Modiloader From Obfuscated Batch File
Essential information
- Published
- 23/12/2024 13:25
- Modified
- 23/12/2024 15:17
- Tags
- 2024-12-23, modiloader, obfuscation
- Related entities
- 5 observables, 7 techniques (mitre), 1 malware
Description
An investigation of a file named 'Albertsons_payment.GZ' revealed a multi-stage malware delivery chain. The file, initially disguised as an image, was in fact a Windows Cabinet (CAB) file containing an obfuscated batch script. The script rebuilt its commands at runtime through string slicing (cmd.exe substring expansion of the form %VAR:~start,len%), so that no complete command string appears in the file as written, and it relied on LOLbins such as extrac32.exe to unpack content while evading detection. The payload, identified as Modiloader, a Delphi-based loader, was extracted with certutil.exe, another LOLbin. Because both binaries are signed Microsoft tools, detection has to rely on context (the cmd.exe parent, the command-line arguments and the output paths) rather than on the binaries themselves. The final stage attempted to fetch additional content from a URL but failed in the analysis environment. This attack demonstrates the use of layered obfuscation and living-off-the-land techniques to deliver malware.
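The following is an added example, not code from the diary or from the sample it analyses: a small static deobfuscator that emulates cmd.exe substring expansion (%VAR:~start,len%, including negative offsets and lengths) and replays the script's set statements in order, so the commands a sliced batch file rebuilds can be recovered without executing it. The batch script embedded in it is constructed for illustration and is not the Albertsons_payment.GZ script; the emulator is deliberately a simplification (no delayed expansion with !VAR!, no call, no %VAR:old=new% replacement, undefined variables treated as empty).

```python
"""Static deobfuscator for batch scripts that rebuild their commands from
%VAR:~start,len% substring expansions.  Added example, not the diary's code.
The SAMPLE script is constructed for illustration only."""
import re

# %NAME%, %NAME:~start%, %NAME:~start,len%  (start may be empty, both may be negative)
TOKEN = re.compile(r"%([A-Za-z_]\w*)(?::~(-?\d*)(?:,(-?\d+))?)?%")
# set VAR=value  or  set "VAR=value"  (the quoted form preserves leading/trailing spaces)
SET_LINE = re.compile(r'^\s*set\s+"?([A-Za-z_]\w*)=(.*?)"?\s*$', re.IGNORECASE)


def substring(value, start, length):
    """Emulate cmd.exe %VAR:~start,len% semantics.

    A negative start counts from the end of the string; a negative length
    means "stop that many characters before the end"."""
    n = len(value)
    if start < 0:
        start = max(0, n + start)
    start = min(start, n)
    if length is None:
        end = n
    elif length >= 0:
        end = min(n, start + length)
    else:
        end = max(start, n + length)
    return value[start:end]


def expand(line, env):
    """Expand every %...% token in one line using the current variable table."""
    def repl(m):
        name, start, length = m.group(1), m.group(2), m.group(3)
        value = env.get(name.upper())      # batch variable names are case-insensitive
        if value is None:
            return ""                      # simplification: undefined -> empty
        if start is None:
            return value                   # plain %VAR%
        return substring(value, int(start) if start else 0,
                         int(length) if length is not None else None)
    return TOKEN.sub(repl, line)


def deobfuscate(script):
    """Replay set statements in order and return the reconstructed command lines."""
    env, commands = {}, []
    for raw in script.splitlines():
        line = expand(raw, env)            # cmd.exe expands %...% before running the line
        m = SET_LINE.match(line)
        if m:
            env[m.group(1).upper()] = m.group(2)
            continue
        stripped = line.strip()
        if not stripped or stripped.lower() in ("@echo off", "echo off"):
            continue
        if stripped.lower().startswith(("rem ", "::")):
            continue
        commands.append(stripped)
    return commands


# Constructed sample: an alphabet variable sliced one character at a time,
# with negative offsets/lengths thrown in, the way sliced droppers do it.
SAMPLE = r'''@echo off
set "a=abcdefghijklmnopqrstuvwxyz0123456789"
set "b= .-/"
set "c=%a:~2,1%%a:~4,1%%a:~17,1%%a:~19,1%%a:~20,1%%a:~19,1%%a:~8,1%%a:~11,1%"
set "d=%a:~4,1%%a:~23,1%%a:~19,1%%a:~17,1%%a:~0,1%%a:~2,1%%a:~-7,1%%a:~-8,1%"
%d% /Y payload.cab
%c% %b:~2,1%decode stage1%b:~1,-2%txt stage2.exe
'''

if __name__ == "__main__":
    for cmd in deobfuscate(SAMPLE):
        print(cmd)
```

Running the block prints the two LOLbin invocations the sample hides (an extrac32.exe call and a certutil.exe -decode call), which is exactly what a detection engineer needs in order to write a command-line rule; the same function can be pointed at a real dropper by reading the .bat file into deobfuscate().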