Extracted

Extracted

• • Target

    UNIROD-RFQ-010625001.cmd

  • Size

    1.1MB

  • MD5

    14640c06f8494da0aac5be1cb00865e0

  • SHA1

    3bec66d765e049fcb93f99b7ebf1d6a8f57366f9

  • SHA256

    2195099bea2aa33cf3a585bc1ac1c22ce10b2ca5bf8ea9cf0fe1e041cc9945ac

  • SHA512

    77b08c292c86ec2b989b36da656f161532c60a1a16cbd888b4700f227269f34e00be001883a4fb5c6e51cf485d72196aecef048a831665fd6eb45920772939da

  • SSDEEP

    24576:Gw6yj+R7ydItm/2uQAGYDKAVcpzWc4ctu:GDBR2KTYDKArc4Ku

  Score

  10^/10

  modiloaderdiscoverypersistencetrojanvipkeyloggercollectionkeyloggerspywarestealer

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader

  • Modiloader family

    modiloader

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    stealerkeyloggervipkeylogger

  • Vipkeylogger family

    vipkeylogger

  • ModiLoader Second Stage

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2