modiloader | 0d6e873aa8faee0a896e6ac7679a216585933bc29bdd2c1bc006ce56a6e86818

Analysis

max time kernel
141s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-03-2024 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RAT/NetWire.exe
Size

1.2MB
MD5

7621f79a7f66c25ad6c636d5248abeb9
SHA1

98304e41f82c3aee82213a286abdee9abf79bcce
SHA256

086d35f26bd2fd886e99744960b394d94e74133c40145a3e2bc6b3877b91ec5d
SHA512

59ffcf6eeac00c089e9c77192663d0dc97b2e62cedb6d64fe7dc2e67499abc34e33977e05113c9d39ca6d3e37e8b5c3e6aa926c8526215808b147c0152f7dbfd
SSDEEP

24576:nBlDgE7EmXWAqSvg439vGSVNe1/hqIiHSvd7:n7DlC+GSjiBiyF

Score

10^/10

modiloader netwire botnet persistence rat stealer trojan

Malware Config

Extracted

Family

modiloader

https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download

Extracted

Family

netwire

tamerimia.ug:6975

vbchjfssdfcxbcver.ru:6975

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
AAAAA
lock_executable
false
mutex
CQbRXVuG
offline_keylogger
false
password
jhbkdcfgvdfgknl
registry_autorun
false
use_mutex
true

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral13/memory/3784-5386-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral13/memory/3784-5435-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

ModiLoader First Stage 2 IoCs

Processes:

resource	yara_rule
behavioral13/memory/2744-4215-0x0000000010410000-0x000000001047E000-memory.dmp	modiloader_stage1
behavioral13/memory/2744-4258-0x0000000010410000-0x000000001047E000-memory.dmp	modiloader_stage1

Executes dropped EXE 2 IoCs

Processes:

fodhelper.exefodhelper.exe

pid process

1828 fodhelper.exe
1480 fodhelper.exe

pid	process
1828	fodhelper.exe
1480	fodhelper.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NetWire.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Qspt = "C:\\Users\\Admin\\AppData\\Local\\Qspt\\Qspt.hta"	NetWire.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

2 drive.google.com
3 drive.google.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

NetWire.exe

description pid process target process

PID 2744 set thread context of 3784 2744 NetWire.exe ieinstal.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

3712 reg.exe
3776 reg.exe
4032 reg.exe

flow	ioc
2	drive.google.com
3	drive.google.com

description	pid	process	target process
PID 2744 set thread context of 3784	2744	NetWire.exe	ieinstal.exe

pid	process
3712	reg.exe
3776	reg.exe
4032	reg.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

NetWire.exe

description	pid	process	target process
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe
PID 2208 wrote to memory of 2744	2208	NetWire.exe	NetWire.exe

C:\Users\Admin\AppData\Local\Temp\RAT\NetWire.exe
"C:\Users\Admin\AppData\Local\Temp\RAT\NetWire.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Users\Admin\AppData\Local\Temp\RAT\NetWire.exe
"C:\Users\Admin\AppData\Local\Temp\RAT\NetWire.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2744

C:\Windows\SysWOW64\Notepad.exe
C:\Windows\System32\Notepad.exe
3⤵
PID:3324

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\Natso.bat" "
4⤵
PID:3716

C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
5⤵
- Modifies registry key
PID:3712

C:\Windows\SysWOW64\reg.exe
reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "
5⤵
- Modifies registry key
PID:3776

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
5⤵
PID:3800

C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
5⤵
- Modifies registry key
PID:4032

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\Runex.bat" "
4⤵
PID:2716

C:\Windows \System32\fodhelper.exe
"C:\Windows \System32\fodhelper.exe"
5⤵
- Executes dropped EXE
PID:1828

C:\Windows \System32\fodhelper.exe
"C:\Windows \System32\fodhelper.exe"
5⤵
- Executes dropped EXE
PID:1480

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
3⤵
PID:3784

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Natso.bat
Filesize
283B

MD5
5cc1682955fd9f5800a8f1530c9a4334

SHA1
e09b6a4d729f2f4760ee42520ec30c3192c85548

SHA256
5562cc607d2f698327efacc4a21bd079bb14a99b03e7a01b3c67f8440e341cb3

SHA512
80767263aad44c739236161d4338d5dd8b0b58613f22cd173c3e88ebf143220ee56bbf93ace69a07d3c2f00daff0adbaa8461a1d53d12699725395c931c43cb6

Download Submit
C:\Users\Public\Runex.bat
Filesize
226B

MD5
f6828e22e6abe87c624e4683fac5889b

SHA1
b93d63354d4ddb226dab90955576a6d2cad05ba0

SHA256
e1b1884353a51436f90dfed9f85ed9dd98fccfbd13dee7aa54fd901f77fe5e9c

SHA512
26afb36afcb3f286b85ebd72061e26f84c33075d3d0767cc93f50ec414a85838c86049e0c56ff43011d1a309b98ae355cbe412203429ac243010dc971ac81ec1

Download Submit
C:\Users\Public\fodhelper.exe
Filesize
46KB

MD5
7215c73ec1aae35b9e4b1f22c811f85c

SHA1
98551f5184691b65dceba531c4e4975d77cd25a5

SHA256
7e80da8d839dcf05e30317256460ed7a4ee25cab2750d768569aaab35e1e8c64

SHA512
b68eed48dbd32e485fd56b952e3e642f25f1eefe26ea533b13857e225272ee9668c39552284a438175a323d1685a80d9f878ef0637b5d928bb1e1ed1ac505d61

Download Submit
C:\Users\Public\propsys.dll
Filesize
108KB

MD5
487766bf2f0add388cb123d1ef7ece46

SHA1
766564c04d9e8a6745baa2ad28da5d68ad1d79bf

SHA256
fa5d5f9bd3a3aece8941e52a00d05db8910d3332f4f276bc03663c7944ae11cb

SHA512
3b5c285c4eb749c5e34405b38e146e9fc3fe28c535ee12c4e0f075e167768f37b588e50c2dbd43a27b67b11e7483ad51fcd6b6e7638059dd40bc303c664a8a7e

Download Submit
memory/2208-0-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2716-5425-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/2744-8-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2744-4258-0x0000000010410000-0x000000001047E000-memory.dmp

Filesize
440KB

Download
memory/2744-4215-0x0000000010410000-0x000000001047E000-memory.dmp

Filesize
440KB

Download
memory/2744-2-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2744-17-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/3324-4260-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/3324-5357-0x0000000010480000-0x00000000104C4000-memory.dmp

Filesize
272KB

Download
memory/3324-4294-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/3324-4230-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/3324-4227-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/3324-5431-0x0000000010480000-0x00000000104C4000-memory.dmp

Filesize
272KB

Download
memory/3324-5440-0x0000000010480000-0x00000000104C4000-memory.dmp

Filesize
272KB

Download
memory/3784-5386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3784-5435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download