modiloader | 98f868900b27ba82ac18f919dc551ea15dc310813eb1538ebf2d0ab3afaa8328

General

Target

290321 de bon de commande,pdf.exe
Size

689KB
MD5

efa94719f0d14b3f8f330e5c7949dd2f
SHA1

6232070998c6d992941b4a5be9008efaf4af2370
SHA256

98f868900b27ba82ac18f919dc551ea15dc310813eb1538ebf2d0ab3afaa8328
SHA512

084f16cb4697e46744442c482c40a79f67262b2887087f3d21994aa24106d843ff7f4ecedfd4296e2922ccbcdfddb029a3130c6c493dfb1aa5b843e84f56acca

Score

10^/10

modiloader netwire botnet persistence stealer trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

290321 de bon de commande,pdf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nudxspy = "C:\\Users\\Public\\Libraries\\ypsxduN.url"	290321 de bon de commande,pdf.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

290321 de bon de commande,pdf.exe

description	pid	process	target process
PID 784 wrote to memory of 1476	784	290321 de bon de commande,pdf.exe	ieinstal.exe
PID 784 wrote to memory of 1476	784	290321 de bon de commande,pdf.exe	ieinstal.exe
PID 784 wrote to memory of 1476	784	290321 de bon de commande,pdf.exe	ieinstal.exe
PID 784 wrote to memory of 1476	784	290321 de bon de commande,pdf.exe	ieinstal.exe
PID 784 wrote to memory of 1476	784	290321 de bon de commande,pdf.exe	ieinstal.exe
PID 784 wrote to memory of 1476	784	290321 de bon de commande,pdf.exe	ieinstal.exe
PID 784 wrote to memory of 1476	784	290321 de bon de commande,pdf.exe	ieinstal.exe
PID 784 wrote to memory of 1476	784	290321 de bon de commande,pdf.exe	ieinstal.exe
PID 784 wrote to memory of 1476	784	290321 de bon de commande,pdf.exe	ieinstal.exe
PID 784 wrote to memory of 1476	784	290321 de bon de commande,pdf.exe	ieinstal.exe
PID 784 wrote to memory of 1476	784	290321 de bon de commande,pdf.exe	ieinstal.exe
PID 784 wrote to memory of 1476	784	290321 de bon de commande,pdf.exe	ieinstal.exe
PID 784 wrote to memory of 1476	784	290321 de bon de commande,pdf.exe	ieinstal.exe
PID 784 wrote to memory of 1476	784	290321 de bon de commande,pdf.exe	ieinstal.exe
PID 784 wrote to memory of 1476	784	290321 de bon de commande,pdf.exe	ieinstal.exe

C:\Users\Admin\AppData\Local\Temp\290321 de bon de commande,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\290321 de bon de commande,pdf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:784

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
2⤵
PID:1476

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/784-114-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/1476-115-0x0000000000000000-mapping.dmp

Download
memory/1476-117-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/1476-116-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/1476-118-0x0000000010550000-0x0000000010586000-memory.dmp

Filesize
216KB

Download
memory/1476-119-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/1476-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing