Modiloader From Obfuscated Batch File
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY :
An investigation of a file named 'Albertsons_payment.GZ' revealed a sophisticated malware delivery chain. The file, initially disguised as an image, was actually a Windows Cabinet file containing an obfuscated batch script. This script employed string slicing techniques to reconstruct commands and used LOLbins like extrac32.exe to evade detection. The payload, identified as Modiloader, a Delphi-based malware, was extracted using certutil.exe. The final stage attempted to fetch additional content from a URL, but failed in the analysis environment. This attack demonstrates the use of complex obfuscation and living-off-the-land techniques to deliver malware.
OPENCTI LABELS :
obfuscation,modiloader
Open in NetmanageIT OpenCTI Public Instance with below link!
Use public read only username and password on login page.
NOTE : Use Public READ only user credentials on login page banner.
Modiloader From Obfuscated Batch File