Extracted

• • Target

    king.exe

  • Size

    834KB

  • MD5

    0763cd65f6b5702458494123e97f2749

  • SHA1

    655386a271c50570c47d9ce909f10de1719e3cc6

  • SHA256

    35af2e0e56a27587170e0f093d625a6123e49af4ea8b939c30ccd9fd8e69a2ed

  • SHA512

    b7578ef326ebac1543af02daafcb873b921d3c93c533ee70b73ba30d320db1b84d4a34c0e6403cf98785eae5cea69948feb3282c7ae9d29774cf395957650d02

  • SSDEEP

    12288:aAm99652dKVsiJ9Pu8BHTN3KxxcycdnawpVdAorkBK1zmQ7HDEKDmC/E:7oqcKmiJ88ZZsTzOlIWznHY

  Score

  10^/10

  modiloaderdiscoverytrojanpersistencespywarestealer

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader

  • Modiloader family

    modiloader

  • ModiLoader Second Stage

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2