Modiloader From Obfuscated Batch File
Dec. 23, 2024, 3:17 p.m.
Description
An investigation of a file named 'Albertsons_payment.GZ' revealed a sophisticated malware delivery chain. The file, initially disguised as an image, was actually a Windows Cabinet file containing an obfuscated batch script. This script employed string slicing techniques to reconstruct commands and used LOLbins like extrac32.exe to evade detection. The payload, identified as Modiloader, a Delphi-based malware, was extracted using certutil.exe. The final stage attempted to fetch additional content from a URL, but failed in the analysis environment. This attack demonstrates the use of complex obfuscation and living-off-the-land techniques to deliver malware.
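The string-slicing obfuscation described above relies on cmd.exe's `%VAR:~start,len%` substring expansion: one `set` line defines an alphabet and every later token is stitched together one character at a time. The following is an added analyst helper, not code from the pulse or from the sample itself; it emulates that expansion (including negative indices) over a constructed batch fragment and flags reconstructed lines that invoke the LOLBins named in the description. Variable names, the alphabet string and the sample lines are all assumptions made up for the demonstration.

```python
import re

# %VAR:~start[,len]% substring expansions used by obfuscated batch files.
SLICE_RE = re.compile(r"%([^%:]+):~(-?\d+)(?:,(-?\d+))?%")
# set "NAME=VALUE" / set NAME=VALUE (single-line definitions only, no nesting).
SET_RE = re.compile(r'^\s*set\s+"?([^=\s"]+)=([^"\r\n]*)"?\s*$', re.IGNORECASE)
LOLBINS = ("certutil", "extrac32")

# Constructed sample: the alphabet variable plus two sliced-together commands.
SAMPLE = "\n".join([
    "@echo off",
    r'set "z=abcdefghijklmnopqrstuvwxyz0123456789 .\-"',
    "%z:~2,1%%z:~4,1%%z:~17,1%%z:~19,1%%z:~20,1%%z:~19,1%%z:~8,1%%z:~11,1%"
    "%z:~36,1%%z:~39,1%%z:~3,1%%z:~4,1%%z:~2,1%%z:~14,1%%z:~3,1%%z:~4,1%",
    "%z:~4,1%%z:~23,1%%z:~19,1%%z:~17,1%%z:~0,1%%z:~2,1%%z:~29,1%%z:~-12,1%",
])

def batch_slice(value, start, length=None):
    """Emulate cmd.exe %VAR:~start,len%: negative start counts from the end,
    negative len drops that many trailing characters, missing len means 'to end'."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if length is None:
        return value[start:]
    if length < 0:
        return value[start:max(n + length, 0)]
    return value[start:start + length]

def collect_sets(script):
    """Collect variable definitions; batch variable names are case-insensitive."""
    env = {}
    for line in script.splitlines():
        m = SET_RE.match(line)
        if m:
            env[m.group(1).lower()] = m.group(2)
    return env

def deobfuscate(script):
    """Replace every slice expansion with its resolved text; drop the set lines."""
    env = collect_sets(script)
    def repl(m):
        name = m.group(1).lower()
        if name not in env:
            return m.group(0)  # unknown variable: leave the token untouched
        length = int(m.group(3)) if m.group(3) is not None else None
        return batch_slice(env[name], int(m.group(2)), length)
    return "\n".join(SLICE_RE.sub(repl, ln) for ln in script.splitlines()
                     if not SET_RE.match(ln))

def flag_lolbins(deobfuscated):
    """Return (line_no, lolbin) pairs for reconstructed lines that invoke a LOLBin."""
    return [(i, name) for i, ln in enumerate(deobfuscated.splitlines(), 1)
            for name in LOLBINS if name in ln.lower()]
```

Running `flag_lolbins(deobfuscate(SAMPLE))` on the constructed fragment reveals the `certutil -decode` and `extrac32` invocations that a plain string search over the raw script would miss.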
Date
Published: Dec. 23, 2024, 1:25 p.m.
Created: Dec. 23, 2024, 1:25 p.m.
Modified: Dec. 23, 2024, 3:17 p.m.
Indicators
bc4cf21e25e9f429b8ea1fdc17061bc0eff0c1b44d83ff6c5da36c778ce62ade
baa12b649fddd77ef62ecd2b3169fab9bb5fbe78404175485f9a7fb48dc4456d
29bda570966cf934b38ff7b1613f9330709307405391ced5452bd9cc63736331
https://swamfoxinnc.com/233_Svcrhpjadgy
swamfoxinnc.com
Attack Patterns
Modiloader
T1553.002
T1059.003
T1218
T1105
T1036
T1140
T1027