modiloader | a129810aa792bb7ac1de6bb4eaa9db8fa1fd23bc649d9e0c6f17bbcb75405668

Analysis

max time kernel
142s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 02:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f.exe
Size

1.1MB
MD5

3958dafe982242ba8f1f7e7e825ec4a2
SHA1

39a4d7bae94362f847e27a74d6bdde9e67156151
SHA256

efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f
SHA512

84dc7972a23def2db184688e22a7d2a32b0aa574b521e63d180485eac38d154ed67c745b15e55de01990b009248316e05a118ed7d67b84024d890bf0e2664458
SSDEEP

24576:CA0ReRHP4+ngiPzZPQgBt9o/1bIhTmOLp:CUd+gBWbIhaO9

Score

10^/10

modiloader zgrat persistence rat spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.flowja.com
Port:
587
Username:
[email protected]
Password:
526242227

Signatures

Detect ZGRat V1 33 IoCs

Processes:

resource	yara_rule
behavioral2/memory/732-14-0x0000000049D60000-0x0000000049DBA000-memory.dmp	family_zgrat_v1
behavioral2/memory/732-18-0x0000000049F80000-0x0000000049FDA000-memory.dmp	family_zgrat_v1
behavioral2/memory/732-19-0x0000000049F80000-0x0000000049FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/732-36-0x0000000049F80000-0x0000000049FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/732-78-0x0000000049F80000-0x0000000049FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/732-76-0x0000000049F80000-0x0000000049FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/732-74-0x0000000049F80000-0x0000000049FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/732-72-0x0000000049F80000-0x0000000049FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/732-70-0x0000000049F80000-0x0000000049FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/732-68-0x0000000049F80000-0x0000000049FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/732-67-0x0000000049F80000-0x0000000049FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/732-64-0x0000000049F80000-0x0000000049FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/732-62-0x0000000049F80000-0x0000000049FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/732-60-0x0000000049F80000-0x0000000049FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/732-58-0x0000000049F80000-0x0000000049FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/732-56-0x0000000049F80000-0x0000000049FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/732-54-0x0000000049F80000-0x0000000049FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/732-52-0x0000000049F80000-0x0000000049FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/732-48-0x0000000049F80000-0x0000000049FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/732-46-0x0000000049F80000-0x0000000049FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/732-44-0x0000000049F80000-0x0000000049FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/732-42-0x0000000049F80000-0x0000000049FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/732-40-0x0000000049F80000-0x0000000049FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/732-38-0x0000000049F80000-0x0000000049FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/732-34-0x0000000049F80000-0x0000000049FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/732-32-0x0000000049F80000-0x0000000049FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/732-30-0x0000000049F80000-0x0000000049FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/732-28-0x0000000049F80000-0x0000000049FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/732-26-0x0000000049F80000-0x0000000049FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/732-24-0x0000000049F80000-0x0000000049FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/732-22-0x0000000049F80000-0x0000000049FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/732-20-0x0000000049F80000-0x0000000049FD3000-memory.dmp	family_zgrat_v1
behavioral2/memory/732-50-0x0000000049F80000-0x0000000049FD3000-memory.dmp	family_zgrat_v1

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/732-11-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2
behavioral2/memory/732-8-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

qhtzuahX.pif

pid process

732 qhtzuahX.pif
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
732	qhtzuahX.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xhauzthq = "C:\\Users\\Public\\Xhauzthq.url"	efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

29 api.ipify.org
30 api.ipify.org

flow	ioc
29	api.ipify.org
30	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f.exe

description	pid	process	target process
PID 536 set thread context of 732	536	efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f.exe	qhtzuahX.pif

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

qhtzuahX.pif

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8	qhtzuahX.pif
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8\Blob = 03000000010000001400000027ac9369faf25207bb2627cefaccbe4ef9c319b814000000010000001400000040c2bd278ecc348330a233d7fb6cb3f0b42c80ce04000000010000001000000096c25031bc0dc35cfba723731e1b41400f0000000100000020000000f9ff37f02e632cb7387025c07e57908a3d371b7c95d8cdd0390de231ed943a12190000000100000010000000ce63bdc595635c1c37b040b4e554bf565c00000001000000040000000008000018000000010000001000000021d008b47b7a2a81c8435903ded424c92000000001000000d4040000308204d0308203b8a003020102020107300d06092a864886f70d01010b0500308183310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e3131302f06035504031328476f20446164647920526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3131303530333037303030305a170d3331303530333037303030305a3081b4310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e312d302b060355040b1324687474703a2f2f63657274732e676f64616464792e636f6d2f7265706f7369746f72792f313330310603550403132a476f2044616464792053656375726520436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100b9e0cb10d4af76bdd49362eb3064b881086cc304d962178e2fff3e65cf8fce62e63c521cda16454b55ab786b63836290ce0f696c99c81a148b4ccc4533ea88dc9ea3af2bfe80619d7957c4cf2ef43f303c5d47fc9a16bcc3379641518e114b54f828bed08cbef030381ef3b026f86647636dde7126478f384753d1461db4e3dc00ea45acbdbc71d9aa6f00dbdbcd303a794f5f4c47f81def5bc2c49d603bb1b24391d8a4334eeab3d6274fad258aa5c6f4d5d0a6ae7405645788b54455d42d2a3a3ef8b8bde9320a029464c4163a50f14aaee77933af0c20077fe8df0439c269026c6352fa77c11bc87487c8b993185054354b694ebc3bd3492e1fdcc1d252fb0203010001a382011a30820116300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e0416041440c2bd278ecc348330a233d7fb6cb3f0b42c80ce301f0603551d230418301680143a9a8507106728b6eff6bd05416e20c194da0fde303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e676f64616464792e636f6d2f30350603551d1f042e302c302aa028a0268624687474703a2f2f63726c2e676f64616464792e636f6d2f6764726f6f742d67322e63726c30460603551d20043f303d303b0604551d20003033303106082b06010505070201162568747470733a2f2f63657274732e676f64616464792e636f6d2f7265706f7369746f72792f300d06092a864886f70d01010b05000382010100087e6c9310c838b896a9904bffa15f4f04ef6c3e9c8806c9508fa673f757311bbebce42fdbf8bad35be0b4e7e679620e0ca2d76a637331b5f5a848a43b082da25d90d7b47c254f115630c4b6449d7b2c9de55ee6ef0c61aabfe42a1bee849eb8837dc143ce44a713700d911ff4c813ad8360d9d872a873241eb5ac220eca17896258441bab892501000fcdc41b62db51b4d30f512a9bf4bc73fc76ce36a4cdd9d82ceaae9bf52ab290d14d75188a3f8a4190237d5b4bfea403589b46b2c3606083f87d5041cec2a190c3bbef022fd21554ee4415d90aaea78a33edb12d763626dc04eb9ff7611f15dc876fee469628ada1267d0a09a72e04a38dbcf8bc043001	qhtzuahX.pif

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	26	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	24	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

qhtzuahX.pif

pid process

732 qhtzuahX.pif
732 qhtzuahX.pif
732 qhtzuahX.pif
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

qhtzuahX.pif

description pid process

Token: SeDebugPrivilege 732 qhtzuahX.pif
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

qhtzuahX.pif

pid process

732 qhtzuahX.pif

pid	process
732	qhtzuahX.pif
732	qhtzuahX.pif
732	qhtzuahX.pif

description	pid	process
Token: SeDebugPrivilege	732	qhtzuahX.pif

pid	process
732	qhtzuahX.pif

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f.exe

description	pid	process	target process
PID 536 wrote to memory of 2068	536	efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f.exe	extrac32.exe
PID 536 wrote to memory of 2068	536	efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f.exe	extrac32.exe
PID 536 wrote to memory of 2068	536	efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f.exe	extrac32.exe
PID 536 wrote to memory of 732	536	efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f.exe	qhtzuahX.pif
PID 536 wrote to memory of 732	536	efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f.exe	qhtzuahX.pif
PID 536 wrote to memory of 732	536	efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f.exe	qhtzuahX.pif
PID 536 wrote to memory of 732	536	efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f.exe	qhtzuahX.pif
PID 536 wrote to memory of 732	536	efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f.exe	qhtzuahX.pif

C:\Users\Admin\AppData\Local\Temp\efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f.exe
"C:\Users\Admin\AppData\Local\Temp\efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:536
- C:\Windows\SysWOW64\extrac32.exe
  C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f.exe C:\\Users\\Public\\Libraries\\Xhauzthq.PIF
  2⤵
  PID:2068
- C:\Users\Public\Libraries\qhtzuahX.pif
  C:\Users\Public\Libraries\qhtzuahX.pif
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3988,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=4160 /prefetch:8
1⤵
PID:4616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\qhtzuahX.pif

Filesize
66KB

MD5
c116d3604ceafe7057d77ff27552c215

SHA1
452b14432fb5758b46f2897aeccd89f7c82a727d

SHA256
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

SHA512
9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

Download Submit
memory/536-0-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/536-12-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/732-11-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/732-8-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/732-13-0x0000000074F6E000-0x0000000074F6F000-memory.dmp

