Overview

overview

10

Static

static

10

f8fc925d89...in.dll

windows7_x64

10

f8fc925d89...in.dll

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    11-01-2022 16:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f8fc925d89baa140c9cb436f158ec91209789e9f8e82a0b7252f05587ce8e06f.bin.dll

  • Size

    269KB

  • MD5

    2a4b62f495027dfb6f7549ca7ed7f47b

  • SHA1

    47f6c5aea3b9724f143125f97bf9e8b72faf1a38

  • SHA256

    f8fc925d89baa140c9cb436f158ec91209789e9f8e82a0b7252f05587ce8e06f

  • SHA512

    cc56c0448a138eca87a7fdce1cef67932ff868ea31ead0e342d3f265f92f4b9f91023d3fc01f7123149be469ccbaa2f2fdef950f9336557956ef10b4f36e4f9f

Score
10/10
modiloaderxloadern8rnloaderpersistenceratsuricatatrojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

n8rn

Decoy

jlvip1066.com

gconsultingfirm.com

foundergomwef.xyz

bredaslo.com

ethereumpets.com

buddymerrillmusic.com

archdeylemmergay.com

particulares-es.icu

gb2022-club.com

babypasal.com

mlikew.com

mskindi.com

securewalletvalidate.com

billstrasse24.com

ritebet388.com

nuhive.net

nekomediphile.com

jaynelsonphotog.com

writerpilotpublishing.store

taquerialoteria.com

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • ModiLoader Second Stage 1 IoCs
  • Xloader Payload 2 IoCs
    rat
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Modifies registry key 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:396
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\f8fc925d89baa140c9cb436f158ec91209789e9f8e82a0b7252f05587ce8e06f.bin.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3436
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\f8fc925d89baa140c9cb436f158ec91209789e9f8e82a0b7252f05587ce8e06f.bin.dll,#1
        3⤵
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3408
        • C:\Windows\SysWOW64\DpiScaling.exe
          C:\Windows\System32\DpiScaling.exe
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:4092
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Trast.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3148
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4040
            • C:\Windows\SysWOW64\reg.exe
              reg delete hkcu\Environment /v windir /f
              6⤵
              • Modifies registry key
              PID:4312
            • C:\Windows\SysWOW64\reg.exe
              reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "
              6⤵
              • Modifies registry key
              PID:4260
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
              6⤵
                PID:4232
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Public\nest.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4352
            • C:\Windows\SysWOW64\reg.exe
              reg delete hkcu\Environment /v windir /f
              5⤵
              • Modifies registry key
              PID:784
      • C:\Windows\SysWOW64\mstsc.exe
        "C:\Windows\SysWOW64\mstsc.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:4376

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/396-135-0x0000000006380000-0x0000000006528000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/396-144-0x0000000006000000-0x0000000006158000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3408-121-0x0000000072481000-0x00000000724A9000-memory.dmp

      Filesize

      160KB

      Download

    • memory/3408-120-0x0000000072480000-0x0000000072481000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3408-119-0x00000000040C0000-0x0000000004108000-memory.dmp

      Filesize

      288KB

      Download

    • memory/4092-127-0x0000000000600000-0x0000000000601000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4092-132-0x00000000044B0000-0x00000000047D0000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/4092-131-0x0000000072480000-0x00000000724AA000-memory.dmp

      Filesize

      168KB

      Download

    • memory/4092-133-0x0000000072480000-0x00000000724AA000-memory.dmp

      Filesize

      168KB

      Download

    • memory/4092-134-0x0000000000B60000-0x0000000000B71000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4376-138-0x00000000027A0000-0x00000000027C9000-memory.dmp

      Filesize

      164KB

      Download

    • memory/4376-137-0x0000000000080000-0x000000000037C000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/4376-139-0x0000000004680000-0x00000000049A0000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/4376-143-0x00000000044E0000-0x0000000004570000-memory.dmp

      Filesize

      576KB

      Download