Extracted

• • Target

    vamicheatloader.exe

  • Size

    77KB

  • MD5

    b074da06d9857ac5261d62b2446774a4

  • SHA1

    7137511fab7f416097aafba40cb0b6becf6c9d6e

  • SHA256

    d75b041e9c687214d97c0110be211d91d0242115475171620a8791f6e79bfc58

  • SHA512

    04faf087159d02915d9981f4666b2dcc1441f6212f9fe8ef8750e1b69436159ac1063c9a2191f59c77864b7688955e3f5e9db7fe0c5f50791bcbb52c49fa3367

  • SSDEEP

    1536:+dWwWpRvrlUSvelsuFXvnd4hbAbYUU0XXS06YTUgOrEKvN:I2TSSmnZvGAbD5iST/Or9N

  Score

  10^/10

  xwormexecutionpersistencerattrojanmodiloaderupx

  • Detect Xworm Payload

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • ModiLoader Second Stage

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Modifies Installed Components in the registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2