modiloader | 3a0b0499401f4c77a799db828f6ffe6651eb355cef6f5df9c93a2d6b3b961ac2

Analysis

max time kernel
152s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fatura e vonuar e bashkangjitur.exe
Size

777KB
MD5

8bf3e429a207bdf60279f3076a85108f
SHA1

da48577ad55bf7c75893dea2306973ed3cad499c
SHA256

20722f90d97d84e6453888a294f2a6b8e62c15daf9da7b6e13649ffb95c2146f
SHA512

b56454134d55655d87e30309b965cfecdc2b516c5a2abf68f5a748d8c187fe1cd1581701b947f399d10f4b257bfda8208a638394a906f4bd6291c4063115b771
SSDEEP

12288:4aDW4pT3boLduwYh0H7/C+khXx7ogdmTOeIurz7MJUXbXzaHyCkonBcyrj:4ajVsLduwA0HLC+k7MgdmTRrl/ronBd

Score

10^/10

modiloader xloader euv4 loader persistence rat trojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

euv4

Decoy

anniebapartments.com

hagenbicycles.com

herbalist101.com

southerncorrosion.net

kuechenpruefer.com

tajniezdrzi.quest

segurofunerarioar.com

boardsandbeamsdecor.com

alifdanismanlik.com

pkem.top

mddc.clinic

handejqr.com

crux-at.com

awp.email

hugsforbubbs.com

cielotherepy.com

turkcuyuz.com

teamidc.com

lankasirinspa.com

68135.online

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1540-132-0x0000000000A20000-0x0000000000A4B000-memory.dmp	modiloader_stage2

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1540-136-0x0000000030410000-0x0000000030439000-memory.dmp	xloader

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fatura e vonuar e bashkangjitur.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gsizunxx = "C:\\Users\\Public\\Libraries\\xxnuzisG.url"	fatura e vonuar e bashkangjitur.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

fatura e vonuar e bashkangjitur.exe

pid process

1540 fatura e vonuar e bashkangjitur.exe
1540 fatura e vonuar e bashkangjitur.exe

pid	process
1540	fatura e vonuar e bashkangjitur.exe
1540	fatura e vonuar e bashkangjitur.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

fatura e vonuar e bashkangjitur.exe

description	pid	process	target process
PID 1540 wrote to memory of 4728	1540	fatura e vonuar e bashkangjitur.exe	wscript.exe
PID 1540 wrote to memory of 4728	1540	fatura e vonuar e bashkangjitur.exe	wscript.exe
PID 1540 wrote to memory of 4728	1540	fatura e vonuar e bashkangjitur.exe	wscript.exe

C:\Users\Admin\AppData\Local\Temp\fatura e vonuar e bashkangjitur.exe
"C:\Users\Admin\AppData\Local\Temp\fatura e vonuar e bashkangjitur.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\wscript.exe
C:\Windows\System32\wscript.exe
2⤵
PID:4728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1540-132-0x0000000000A20000-0x0000000000A4B000-memory.dmp

Filesize
172KB

Download
memory/1540-135-0x0000000030410000-0x0000000030439000-memory.dmp

Filesize
164KB

Download
memory/1540-136-0x0000000030410000-0x0000000030439000-memory.dmp

Filesize
164KB

Download
memory/4728-134-0x0000000000000000-mapping.dmp

Download