{
  "name": "Modiloader From Obfuscated Batch File",
  "slug": "modiloader-from-obfuscated-batch-file",
  "description": "An investigation of a file named 'Albertsons_payment.GZ' revealed a sophisticated malware delivery chain. The file, initially disguised as an image, was actually a Windows Cabinet file containing an obfuscated batch script. This script employed string slicing techniques to reconstruct commands and used LOLbins like extrac32.exe to evade detection. The payload, identified as Modiloader, Delphi-based malware, was extracted using certutil.exe. The final stage attempted to fetch additional content from a URL but failed in the analysis environment. This attack demonstrates the use of complex obfuscation and living-off-the-land techniques to deliver malware.",
  "published": "2024-12-23T12:25:21+00:00",
  "created_at": "2024-12-23T12:25:21+00:00",
  "modified_at": "2024-12-23T14:17:05+00:00",
  "created_at_opencti": "2024-12-23T12:25:21+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-12-23",
    "modiloader",
    "obfuscation"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "https://swamfoxinnc.com/233_Svcrhpjadgy"
      },
      {
        "id": "",
        "name": "swamfoxinnc.com"
      },
      {
        "id": "",
        "name": "bc4cf21e25e9f429b8ea1fdc17061bc0eff0c1b44d83ff6c5da36c778ce62ade"
      },
      {
        "id": "",
        "name": "baa12b649fddd77ef62ecd2b3169fab9bb5fbe78404175485f9a7fb48dc4456d"
      },
      {
        "id": "",
        "name": "29bda570966cf934b38ff7b1613f9330709307405391ced5452bd9cc63736331"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:8ebc377659a50fb5",
        "name": "Modiloader",
        "slug": "modiloader"
      }
    ],
    "attack_patterns": [
      {
        "id": "c22b5073-f426-4294-98bb-219d17345158",
        "name": "T1553.002"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "a7262c61-4567-4a00-8cec-aae6264234a9",
        "name": "T1218"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      }
    ]
  },
  "external_refs": [
    "https://isc.sans.edu/diary/rss/31540",
    "https://otx.alienvault.com/pulse/676964c1fb7dba065286b495"
  ]
}