modiloader | abe7301bf2f32f652c0317068168387a2828f27d1c755e2fda2336c0208c7477

General

Target

abe7301bf2f32f652c0317068168387a2828f27d1c755e2fda2336c0208c7477N.exe
Size

1.3MB
MD5

0d0e5d826209927eb07f4e393eff6f90
SHA1

0cc3c1a211c87f4b13aea8a53b043dcdc0a375d9
SHA256

abe7301bf2f32f652c0317068168387a2828f27d1c755e2fda2336c0208c7477
SHA512

7750dfff7fe5138c8850e2141cd1e7b7c44b95a7693c82056bdf9372bea7033ce93b4ec558533afdefb63d99885822f2c9dda4e18cfc7fa3ee266c9663fdd0f3
SSDEEP

24576:L8EX1B+OLhKrDdPGrevewoRpaK8ui+8qG7Edy3+0:9Brm685j3+0

Score

10^/10

modiloader njrat vnhax discovery persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

vnhax

C2

fr3onm9r.ddns.net:5566

Mutex

dae31c02cb06222e776b9ccb9207edb1

Attributes

reg_key
dae31c02cb06222e776b9ccb9207edb1
splitter
|'|'|

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2700-15-0x0000000000400000-0x000000000055D000-memory.dmp	modiloader_stage2

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
1908	Server.exe
2540	VnHaxLoader.exe
2292	._cache_VnHaxLoader.exe
2848	Synaptics.exe
2788	system.exe
1880	._cache_Synaptics.exe

Loads dropped DLL 10 IoCs

pid	Process
2700	abe7301bf2f32f652c0317068168387a2828f27d1c755e2fda2336c0208c7477N.exe
2700	abe7301bf2f32f652c0317068168387a2828f27d1c755e2fda2336c0208c7477N.exe
2700	abe7301bf2f32f652c0317068168387a2828f27d1c755e2fda2336c0208c7477N.exe
2540	VnHaxLoader.exe
2540	VnHaxLoader.exe
2540	VnHaxLoader.exe
2540	VnHaxLoader.exe
1908	Server.exe
2848	Synaptics.exe
2848	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	VnHaxLoader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abe7301bf2f32f652c0317068168387a2828f27d1c755e2fda2336c0208c7477N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VnHaxLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_VnHaxLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2920	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2292	._cache_VnHaxLoader.exe
Token: SeDebugPrivilege	1880	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2920	EXCEL.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 1908	2700	abe7301bf2f32f652c0317068168387a2828f27d1c755e2fda2336c0208c7477N.exe	30
PID 2700 wrote to memory of 1908	2700	abe7301bf2f32f652c0317068168387a2828f27d1c755e2fda2336c0208c7477N.exe	30
PID 2700 wrote to memory of 1908	2700	abe7301bf2f32f652c0317068168387a2828f27d1c755e2fda2336c0208c7477N.exe	30
PID 2700 wrote to memory of 1908	2700	abe7301bf2f32f652c0317068168387a2828f27d1c755e2fda2336c0208c7477N.exe	30
PID 2700 wrote to memory of 2540	2700	abe7301bf2f32f652c0317068168387a2828f27d1c755e2fda2336c0208c7477N.exe	31
PID 2700 wrote to memory of 2540	2700	abe7301bf2f32f652c0317068168387a2828f27d1c755e2fda2336c0208c7477N.exe	31
PID 2700 wrote to memory of 2540	2700	abe7301bf2f32f652c0317068168387a2828f27d1c755e2fda2336c0208c7477N.exe	31
PID 2700 wrote to memory of 2540	2700	abe7301bf2f32f652c0317068168387a2828f27d1c755e2fda2336c0208c7477N.exe	31
PID 2540 wrote to memory of 2292	2540	VnHaxLoader.exe	32
PID 2540 wrote to memory of 2292	2540	VnHaxLoader.exe	32
PID 2540 wrote to memory of 2292	2540	VnHaxLoader.exe	32
PID 2540 wrote to memory of 2292	2540	VnHaxLoader.exe	32
PID 2540 wrote to memory of 2848	2540	VnHaxLoader.exe	34
PID 2540 wrote to memory of 2848	2540	VnHaxLoader.exe	34
PID 2540 wrote to memory of 2848	2540	VnHaxLoader.exe	34
PID 2540 wrote to memory of 2848	2540	VnHaxLoader.exe	34
PID 1908 wrote to memory of 2788	1908	Server.exe	35
PID 1908 wrote to memory of 2788	1908	Server.exe	35
PID 1908 wrote to memory of 2788	1908	Server.exe	35
PID 1908 wrote to memory of 2788	1908	Server.exe	35
PID 2848 wrote to memory of 1880	2848	Synaptics.exe	36
PID 2848 wrote to memory of 1880	2848	Synaptics.exe	36
PID 2848 wrote to memory of 1880	2848	Synaptics.exe	36
PID 2848 wrote to memory of 1880	2848	Synaptics.exe	36

C:\Users\Admin\AppData\Local\Temp\abe7301bf2f32f652c0317068168387a2828f27d1c755e2fda2336c0208c7477N.exe
"C:\Users\Admin\AppData\Local\Temp\abe7301bf2f32f652c0317068168387a2828f27d1c755e2fda2336c0208c7477N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Users\Admin\AppData\Roaming\system.exe
    "C:\Users\Admin\AppData\Roaming\system.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2788
- C:\Users\Admin\AppData\Local\Temp\VnHaxLoader.exe
  "C:\Users\Admin\AppData\Local\Temp\VnHaxLoader.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Users\Admin\AppData\Local\Temp\._cache_VnHaxLoader.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_VnHaxLoader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2292
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1880

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JW3ihaEI.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\VnHaxLoader.exe

Filesize
1.3MB

MD5
81182d0ae27b28498dcd8820682ae70b

SHA1
daf3e3447a9cd7d732144319116a3284ea75ef61

SHA256
6a0a53359f71be40fc8542d147773bd8f951afb0f800bf8f6eaec71c562a8989

SHA512
7479cd1a2ef9dcc68dccf79e3e9a94319912f402b9cfd37f429db1a8c2fb59bfae7abb6810df56d1d068476cb1e9a7aaddd5c15c1583ac88a13e5ddce308b725

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9bmwOCtCYE7dD.exe

Filesize
2.7MB

MD5
65530d1835bf07aa364695a81116ebcb

SHA1
4a43e4410f8ea98a6c97aa1defa5b533d04c6930

SHA256
add4c84b9f3e2781009544d843ce02801e47c20e9a94fc5debd7ec7cac2a0d54

SHA512
18c4743dc8d6c843aa3f502f91c39b7b2bd8fc3951f8bb43fe3d31f98b0d6ede1f56571cc87645235d477b23eb34afe3a1e2499a17347bf26d7c2f238c6e788d

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_VnHaxLoader.exe

Filesize
570KB

MD5
14d46a9cd56d0da083c316ca9f80a001

SHA1
549c08fb626f69f2dbb1f0d80e0247ad791880a7

SHA256
736999c63ce30d23e5f30b1cafc4ecfe4ce0411c2aaa69e762ed8f7286e63e66

SHA512
f74dded1913aef8442f653ada06d672a73cfdee51257a2747558520b85441b26cc6a7a39670d35800a8fc25065f19a21023154d3a98df875c5fe0463641aac30

Download Submit
\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
29KB

MD5
e8859169d3e803cc1a7aa9a98b13e5d7

SHA1
1c9e97262eff1ed0a2ef05590661bd74c7546df2

SHA256
60d110d1f918610754ec9c9919b7beaa8ddef6c3bff2ae00499593652f339ab4

SHA512
2ef847ecea75ff90410ac4f776b467898d17dd01622e55a7ff75050acf2725d1568ffc45680d7058e450d435fdbbcf77b3017fb3cb32f2da5167e53aed62b0a7

Download Submit
memory/1908-20-0x00000000020D0000-0x0000000002110000-memory.dmp

Filesize
256KB

Download
memory/2540-17-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2540-46-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2700-15-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/2848-95-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2848-96-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2848-128-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2920-63-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads