Detect ZGRat V1
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- ModiLoader Second Stage
- Executes dropped EXE
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

4

T1005

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Detect ZGRat V1

ModiLoader, DBatLoader

ZGRat

ModiLoader Second Stage

Executes dropped EXE

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3