Filesize
4KB

Download
memory/732-14-0x0000000049D60000-0x0000000049DBA000-memory.dmp

Filesize
360KB

Download
memory/732-15-0x0000000074F60000-0x0000000075710000-memory.dmp

Filesize
7.7MB

Download
memory/732-16-0x0000000074F60000-0x0000000075710000-memory.dmp

Filesize
7.7MB

Download
memory/732-17-0x000000004C470000-0x000000004CA14000-memory.dmp

Filesize
5.6MB

Download
memory/732-18-0x0000000049F80000-0x0000000049FDA000-memory.dmp

Filesize
360KB

Download
memory/732-19-0x0000000049F80000-0x0000000049FD3000-memory.dmp

Filesize
332KB

Download
memory/732-36-0x0000000049F80000-0x0000000049FD3000-memory.dmp

Filesize
332KB

Download
memory/732-78-0x0000000049F80000-0x0000000049FD3000-memory.dmp

Filesize
332KB

Download
memory/732-76-0x0000000049F80000-0x0000000049FD3000-memory.dmp

Filesize
332KB

Download
memory/732-74-0x0000000049F80000-0x0000000049FD3000-memory.dmp

Filesize
332KB

Download
memory/732-72-0x0000000049F80000-0x0000000049FD3000-memory.dmp

Filesize
332KB

Download
memory/732-70-0x0000000049F80000-0x0000000049FD3000-memory.dmp

Filesize
332KB

Download
memory/732-68-0x0000000049F80000-0x0000000049FD3000-memory.dmp

Filesize
332KB

Download
memory/732-67-0x0000000049F80000-0x0000000049FD3000-memory.dmp

Filesize
332KB

Download
memory/732-64-0x0000000049F80000-0x0000000049FD3000-memory.dmp

Filesize
332KB

Download
memory/732-62-0x0000000049F80000-0x0000000049FD3000-memory.dmp

Filesize
332KB

Download
memory/732-60-0x0000000049F80000-0x0000000049FD3000-memory.dmp

Filesize
332KB

Download
memory/732-58-0x0000000049F80000-0x0000000049FD3000-memory.dmp

Filesize
332KB

Download
memory/732-56-0x0000000049F80000-0x0000000049FD3000-memory.dmp

Filesize
332KB

Download
memory/732-54-0x0000000049F80000-0x0000000049FD3000-memory.dmp

Filesize
332KB

Download
memory/732-52-0x0000000049F80000-0x0000000049FD3000-memory.dmp

Filesize
332KB

Download
memory/732-48-0x0000000049F80000-0x0000000049FD3000-memory.dmp

Filesize
332KB

Download
memory/732-46-0x0000000049F80000-0x0000000049FD3000-memory.dmp

Filesize
332KB

Download
memory/732-44-0x0000000049F80000-0x0000000049FD3000-memory.dmp

Filesize
332KB

Download
memory/732-42-0x0000000049F80000-0x0000000049FD3000-memory.dmp

Filesize
332KB

Download
memory/732-40-0x0000000049F80000-0x0000000049FD3000-memory.dmp

Filesize
332KB

Download
memory/732-38-0x0000000049F80000-0x0000000049FD3000-memory.dmp

Filesize
332KB

Download
memory/732-34-0x0000000049F80000-0x0000000049FD3000-memory.dmp

Filesize
332KB

Download
memory/732-32-0x0000000049F80000-0x0000000049FD3000-memory.dmp

Filesize
332KB

Download
memory/732-30-0x0000000049F80000-0x0000000049FD3000-memory.dmp

Filesize
332KB

Download
memory/732-28-0x0000000049F80000-0x0000000049FD3000-memory.dmp

Filesize
332KB

Download
memory/732-26-0x0000000049F80000-0x0000000049FD3000-memory.dmp

Filesize
332KB

Download
memory/732-24-0x0000000049F80000-0x0000000049FD3000-memory.dmp

Filesize
332KB

Download
memory/732-22-0x0000000049F80000-0x0000000049FD3000-memory.dmp

Filesize
332KB

Download
memory/732-20-0x0000000049F80000-0x0000000049FD3000-memory.dmp

Filesize
332KB

Download
memory/732-50-0x0000000049F80000-0x0000000049FD3000-memory.dmp

Filesize
332KB

Download
memory/732-1069-0x000000004CA20000-0x000000004CA86000-memory.dmp

Filesize
408KB

Download
memory/732-1070-0x0000000074F60000-0x0000000075710000-memory.dmp

Filesize
7.7MB

Download
memory/732-1071-0x000000004DB40000-0x000000004DB90000-memory.dmp

Filesize
320KB

Download
memory/732-1072-0x000000004DB90000-0x000000004DC2C000-memory.dmp

Filesize
624KB

Download
memory/732-1076-0x000000004DD70000-0x000000004DE02000-memory.dmp

Filesize
584KB

Download
memory/732-1077-0x000000004E1C0000-0x000000004E1CA000-memory.dmp

Filesize
40KB

Download
memory/732-1078-0x0000000074F6E000-0x0000000074F6F000-memory.dmp

Filesize
4KB

Download
memory/732-1079-0x0000000074F60000-0x0000000075710000-memory.dmp

Filesize
7.7MB

Download