modiloader | 43d217bd9afb270a687f6eded8015879286c309abffe411c3af9bcc1805f340c | Triage

Sharing

General

Target

be2fa311c0f0bc777b15840c76d527fe.exe
Size

1.6MB
Sample

250222-hxtlfa1mcm
MD5

be2fa311c0f0bc777b15840c76d527fe
SHA1

b4b1c5c4eb2fd90ab55c0412366395509e4c3b32
SHA256

43d217bd9afb270a687f6eded8015879286c309abffe411c3af9bcc1805f340c
SHA512

43ffc9c72c66fe3cbd6cd0c67e2f26252d559f62417af50ed01d9572d47d23460bd4d020d8e4f7615783489ad6d0ec10a17e081d2b1d731e396bb18158a3622c
SSDEEP

24576:QE84EOnPNsjP6NUlwSX+R3qOV50H76o8p7/i+c5ST:QRqUlT/OV5kK0+c5W

Score

10^/10

modiloader vipkeylogger discovery keylogger persistence stealer trojan

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7741549877:AAGvFhZZl3oxTcYaKtJFu52Jb5_V7o5wbi0/sendMessage?chat_id=1224745150

Targets

- Target
  
  be2fa311c0f0bc777b15840c76d527fe.exe
- Size
  
  1.6MB
- MD5
  
  be2fa311c0f0bc777b15840c76d527fe
- SHA1
  
  b4b1c5c4eb2fd90ab55c0412366395509e4c3b32
- SHA256
  
  43d217bd9afb270a687f6eded8015879286c309abffe411c3af9bcc1805f340c
- SHA512
  
  43ffc9c72c66fe3cbd6cd0c67e2f26252d559f62417af50ed01d9572d47d23460bd4d020d8e4f7615783489ad6d0ec10a17e081d2b1d731e396bb18158a3622c
- SSDEEP
  
  24576:QE84EOnPNsjP6NUlwSX+R3qOV50H76o8p7/i+c5ST:QRqUlT/OV5kK0+c5W
Score

10^/10

discovery modiloader vipkeylogger keylogger persistence stealer trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modiloader family
  modiloader
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- ModiLoader Second Stage
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

modiloadervipkeyloggerdiscoverykeyloggerpersistencestealertrojan