modiloader | 06862bd815afb961a4dd3aa604744d9bb553bc9f111dd87c221430c8f5e3ef9c

General

Target

Proforma Invoice attached.exe
Size

805KB
MD5

dab7cc983ca9542bd96062d675128a57
SHA1

13d832f3e6a884dfee1b05c4fe9ab7f754c8607c
SHA256

e399bdc24cb76e8ebdfef7bba94b18031fe0b4fd3664fcad763e77b1e4b2da86
SHA512

de268296462fe12039fc316b4674b4bc20e4ad4140e198ea5f8fc38d42e7434c8ba4e47b76b5cebad4b692e828a7d0423f1b01ebf7cefbb7abfc52f05f0697e3
SSDEEP

12288:29Id6OrPwqTQAwBTTvY0Z3l9+P/bnqvPPOmWnADUcHjNEU:29XyTFwtTpZ1E32POM7m

Score

10^/10

modiloader xloader uj3c loader persistence rat trojan

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

uj3c

Decoy

copimetro.com

choonchain.com

luxxwireless.com

fashionweekofcincinnati.com

campingshare.net

suncochina.com

kidsfundoor.com

testingnyc.co

lovesoe.com

vehiclesbeenrecord.com

socialpearmarketing.com

maxproductdji.com

getallarticle.online

forummind.com

arenamarenostrum.com

trisuaka.xyz

designgamagazine.com

chateaulehotel.com

huangse5.com

esginvestment.tech

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4680-134-0x00000000023B0000-0x00000000023E2000-memory.dmp	modiloader_stage2

Xloader payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4680-142-0x0000000010410000-0x000000001043B000-memory.dmp	xloader
behavioral2/memory/1480-149-0x0000000010410000-0x000000001043B000-memory.dmp	xloader
behavioral2/memory/3264-157-0x00000000006A0000-0x00000000006CB000-memory.dmp	xloader
behavioral2/memory/3264-159-0x00000000006A0000-0x00000000006CB000-memory.dmp	xloader

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

58 3264 rundll32.exe
Executes dropped EXE 1 IoCs

Processes:

hsoloqgU.pif

pid process

1480 hsoloqgU.pif

flow	pid	process
58	3264	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Proforma Invoice attached.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ugqolosh = "C:\\Users\\Public\\Libraries\\hsoloqgU.url"	Proforma Invoice attached.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

hsoloqgU.pifrundll32.exe

description	pid	process	target process
PID 1480 set thread context of 3216	1480	hsoloqgU.pif	Explorer.EXE
PID 3264 set thread context of 3216	3264	rundll32.exe	Explorer.EXE

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	19	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	20	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	23	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

hsoloqgU.pifrundll32.exe

pid	process
1480	hsoloqgU.pif
1480	hsoloqgU.pif
1480	hsoloqgU.pif
1480	hsoloqgU.pif
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe
3264	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3216 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

hsoloqgU.pifrundll32.exe

pid process

1480 hsoloqgU.pif
1480 hsoloqgU.pif
1480 hsoloqgU.pif
3264 rundll32.exe
3264 rundll32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

hsoloqgU.pifrundll32.exe

description pid process

Token: SeDebugPrivilege 1480 hsoloqgU.pif
Token: SeDebugPrivilege 3264 rundll32.exe

pid	process
3216	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1480	hsoloqgU.pif
Token: SeDebugPrivilege	3264	rundll32.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Proforma Invoice attached.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 4680 wrote to memory of 1480	4680	Proforma Invoice attached.exe	hsoloqgU.pif
PID 4680 wrote to memory of 1480	4680	Proforma Invoice attached.exe	hsoloqgU.pif
PID 4680 wrote to memory of 1480	4680	Proforma Invoice attached.exe	hsoloqgU.pif
PID 4680 wrote to memory of 1480	4680	Proforma Invoice attached.exe	hsoloqgU.pif
PID 4680 wrote to memory of 1480	4680	Proforma Invoice attached.exe	hsoloqgU.pif
PID 4680 wrote to memory of 1480	4680	Proforma Invoice attached.exe	hsoloqgU.pif
PID 3216 wrote to memory of 3264	3216	Explorer.EXE	rundll32.exe
PID 3216 wrote to memory of 3264	3216	Explorer.EXE	rundll32.exe
PID 3216 wrote to memory of 3264	3216	Explorer.EXE	rundll32.exe
PID 3264 wrote to memory of 2640	3264	rundll32.exe	cmd.exe
PID 3264 wrote to memory of 2640	3264	rundll32.exe	cmd.exe
PID 3264 wrote to memory of 2640	3264	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3216

C:\Users\Admin\AppData\Local\Temp\Proforma Invoice attached.exe
"C:\Users\Admin\AppData\Local\Temp\Proforma Invoice attached.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4680

C:\Users\Public\Libraries\hsoloqgU.pif
"C:\Users\Public\Libraries\hsoloqgU.pif"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3264

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Public\Libraries\hsoloqgU.pif"
3⤵
PID:2640

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\hsoloqgU.pif
Filesize
66KB

MD5
c116d3604ceafe7057d77ff27552c215

SHA1
452b14432fb5758b46f2897aeccd89f7c82a727d

SHA256
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

SHA512
9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

Download Submit
C:\Users\Public\Libraries\hsoloqgU.pif
Filesize
66KB

MD5
c116d3604ceafe7057d77ff27552c215

SHA1
452b14432fb5758b46f2897aeccd89f7c82a727d

SHA256
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

SHA512
9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

Download Submit
memory/1480-150-0x0000000002470000-0x0000000002481000-memory.dmp

Filesize
68KB

Download
memory/1480-143-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1480-148-0x0000000002500000-0x000000000284A000-memory.dmp

Filesize
3.3MB

Download
memory/1480-149-0x0000000010410000-0x000000001043B000-memory.dmp

Filesize
172KB

Download
memory/1480-154-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3216-151-0x00000000027D0000-0x0000000002939000-memory.dmp

Filesize
1.4MB

Download
memory/3216-165-0x0000000008610000-0x0000000008798000-memory.dmp

Filesize
1.5MB

Download
memory/3216-163-0x0000000008610000-0x0000000008798000-memory.dmp

Filesize
1.5MB

Download
memory/3216-162-0x0000000008610000-0x0000000008798000-memory.dmp

Filesize
1.5MB

Download
memory/3264-157-0x00000000006A0000-0x00000000006CB000-memory.dmp

Filesize
172KB

Download
memory/3264-153-0x0000000000C30000-0x0000000000C44000-memory.dmp

Filesize
80KB

Download
memory/3264-156-0x0000000000C30000-0x0000000000C44000-memory.dmp

Filesize
80KB

Download
memory/3264-158-0x00000000025D0000-0x000000000291A000-memory.dmp

Filesize
3.3MB

Download
memory/3264-159-0x00000000006A0000-0x00000000006CB000-memory.dmp

Filesize
172KB

Download
memory/3264-161-0x00000000023F0000-0x0000000002480000-memory.dmp

Filesize
576KB

Download
memory/4680-133-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/4680-141-0x0000000010410000-0x000000001043B000-memory.dmp

Filesize
172KB

Download
memory/4680-134-0x00000000023B0000-0x00000000023E2000-memory.dmp

Filesize
200KB

Download
memory/4680-136-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/4680-142-0x0000000010410000-0x000000001043B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads