modiloader | 17b13a041ab3c33b2df855720e1d1b13d483e9dcead59cd5095719031ec94651

General

Target

17b13a041ab3c33b2df855720e1d1b13d483e9dcead59cd5095719031ec94651N.exe
Size

572KB
MD5

29577e31ffe7d4818d7a90541d821230
SHA1

3c0be81dca7b46c792fefbe0bd8dd496016facc8
SHA256

17b13a041ab3c33b2df855720e1d1b13d483e9dcead59cd5095719031ec94651
SHA512

9bd2d201b1d2d039423591a9df354127d147d30bf4f2e989a1c11dbf1e725d27a325703ed58d978a23bd7935680c21ac7d27468391a4f1cf8240a69e326ae42e
SSDEEP

12288:us2w8hvkR2OWhNlGIZ0igJTtCThXP68d+FRCZtR8WHxh7bBIr0:T2wC88OWhDDsJTtoNgDKrphWg

Score

10^/10

modiloader discovery spyware stealer trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/1684-28-0x0000000000400000-0x0000000000496000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
300	ßáíä.exe
1036	ßáíä.exe

Loads dropped DLL 3 IoCs

pid	Process
1684	17b13a041ab3c33b2df855720e1d1b13d483e9dcead59cd5095719031ec94651N.exe
1684	17b13a041ab3c33b2df855720e1d1b13d483e9dcead59cd5095719031ec94651N.exe
300	ßáíä.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 300 set thread context of 1036	300	ßáíä.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17b13a041ab3c33b2df855720e1d1b13d483e9dcead59cd5095719031ec94651N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ßáíä.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://www.google.com/cse?cx=partner-pub-9588033570232632:rhmyra-cwbb&q={searchTerms}"	ßáíä.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.google.com/cse?cx=partner-pub-9588033570232632:rhmyra-cwbb&q={searchTerms}"	ßáíä.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Google"	ßáíä.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	ßáíä.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes	ßáíä.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadUpdates = "398336"	ßáíä.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	ßáíä.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "file://localhost/C:/www.google.com.htm"	ßáíä.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1036	ßáíä.exe
1036	ßáíä.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2436	DllHost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2436	DllHost.exe
2436	DllHost.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 300	1684	17b13a041ab3c33b2df855720e1d1b13d483e9dcead59cd5095719031ec94651N.exe	30
PID 1684 wrote to memory of 300	1684	17b13a041ab3c33b2df855720e1d1b13d483e9dcead59cd5095719031ec94651N.exe	30
PID 1684 wrote to memory of 300	1684	17b13a041ab3c33b2df855720e1d1b13d483e9dcead59cd5095719031ec94651N.exe	30
PID 1684 wrote to memory of 300	1684	17b13a041ab3c33b2df855720e1d1b13d483e9dcead59cd5095719031ec94651N.exe	30
PID 300 wrote to memory of 1036	300	ßáíä.exe	31
PID 300 wrote to memory of 1036	300	ßáíä.exe	31
PID 300 wrote to memory of 1036	300	ßáíä.exe	31
PID 300 wrote to memory of 1036	300	ßáíä.exe	31
PID 300 wrote to memory of 1036	300	ßáíä.exe	31
PID 300 wrote to memory of 1036	300	ßáíä.exe	31
PID 300 wrote to memory of 1036	300	ßáíä.exe	31
PID 1036 wrote to memory of 1188	1036	ßáíä.exe	21
PID 1036 wrote to memory of 1188	1036	ßáíä.exe	21
PID 1036 wrote to memory of 1188	1036	ßáíä.exe	21
PID 1036 wrote to memory of 1188	1036	ßáíä.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\17b13a041ab3c33b2df855720e1d1b13d483e9dcead59cd5095719031ec94651N.exe
  "C:\Users\Admin\AppData\Local\Temp\17b13a041ab3c33b2df855720e1d1b13d483e9dcead59cd5095719031ec94651N.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Users\Admin\AppData\Local\Temp\ßáíä.exe
    "C:\Users\Admin\AppData\Local\Temp\ßáíä.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Suspicious use of WriteProcessMemory
    PID:300
  - - C:\Users\Admin\AppData\Local\Temp\ßáíä.exe
      C:\Users\Admin\AppData\Local\Temp\ßáíä.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1036

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3D Wallpapers Collection 27.jpg

Filesize
495KB

MD5
c5a27cd076ba0c97d261674c3a30234d

SHA1
5e00601aed5769978366fbbad502e43212041c6c

SHA256
9367ccc0dfcc1c920451e78766c9c1b5592be64e9b50c3d4350cbf09db86ba92

SHA512
64c6c08c41583dda07f5a1ef49d4711d83533bcd77e96480c53db10d8d3c77452d5a075b78d7eb26bce58cab69063ec192bf729bb1ac409cea5be72f7c7942f6

Download Submit
\Users\Admin\AppData\Local\Temp\ßáíä.exe

Filesize
66KB

MD5
1ac0da80e149e476bc101f584d50bf85

SHA1
295af024da94c7bff9af72a0c8ce6656fcf48d23

SHA256
df662e9284f3da2a5b66d52920d832a796cf9ce7c944e1cf84f7cbf431be1c5a

SHA512
2854fa55fead865e640576e91b652dd2ebdf536d1790031ac9c850bfeac7c8b67cdb5a15b00fdd29356452a93b2d36731aec13a062e83d1e696709efc5706172

Download Submit
memory/1036-22-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1036-15-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1036-25-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1036-13-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1036-11-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1036-42-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1188-30-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1188-33-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/1684-26-0x0000000000500000-0x0000000000502000-memory.dmp

Filesize
8KB

Download
memory/1684-28-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2436-27-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads