modiloader | f8fc925d89baa140c9cb436f158ec91209789e9f8e82a0b7252f05587ce8e06f

General

Target

f8fc925d89baa140c9cb436f158ec91209789e9f8e82a0b7252f05587ce8e06f.bin.dll
Size

269KB
MD5

2a4b62f495027dfb6f7549ca7ed7f47b
SHA1

47f6c5aea3b9724f143125f97bf9e8b72faf1a38
SHA256

f8fc925d89baa140c9cb436f158ec91209789e9f8e82a0b7252f05587ce8e06f
SHA512

cc56c0448a138eca87a7fdce1cef67932ff868ea31ead0e342d3f265f92f4b9f91023d3fc01f7123149be469ccbaa2f2fdef950f9336557956ef10b4f36e4f9f

Score

10^/10

modiloader xloader n8rn loader persistence rat suricata trojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

n8rn

Decoy

jlvip1066.com

gconsultingfirm.com

foundergomwef.xyz

bredaslo.com

ethereumpets.com

buddymerrillmusic.com

archdeylemmergay.com

particulares-es.icu

gb2022-club.com

babypasal.com

mlikew.com

mskindi.com

securewalletvalidate.com

billstrasse24.com

ritebet388.com

nuhive.net

nekomediphile.com

jaynelsonphotog.com

writerpilotpublishing.store

taquerialoteria.com

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1612-56-0x00000000001A0000-0x00000000001E8000-memory.dmp	modiloader_stage2

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/832-73-0x0000000072480000-0x00000000724AA000-memory.dmp	xloader
behavioral1/memory/1072-80-0x0000000000090000-0x00000000000B9000-memory.dmp	xloader

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wbjhzk = "C:\\Users\\Public\\Libraries\\\\kzhjbW.url"	rundll32.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

mobsync.execmstp.exe

description	pid	process	target process
PID 832 set thread context of 1228	832	mobsync.exe	Explorer.EXE
PID 1072 set thread context of 1228	1072	cmstp.exe	Explorer.EXE

Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

980 reg.exe
1900 reg.exe
1040 reg.exe

pid	process
980	reg.exe
1900	reg.exe
1040	reg.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

mobsync.execmstp.exe

pid	process
832	mobsync.exe
832	mobsync.exe
1072	cmstp.exe
1072	cmstp.exe
1072	cmstp.exe
1072	cmstp.exe
1072	cmstp.exe
1072	cmstp.exe
1072	cmstp.exe
1072	cmstp.exe
1072	cmstp.exe
1072	cmstp.exe
1072	cmstp.exe
1072	cmstp.exe
1072	cmstp.exe
1072	cmstp.exe
1072	cmstp.exe
1072	cmstp.exe
1072	cmstp.exe
1072	cmstp.exe
1072	cmstp.exe
1072	cmstp.exe
1072	cmstp.exe
1072	cmstp.exe
1072	cmstp.exe
1072	cmstp.exe
1072	cmstp.exe
1072	cmstp.exe
1072	cmstp.exe
1072	cmstp.exe
1072	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1228 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

mobsync.execmstp.exe

pid process

832 mobsync.exe
832 mobsync.exe
832 mobsync.exe
1072 cmstp.exe
1072 cmstp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

mobsync.execmstp.exe

description pid process

Token: SeDebugPrivilege 832 mobsync.exe
Token: SeDebugPrivilege 1072 cmstp.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1228 Explorer.EXE
1228 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1228 Explorer.EXE
1228 Explorer.EXE

pid	process
1228	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	832	mobsync.exe
Token: SeDebugPrivilege	1072	cmstp.exe

pid	process
1228	Explorer.EXE
1228	Explorer.EXE

pid	process
1228	Explorer.EXE
1228	Explorer.EXE

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

rundll32.exerundll32.execmd.execmd.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1660 wrote to memory of 1612	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 1612	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 1612	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 1612	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 1612	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 1612	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 1612	1660	rundll32.exe	rundll32.exe
PID 1612 wrote to memory of 832	1612	rundll32.exe	mobsync.exe
PID 1612 wrote to memory of 832	1612	rundll32.exe	mobsync.exe
PID 1612 wrote to memory of 832	1612	rundll32.exe	mobsync.exe
PID 1612 wrote to memory of 832	1612	rundll32.exe	mobsync.exe
PID 1612 wrote to memory of 832	1612	rundll32.exe	mobsync.exe
PID 1612 wrote to memory of 832	1612	rundll32.exe	mobsync.exe
PID 1612 wrote to memory of 832	1612	rundll32.exe	mobsync.exe
PID 1612 wrote to memory of 268	1612	rundll32.exe	cmd.exe
PID 1612 wrote to memory of 268	1612	rundll32.exe	cmd.exe
PID 1612 wrote to memory of 268	1612	rundll32.exe	cmd.exe
PID 1612 wrote to memory of 268	1612	rundll32.exe	cmd.exe
PID 268 wrote to memory of 1036	268	cmd.exe	cmd.exe
PID 268 wrote to memory of 1036	268	cmd.exe	cmd.exe
PID 268 wrote to memory of 1036	268	cmd.exe	cmd.exe
PID 268 wrote to memory of 1036	268	cmd.exe	cmd.exe
PID 1036 wrote to memory of 980	1036	cmd.exe	reg.exe
PID 1036 wrote to memory of 980	1036	cmd.exe	reg.exe
PID 1036 wrote to memory of 980	1036	cmd.exe	reg.exe
PID 1036 wrote to memory of 980	1036	cmd.exe	reg.exe
PID 1036 wrote to memory of 1900	1036	cmd.exe	reg.exe
PID 1036 wrote to memory of 1900	1036	cmd.exe	reg.exe
PID 1036 wrote to memory of 1900	1036	cmd.exe	reg.exe
PID 1036 wrote to memory of 1900	1036	cmd.exe	reg.exe
PID 1036 wrote to memory of 1972	1036	cmd.exe	schtasks.exe
PID 1036 wrote to memory of 1972	1036	cmd.exe	schtasks.exe
PID 1036 wrote to memory of 1972	1036	cmd.exe	schtasks.exe
PID 1036 wrote to memory of 1972	1036	cmd.exe	schtasks.exe
PID 1228 wrote to memory of 1072	1228	Explorer.EXE	cmstp.exe
PID 1228 wrote to memory of 1072	1228	Explorer.EXE	cmstp.exe
PID 1228 wrote to memory of 1072	1228	Explorer.EXE	cmstp.exe
PID 1228 wrote to memory of 1072	1228	Explorer.EXE	cmstp.exe
PID 1228 wrote to memory of 1072	1228	Explorer.EXE	cmstp.exe
PID 1228 wrote to memory of 1072	1228	Explorer.EXE	cmstp.exe
PID 1228 wrote to memory of 1072	1228	Explorer.EXE	cmstp.exe
PID 1612 wrote to memory of 1548	1612	rundll32.exe	cmd.exe
PID 1612 wrote to memory of 1548	1612	rundll32.exe	cmd.exe
PID 1612 wrote to memory of 1548	1612	rundll32.exe	cmd.exe
PID 1612 wrote to memory of 1548	1612	rundll32.exe	cmd.exe
PID 1548 wrote to memory of 1040	1548	cmd.exe	reg.exe
PID 1548 wrote to memory of 1040	1548	cmd.exe	reg.exe
PID 1548 wrote to memory of 1040	1548	cmd.exe	reg.exe
PID 1548 wrote to memory of 1040	1548	cmd.exe	reg.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f8fc925d89baa140c9cb436f158ec91209789e9f8e82a0b7252f05587ce8e06f.bin.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f8fc925d89baa140c9cb436f158ec91209789e9f8e82a0b7252f05587ce8e06f.bin.dll,#1
    3⤵
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Windows\SysWOW64\mobsync.exe
      C:\Windows\System32\mobsync.exe
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:832
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Public\Trast.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:268
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1036
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete hkcu\Environment /v windir /f
        6⤵
        Modifies registry key
        
        PID:980
      - C:\Windows\SysWOW64\reg.exe
        
        reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "
        6⤵
        Modifies registry key
        
        PID:1900
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
        6⤵
        
        PID:1972
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Public\nest.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1548
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete hkcu\Environment /v windir /f
        5⤵
        Modifies registry key
        
        PID:1040
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1516
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:976
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1872
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:396
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:820
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:1072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Trast.bat

MD5
4068c9f69fcd8a171c67f81d4a952a54

SHA1
4d2536a8c28cdcc17465e20d6693fb9e8e713b36

SHA256
24222300c78180b50ed1f8361ba63cb27316ec994c1c9079708a51b4a1a9d810

SHA512
a64f9319acc51fffd0491c74dcd9c9084c2783b82f95727e4bfe387a8528c6dcf68f11418e88f1e133d115daf907549c86dd7ad866b2a7938add5225fbb2811d

Download Submit
C:\Users\Public\UKO.bat

MD5
eaf8d967454c3bbddbf2e05a421411f8

SHA1
6170880409b24de75c2dc3d56a506fbff7f6622c

SHA256
f35f2658455a2e40f151549a7d6465a836c33fa9109e67623916f889849eac56

SHA512
fe5be5c673e99f70c93019d01abb0a29dd2ecf25b2d895190ff551f020c28e7d8f99f65007f440f0f76c5bcac343b2a179a94d190c938ea3b9e1197890a412e9

Download Submit
C:\Users\Public\nest.bat

MD5
8ada51400b7915de2124baaf75e3414c

SHA1
1a7b9db12184ab7fd7fce1c383f9670a00adb081

SHA256
45aa3957c29865260a78f03eef18ae9aebdbf7bea751ecc88be4a799f2bb46c7

SHA512
9afc138157a4565294ca49942579cdb6f5d8084e56f9354738de62b585f4c0fa3e7f2cbc9541827f2084e3ff36c46eed29b46f5dd2444062ffcd05c599992e68

Download Submit
memory/268-64-0x0000000000000000-mapping.dmp

Download
memory/832-67-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/832-75-0x0000000000230000-0x0000000000241000-memory.dmp

Filesize
68KB

Download
memory/832-60-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/832-59-0x0000000072480000-0x00000000724AA000-memory.dmp

Filesize
168KB

Download
memory/832-74-0x0000000001FA0000-0x00000000022A3000-memory.dmp

Filesize
3.0MB

Download
memory/832-73-0x0000000072480000-0x00000000724AA000-memory.dmp

Filesize
168KB

Download
memory/832-62-0x0000000000000000-mapping.dmp

Download
memory/832-68-0x0000000072480000-0x00000000724AA000-memory.dmp

Filesize
168KB

Download
memory/980-70-0x0000000000000000-mapping.dmp

Download
memory/1036-66-0x0000000000000000-mapping.dmp

Download
memory/1040-84-0x0000000000000000-mapping.dmp

Download
memory/1072-79-0x0000000000890000-0x00000000008A8000-memory.dmp

Filesize
96KB

Download
memory/1072-85-0x0000000000730000-0x00000000007C0000-memory.dmp

Filesize
576KB

Download
memory/1072-81-0x0000000001FD0000-0x00000000022D3000-memory.dmp

Filesize
3.0MB

Download
memory/1072-80-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/1072-77-0x0000000000000000-mapping.dmp

Download
memory/1228-86-0x0000000007310000-0x000000000744F000-memory.dmp

Filesize
1.2MB

Download
memory/1228-76-0x0000000006AC0000-0x0000000006BF4000-memory.dmp

Filesize
1.2MB

Download
memory/1548-82-0x0000000000000000-mapping.dmp

Download
memory/1612-56-0x00000000001A0000-0x00000000001E8000-memory.dmp

Filesize
288KB

Download
memory/1612-58-0x0000000072481000-0x00000000724A9000-memory.dmp

Filesize
160KB

Download
memory/1612-57-0x0000000072480000-0x0000000072481000-memory.dmp

Filesize
4KB

Download
memory/1612-55-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/1612-54-0x0000000000000000-mapping.dmp

Download
memory/1900-71-0x0000000000000000-mapping.dmp

Download
memory/1972-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads