modiloader | 5834f6ae3522131494c225a93c30173430be80b5c144519b265395c54f35172b

Sharing

Copy URL

Twitter E-mail

General

Target

JfPvxHzKLqqy.zip
Size

4.9MB
Sample

240811-eppqqsyckg
MD5

b465fbb4ac490a317784c951cc3014b8
SHA1

a3c16d70c6f6058a3c43baf9bcd9924e4e545043
SHA256

5834f6ae3522131494c225a93c30173430be80b5c144519b265395c54f35172b
SHA512

80a8ee81e95802f570986384b7d068833c0368dba4a63c39b16257efc398f38b7f7f716821185fb0701978bbce486e9bc523fb61d31a0bba9e568ee17c060156
SSDEEP

98304:vTxDa956OCei+WuHMycOenShP7B1Plb83ixEI0/6JZwionhdCuDYK6qMd:7OBrWusqP7BZoI0zi6dCuh69

Malware Config

Extracted

Family

warzonerat

168.61.222.215:5400

Extracted

Family

modiloader

https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

nickman12-46565.portmap.io:46565

nickman12-46565.portmap.io:1735

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
Userdata.exe
copy_folder
Userdata
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%\System32
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%WinDir%\System32
mouse_option
false
mutex
remcos_vcexssuhap
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Targets

- Target
  
  FreePiano/freepiano.exe
- Size
  
  1.3MB
- MD5
  
  0742c857b186d7178a6f13c16765086c
- SHA1
  
  082a0aebe67a8991a968972127d2ee8bad6bab1d
- SHA256
  
  f53c7cdf9fa04426f4e1100d7347d35eeb4fbd7c6795651412d229fa77ab8698
- SHA512
  
  d2d6877092dfb2483a0b9efa2b7774178185c9c477b66baaaf38b30b672f023008e2e8a2289f205f3c73ead24f5360b578f6a56100c9687422b060f1cb5c673d
- SSDEEP
  
  24576:GVGj/JdqXfc9NubYNr7dxGycjkUTZZWIDR7p35DNy09x/:GVGjhdjTWarBxGYUTbW0d57V
Score

6^/10

discovery
- Legitimate hosting services abused for malware hosting/C2
behavioral1
- Target
  
  FreePiano/plugins/plugin_sf2.dll
- Size
  
  329KB
- MD5
  
  94c59894d08d1c749f63682cb8797095
- SHA1
  
  3fc15161462973569f91e2b3b880d64c385b2689
- SHA256
  
  d0b80fbf7ebc9e392813beaf518d856204338e7127dc98c80b8e0396b9fea09f
- SHA512
  
  6ce996a7f686b19a4a146b8ddbfb54b03f0a4ed09995618305ef6ed644b44e3ca5733f5a0a332499b243288d3578c3b26c2240c086ab91b3e5ec9f23bf9879ea
- SSDEEP
  
  6144:OfZpm6lJwGaoGBM7lTWaAmlTSKQkcgiofhk2Bf50l3Mx:OfZJaoGp7yTwkbio8
Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Sets desktop wallpaper using registry
  ransomware
behavioral2
- Target
  
  FreePiano/plugins/plugin_xfmp4.exe
- Size
  
  1.7MB
- MD5
  
  1c6f91887e9d23c721ed5475b566d294
- SHA1
  
  f505b6e02047b082038110b22e4e48137fe3f3fc
- SHA256
  
  3b2dbd1e356d3a32914f5db00a2dc10d697f90568adfd17d739ebcceeabe1c8d
- SHA512
  
  c1af6c6187c1f7d67ce212aa15df2ff284354f442cb5bf3bdd38674e7b96443b90d162af8f845c94991f8d29ebde13742c84e79e7e2862b955bc645e08e753aa
- SSDEEP
  
  24576:oTLRacbJBSmMDs1mppQRqWJ0U6Ae8yYzWDILv+uysEa4rl5kSauS2emE8dvTjfK7:GNamMeu4Evl5N7jfTk3mM
Score

3^/10

discovery
behavioral3
- Target
  
  FreePiano/vsti/mdaPiano.dll
- Size
  
  1.2MB
- MD5
  
  5e76e2ad4a687607cff24982c52c8baf
- SHA1
  
  2435090a8e6b56b2e1aa4cc14b9861a34c090519
- SHA256
  
  0be2c93d003df789c7c403d1600b226b0903b4f7cee65322de4e4416aaf9dc22
- SHA512
  
  de9785844b50bf6fbe2e49a8e4088448a8ccee747250b012ccb31d487ac6f2ec0763a328bc2669b2a4d40c0b3f7a2657a174b6e23c1e18780908ec5b22fbd34b
- SSDEEP
  
  24576:qBPR0oMw19/aEkwJtqQbZSqpWgeNKglzvQDhi9vWa2IiGhyY5P0:qBp+7wJtrbZPshKezvQtiM5IiQyE
Score

1^/10
behavioral4
- Target
  
  QWERTY/Midi to Qwerty.exe
- Size
  
  633KB
- MD5
  
  daccc6a58f6c2417af857515fc652801
- SHA1
  
  4eedec65a5d5cc7f564ba4d61e92d4689ec09e0b
- SHA256
  
  fdc2e3f71edf456bfb5ff0e9d40a37455e928ba3cc47c84fbc839481ba5f5202
- SHA512
  
  6f612d2feca403a0c59ae0dd6e14599d32a97cb3d9fea14aedd4f79ed0a158bd71b535d8e36434cf07f505e75ea4e8b10e23af3d14e10c1188872bebec5d1e18
- SSDEEP
  
  12288:XCSqsbdmp6WTL7+MGBolVhatpL1CUn9X5Gp:y64p1TL7+FBolVhaH1CUn8
Score

1^/10
behavioral5
- Target
  
  QWERTY/SDL2.dll
- Size
  
  2.1MB
- MD5
  
  8cefc3cbc917011cefacc145945f0bbe
- SHA1
  
  15ee32dfda843229adc4be8df7a267da0e5a61d1
- SHA256
  
  74889602f25135db1489529dc0a5170f65fc756886b744aa6a414529b8abd3d9
- SHA512
  
  2b26813d2482a51b8bcc6df3c50de0735c6f10ce89e11a7aeff4e7ec4d1def5ff93cf03ed09cda1d5039807e63d8dfc35e44d3060330e3420ab0dafa993bc949
- SSDEEP
  
  24576:mdlZagmDN5+fmLybQeeeB5eMpZV3iItgVK8IIVb7Z00Z6O5c4ObjbtnG4+QDYnTT:euqo75Vbt5cAV309/Fof4J/Urvmf+
Score

1^/10
behavioral6
- Target
  
  QWERTY/portmidi.dll
- Size
  
  31KB
- MD5
  
  8435cf62e67bd4b2e59a46907381fcf7
- SHA1
  
  c026dd619c9b720c4440bcd8899061dce5c059e6
- SHA256
  
  0d64c046c16d8d089f55c45d3bae20f577204783c2c8fad100bb26d897383d9b
- SHA512
  
  d9f294e660bff092397969e49cbb7b8c1a7a3063b9abe865e3ba167a0da05dec456a8d273e8dbcaa0ff3387584211246c80e575de1b66efac8c22c888f39d7cd
- SSDEEP
  
  384:hkaJm/t67EBgc5F8idwV9P9P7OWjAE8y2k8izHh3hSHAuG+sZa3dj4OeDq9Gk4gp:kYFDf0SAE9fzHh3hIX4Z6qdaaq
Score

1^/10
behavioral7
- Target
  
  setuploopbe1.exe
- Size
  
  992KB
- MD5
  
  143a3ec92e603a8eb863bef2d6f4da12
- SHA1
  
  fc0a87961f1fa5d645ea63689b0e23b491092891
- SHA256
  
  0958b39c23e02f86ba63f520cfc333842e3f7c31e197416c12f2718756ecb9be
- SHA512
  
  49ce58b19b86f9d2062feeed62f15c87214a5324977ab94c3421add26f79d48a29e0d590266c25c8acf01bbcf369af6bc27b1e749e0761726210724d695a2116
- SSDEEP
  
  24576:H1FFxG1QXI0iWkKZnj5v747E2As7mb2uC4OS:lxGW4SvcoPgIC4L
Score

7^/10

discovery
- Loads dropped DLL
behavioral8
- Target
  
  $PLUGINSDIR/DIFxAPI.dll
- Size
  
  513KB
- MD5
  
  f5558c67a3adb662d43d40a1cbde4160
- SHA1
  
  74ad5dd123037cf4d434c5073cbe04c0bcba4e79
- SHA256
  
  83c43d65084cd202aa9982af6d87c963a05035f1e2cdac48304fa299584e3242
- SHA512
  
  6df9f780adda4f52d7fbb3baa6af3028c0523ff514f1df0e7dfe380ce21116e09a6f1f3820c316a9af7e16043eb04cdbfe5e885ca24528661c05e32cd18b2046
- SSDEEP
  
  12288:6sxYL+kJmoPdVp6s3EJBjCvuF17+2NdJfx:6sxwSoPdVoBjCvuF17+2NdJfx
Score

1^/10
behavioral9
- Target
  
  $PLUGINSDIR/InstallOptions.dll
- Size
  
  14KB
- MD5
  
  0dc0cc7a6d9db685bf05a7e5f3ea4781
- SHA1
  
  5d8b6268eeec9d8d904bc9d988a4b588b392213f
- SHA256
  
  8e287326f1cdd5ef2dcd7a72537c68cbe4299ceb1f820707c5820f3aa6d8206c
- SHA512
  
  814dd17ebb434f4a3356f716c783ab7f569f9ee34ce5274fa50392526925f044798f8006198ac7afe3d1c2ca83a2ca8c472ca53fec5f12bbfbbe0707abacd6b0
- SSDEEP
  
  192:n6d+dHXLHQOPiY53uiUdigyU+WsPdc/A1A+2jPK72dwF7dBEnbok:n6UdHXcIiY535zBt2jP+BEnbo
Score

