modiloader | 7f354681e9ec602aef4dcdedfc3eb05a8f1a777b3691ae4d9d58e78240d49fe8

General

Target

yeni siparis listesi.exe
Size

816KB
MD5

6b0f23e56a98160ef61e1864227b0617
SHA1

08b5e21bce19e406d182478a67bad6462b86a887
SHA256

7f354681e9ec602aef4dcdedfc3eb05a8f1a777b3691ae4d9d58e78240d49fe8
SHA512

961da7bd43e5fdf0f411fc4634614191be3e4e928d21e4a0c16d45b3f9dc7fed79079fc7bd3aff57883a77c48874b3e28ea8e590d57c6ac83f0a6c74fc63de40
SSDEEP

12288:hvTirPykFC+EQpA7EOiidyVMmfP8DspvZFVphCF807ldv8gUwowEl52joHDL4wk:aPVFn/A7vsV/f6MvvV+maKN5RA

Score

10^/10

modiloader xloader uj3c loader persistence rat trojan

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

uj3c

Decoy

copimetro.com

choonchain.com

luxxwireless.com

fashionweekofcincinnati.com

campingshare.net

suncochina.com

kidsfundoor.com

testingnyc.co

lovesoe.com

vehiclesbeenrecord.com

socialpearmarketing.com

maxproductdji.com

getallarticle.online

forummind.com

arenamarenostrum.com

trisuaka.xyz

designgamagazine.com

chateaulehotel.com

huangse5.com

esginvestment.tech

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3036-132-0x0000000003040000-0x000000000306C000-memory.dmp	modiloader_stage2

Xloader payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3036-136-0x0000000010410000-0x000000001043B000-memory.dmp	xloader
behavioral2/memory/4924-142-0x0000000010410000-0x000000001043B000-memory.dmp	xloader
behavioral2/memory/3396-146-0x0000000000A50000-0x0000000000A7B000-memory.dmp	xloader
behavioral2/memory/3396-147-0x0000000000A50000-0x0000000000A7B000-memory.dmp	xloader

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

yeni siparis listesi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xidtkrwo = "C:\\Users\\Public\\Libraries\\owrktdiX.url"	yeni siparis listesi.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

iexpress.exeNETSTAT.EXE

description	pid	process	target process
PID 4924 set thread context of 2348	4924	iexpress.exe	Explorer.EXE
PID 3396 set thread context of 2348	3396	NETSTAT.EXE	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

3396 NETSTAT.EXE

pid	process
3396	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

yeni siparis listesi.exeiexpress.exeNETSTAT.EXE

pid	process
3036	yeni siparis listesi.exe
3036	yeni siparis listesi.exe
4924	iexpress.exe
4924	iexpress.exe
4924	iexpress.exe
4924	iexpress.exe
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE
3396	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2348 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

iexpress.exeNETSTAT.EXE

pid process

4924 iexpress.exe
4924 iexpress.exe
4924 iexpress.exe
3396 NETSTAT.EXE
3396 NETSTAT.EXE

pid	process
2348	Explorer.EXE

pid	process
4924	iexpress.exe
4924	iexpress.exe
4924	iexpress.exe
3396	NETSTAT.EXE
3396	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

iexpress.exeExplorer.EXENETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	4924	iexpress.exe
Token: SeShutdownPrivilege	2348	Explorer.EXE
Token: SeCreatePagefilePrivilege	2348	Explorer.EXE
Token: SeShutdownPrivilege	2348	Explorer.EXE
Token: SeCreatePagefilePrivilege	2348	Explorer.EXE
Token: SeDebugPrivilege	3396	NETSTAT.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

yeni siparis listesi.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 3036 wrote to memory of 4924	3036	yeni siparis listesi.exe	iexpress.exe
PID 3036 wrote to memory of 4924	3036	yeni siparis listesi.exe	iexpress.exe
PID 3036 wrote to memory of 4924	3036	yeni siparis listesi.exe	iexpress.exe
PID 3036 wrote to memory of 4924	3036	yeni siparis listesi.exe	iexpress.exe
PID 3036 wrote to memory of 4924	3036	yeni siparis listesi.exe	iexpress.exe
PID 3036 wrote to memory of 4924	3036	yeni siparis listesi.exe	iexpress.exe
PID 2348 wrote to memory of 3396	2348	Explorer.EXE	NETSTAT.EXE
PID 2348 wrote to memory of 3396	2348	Explorer.EXE	NETSTAT.EXE
PID 2348 wrote to memory of 3396	2348	Explorer.EXE	NETSTAT.EXE
PID 3396 wrote to memory of 4780	3396	NETSTAT.EXE	cmd.exe
PID 3396 wrote to memory of 4780	3396	NETSTAT.EXE	cmd.exe
PID 3396 wrote to memory of 4780	3396	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348

C:\Users\Admin\AppData\Local\Temp\yeni siparis listesi.exe
"C:\Users\Admin\AppData\Local\Temp\yeni siparis listesi.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\SysWOW64\iexpress.exe
C:\Windows\System32\iexpress.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3396

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\iexpress.exe"
3⤵
PID:4780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2348-140-0x0000000002FD0000-0x00000000030C5000-memory.dmp

Filesize
980KB

Download
memory/2348-150-0x0000000008250000-0x0000000008310000-memory.dmp

Filesize
768KB

Download
memory/2348-149-0x0000000008250000-0x0000000008310000-memory.dmp

Filesize
768KB

Download
memory/3036-135-0x0000000010410000-0x000000001043B000-memory.dmp

Filesize
172KB

Download
memory/3036-136-0x0000000010410000-0x000000001043B000-memory.dmp

Filesize
172KB

Download
memory/3036-132-0x0000000003040000-0x000000000306C000-memory.dmp

Filesize
176KB

Download
memory/3396-146-0x0000000000A50000-0x0000000000A7B000-memory.dmp

Filesize
172KB

Download
memory/3396-141-0x0000000000000000-mapping.dmp

Download
memory/3396-144-0x0000000000A00000-0x0000000000A0B000-memory.dmp

Filesize
44KB

Download
memory/3396-145-0x0000000001440000-0x000000000178A000-memory.dmp

Filesize
3.3MB

Download
memory/3396-147-0x0000000000A50000-0x0000000000A7B000-memory.dmp

Filesize
172KB

Download
memory/3396-148-0x00000000011D0000-0x0000000001260000-memory.dmp

Filesize
576KB

Download
memory/4780-143-0x0000000000000000-mapping.dmp

Download
memory/4924-142-0x0000000010410000-0x000000001043B000-memory.dmp

Filesize
172KB

Download
memory/4924-139-0x00000000040D0000-0x00000000040E1000-memory.dmp

Filesize
68KB

Download
memory/4924-137-0x00000000041F0000-0x000000000453A000-memory.dmp

Filesize
3.3MB

Download
memory/4924-134-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads