Extracted

• • Target

    Adline-Order_New Material_Specification_Order_no_MGP8K804 ,pdf.cmd

  • Size

    2.6MB

  • MD5

    e9310ff7859997821cabdb77fa1fc48a

  • SHA1

    14162fb813665c6e33e4e96278f05489f89b7025

  • SHA256

    a5fd7ac848ce34637de12d1925e2ebcad0f5ab7e833b66933e4bcf6791d0ceb6

  • SHA512

    e40686cb59439ca252eefd5363701b37555a9ed59812c7af7833fb566e74cd260f30c7e14d9a41ca632e1642480d473827701937af8c00d9754cd6d3565cb6c9

  • SSDEEP

    24576:W1sg0bAvBbbTatN015Xp34cZY1cPXCn+RCN1DVkOUH01Si8nZhh2R1hIw/pZEGXE:W1svbAvBb7535k001SiMqpXXXcp

  Score

  10^/10

  modiloaderdiscoverypersistencetrojanstormkittyxwormratspywarestealer

  • Detect Xworm Payload

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader

  • Modiloader family

    modiloader

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Stormkitty family

    stormkitty

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • ModiLoader Second Stage

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Suspicious use of SetThreadContext

  behavioral1behavioral2