8^/10

bootkit discovery evasion persistence
- Disables Task Manager via registry modification
  evasion
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral10
- Target
  
  $PLUGINSDIR/StartMenu.dll
- Size
  
  7KB
- MD5
  
  4e96f412a8cc653053d5d918df6b0836
- SHA1
  
  a3c7d59043feecb1603874b27c23d4166b341f2d
- SHA256
  
  e4a54bfc327986a89165bdef361069810aaa985c3abecd442c786725fabaf977
- SHA512
  
  2fec61b4ad31250bdbdbbfd551d831801790b96902c67200661e8f4f2753378bbf6c0c88b12e1be9173a29597827c1c4809511b6d52666dc3324bd7031c8229d
- SSDEEP
  
  96:IiqA7bDe2xHkR1C41EhvSE+6nNtMn0iGd8CqRLqtJ1trRhElfL:IiqA7/ZH0uQMtcfCqo/tdgf
Score

5^/10

discovery
- Drops file in System32 directory
behavioral11
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  00a0194c20ee912257df53bfe258ee4a
- SHA1
  
  d7b4e319bc5119024690dc8230b9cc919b1b86b2
- SHA256
  
  dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
- SHA512
  
  3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667
- SSDEEP
  
  192:7DKnJZCv6VmbJQC+tFiUdK7ckD4gRXKQx+LQ2CSF:7ViJrtFRdbmXK8+PCw
Score

10^/10

modiloader netwire njrat remcos wannacry warzonerat host botnet defense_evasion discovery evasion execution impact infostealer persistence privilege_escalation ransomware rat rezer0 stealer trojan worm
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modifies WinLogon for persistence
  persistence
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- UAC bypass
  evasion trojan
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- ModiLoader First Stage
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Warzone RAT payload
  rat
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Disables use of System Restore points
  evasion
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Modifies Windows Firewall
  evasion
- Drops startup file
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
  defense_evasion
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral12
- Target
  
  $PLUGINSDIR/UserInfo.dll
- Size
  
  4KB
- MD5
  
  1e8e11f465afdabe97f529705786b368
- SHA1
  
  ea42bed65df6618c5f5648567d81f3935e70a2a0
- SHA256
  
  7d099352c82612ab27ddfd7310c1aa049b58128fb04ea6ea55816a40a6f6487b
- SHA512
  
  16566a8c1738e26962139aae893629098dc759e4ac87df3e8eb9819df4e0e422421836bb1e4240377e00fb2f4408ce40f40eee413d0f6dd2f3a4e27a52d49a0b
Score

8^/10

discovery evasion motw phishing ransomware
- Disables Task Manager via registry modification
  evasion
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Mark of the Web detected: This indicates that the page was originally saved or cloned.
  phishing motw
- Sets desktop wallpaper using registry
  ransomware
behavioral13
- Target
  
  $PLUGINSDIR/drvinst.exe
- Size
  
  188KB
- MD5
  
  dcec5b0cf19b0238ce934467c860ef5a
- SHA1
  
  50c192aeaabf36ca9c0022cdcfc95b409ee820ad
- SHA256
  
  bee3dc2cbff39c84b5a1d00535b20595b935bbcd2d8d24940def5a60a2adb7e6
- SHA512
  
  95edda9a2079284ab9733a4e1363876cb8fdf9f1697c2a1dcc250789e4677ab0e22ade4e26b62329b61f69ad652a92c0489691f28bc169a2890fe85a13d96183
- SSDEEP
  
  3072:Qq35e2JpY92rJpw9lnIXskke/rB94hOI3Yic5K62YQbrwVLnK+35CI:B35e2JpY9GEbnIXs294hOI39b623uX5n
Score

1^/10
behavioral14
- Target
  
  $PLUGINSDIR/loopbe1.sys
- Size
  
  13KB
- MD5
  
  37efb026e1a8a79fbe7044a241281b3e
- SHA1
  
  2338874e4b8e68d7752bbe92fe1b6df12d812551
- SHA256
  
  d2c20282d6e5dbff38c00df745f19f2457baf53cb5ee30c02979029fa04e0ddb
- SHA512
  
  53e4dadbe3b69cca3efa76f4da781f15d5624e5a22f269ba75af324e89aefe391243197197fd7b0510e3b56ea21a33875e5e18272e824f55e16cdd26b05370f1
- SSDEEP
  
  384:F0XJ7Tpbtqh4RbDEoiKdSSjGTENTMV9Kyue:i5btqCLiKdSSjOENT89p
Score

1^/10
behavioral15
- Target
  
  $PLUGINSDIR/nsExec.dll
- Size
  
  6KB
- MD5
  
  e54eb27fb5048964e8d1ec7a1f72334b
- SHA1
  
  2b76d7aedafd724de96532b00fbc6c7c370e4609
- SHA256
  
  ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824
- SHA512
  
  c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4
- SSDEEP
  
  96:57GUb+YNfwgcr8zyKwZ5S4JxN8BS0ef9/3VI9d0qqyVgN532E:VKgfwgcr8zylsB49Ud0qJVgNQ
Score

3^/10

discovery
behavioral16