Extracted

• • Target

    0009a5bb1bb1542c3663bc48457b7391c940ad8284d92996fa8a058fc4b5a8cc.exe

  • Size

    1.8MB

  • MD5

    f6118d60f7bf36f088b6b7a2c27624fb

  • SHA1

    7eff62e10421088c83d4c74fd8d4f54e145a6b97

  • SHA256

    0009a5bb1bb1542c3663bc48457b7391c940ad8284d92996fa8a058fc4b5a8cc

  • SHA512

    7e7a0bd571fc7719b951c3efbd38eb82235d1a2568b8c36b7cae4b09513fc77113531e0c88ec36a876ed6fdcedc55e25067b8a9ec2277f9441f75312a1957bff

  • SSDEEP

    49152:CWFuLZoC0CGIAOzi6UDCTDi6RTqOLSTb:CWFuLaQ7L8iDPMOLGb

  Score

  10^/10

  discoverymodiloadervipkeyloggercollectionkeyloggerpersistencespywarestealertrojan

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader

  • Modiloader family

    modiloader

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    stealerkeyloggervipkeylogger

  • Vipkeylogger family

    vipkeylogger

  • ModiLoader Second Stage

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2