Extracted

• • Target

    malw.GZ

  • Size

    949KB

  • MD5

    e03958d8be1c86d13809017c9df1b774

  • SHA1

    3d064aa9ce1c26f0e0fff1251150467260fe87d8

  • SHA256

    9ad05e28fec2e97732380986f8b645298d6cce8c1e4e8ca27d3ddf89cc05426e

  • SHA512

    a3d8efc3e6b101303ff3eb712ce7222b5d7e42fc408f0f90013f08b72155fdb18a5ad6b896a40680d2eaeb460a0fcd2841bff81c925c611805598ace6bce781d

  • SSDEEP

    24576:x0v1fers4iESTpLQw/REdhakd0NCsoDqT0u5Twb2ZRIiIONNQVhM+h:+9AspLQw0hakdCCqTD5Twb2ZgONNUJ

  Score

  10^/10

  modiloaderdiscoverytrojanexecutionpersistencespywarestealer

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader

  • Modiloader family

    modiloader

  • ModiLoader Second Stage

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2