modiloader | 56a571913ec8c7c4e9c936ac2625f36478147528542a2e291d6ad2cc4a7aab58

General

Target

RFQPR2000293356.exe
Size

1.0MB
MD5

4776632e3c4a24e4a0d8a63061070c24
SHA1

b3c83263ddca61d29b5b2e3351bc23a40b4116ea
SHA256

56a571913ec8c7c4e9c936ac2625f36478147528542a2e291d6ad2cc4a7aab58
SHA512

4e0bbceaec5e8269b0431c19a9451985eb83631d162222544715554e099383a7bdedff0ad69a8edb42ba3d4783751a7d44aec1f8032dc563e5d55f7ac63660f3

Score

10^/10

modiloader netwire botnet persistence stealer trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

ServiceHost packer 2 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/452-11-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/452-14-0x0000000000000000-mapping.dmp	servicehost

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RFQPR2000293356.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Elyl = "C:\\Users\\Admin\\AppData\\Local\\lylE.url"	RFQPR2000293356.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RFQPR2000293356.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	RFQPR2000293356.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RFQPR2000293356.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

RFQPR2000293356.exe

description	pid	process	target process
PID 4804 wrote to memory of 452	4804	RFQPR2000293356.exe	ieinstal.exe
PID 4804 wrote to memory of 452	4804	RFQPR2000293356.exe	ieinstal.exe
PID 4804 wrote to memory of 452	4804	RFQPR2000293356.exe	ieinstal.exe
PID 4804 wrote to memory of 452	4804	RFQPR2000293356.exe	ieinstal.exe
PID 4804 wrote to memory of 452	4804	RFQPR2000293356.exe	ieinstal.exe
PID 4804 wrote to memory of 452	4804	RFQPR2000293356.exe	ieinstal.exe
PID 4804 wrote to memory of 452	4804	RFQPR2000293356.exe	ieinstal.exe
PID 4804 wrote to memory of 452	4804	RFQPR2000293356.exe	ieinstal.exe
PID 4804 wrote to memory of 452	4804	RFQPR2000293356.exe	ieinstal.exe
PID 4804 wrote to memory of 452	4804	RFQPR2000293356.exe	ieinstal.exe
PID 4804 wrote to memory of 452	4804	RFQPR2000293356.exe	ieinstal.exe
PID 4804 wrote to memory of 452	4804	RFQPR2000293356.exe	ieinstal.exe
PID 4804 wrote to memory of 452	4804	RFQPR2000293356.exe	ieinstal.exe
PID 4804 wrote to memory of 452	4804	RFQPR2000293356.exe	ieinstal.exe
PID 4804 wrote to memory of 452	4804	RFQPR2000293356.exe	ieinstal.exe

C:\Users\Admin\AppData\Local\Temp\RFQPR2000293356.exe
"C:\Users\Admin\AppData\Local\Temp\RFQPR2000293356.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4804

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
2⤵
PID:452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/452-7-0x0000000000000000-mapping.dmp

Download
memory/452-6-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/452-8-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/452-9-0x0000000000000000-mapping.dmp

Download
memory/452-11-0x0000000000000000-mapping.dmp

Download
memory/452-13-0x0000000002C50000-0x0000000002C51000-memory.dmp

Filesize
4KB

Download
memory/452-14-0x0000000000000000-mapping.dmp

Download
memory/4804-2-0x0000000002750000-0x00000000027B5000-memory.dmp

Filesize
404KB

Download
memory/4804-4-0x0000000004850000-0x000000000489D000-memory.dmp

Filesize
308KB

Download
memory/4804-12-0x0000000010550000-0x0000000010586000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads