modiloader | abe7301bf2f32f652c0317068168387a2828f27d1c755e2fda2336c0208c7477 | Triage

Sharing

General

Target

abe7301bf2f32f652c0317068168387a2828f27d1c755e2fda2336c0208c7477N
Size

1.3MB
Sample

241004-3k4k4aserl
MD5

0d0e5d826209927eb07f4e393eff6f90
SHA1

0cc3c1a211c87f4b13aea8a53b043dcdc0a375d9
SHA256

abe7301bf2f32f652c0317068168387a2828f27d1c755e2fda2336c0208c7477
SHA512

7750dfff7fe5138c8850e2141cd1e7b7c44b95a7693c82056bdf9372bea7033ce93b4ec558533afdefb63d99885822f2c9dda4e18cfc7fa3ee266c9663fdd0f3
SSDEEP

24576:L8EX1B+OLhKrDdPGrevewoRpaK8ui+8qG7Edy3+0:9Brm685j3+0

Score

10^/10

modiloader njrat vnhax discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

vnhax

C2

fr3onm9r.ddns.net:5566

Mutex

dae31c02cb06222e776b9ccb9207edb1

Attributes

reg_key
dae31c02cb06222e776b9ccb9207edb1
splitter
|'|'|

Targets

- Target
  
  abe7301bf2f32f652c0317068168387a2828f27d1c755e2fda2336c0208c7477N
- Size
  
  1.3MB
- MD5
  
  0d0e5d826209927eb07f4e393eff6f90
- SHA1
  
  0cc3c1a211c87f4b13aea8a53b043dcdc0a375d9
- SHA256
  
  abe7301bf2f32f652c0317068168387a2828f27d1c755e2fda2336c0208c7477
- SHA512
  
  7750dfff7fe5138c8850e2141cd1e7b7c44b95a7693c82056bdf9372bea7033ce93b4ec558533afdefb63d99885822f2c9dda4e18cfc7fa3ee266c9663fdd0f3
- SSDEEP
  
  24576:L8EX1B+OLhKrDdPGrevewoRpaK8ui+8qG7Edy3+0:9Brm685j3+0
Score

10^/10

modiloader njrat vnhax discovery persistence trojan evasion privilege_escalation
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- ModiLoader Second Stage
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

modiloadernjratvnhaxdiscoverypersistencetrojan

behavioral2

modiloaderdiscoveryevasionpersistenceprivilege_escalationtrojan