modiloader | 0009a5bb1bb1542c3663bc48457b7391c940ad8284d92996fa8a058fc4b5a8cc

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2025, 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0009a5bb1bb1542c3663bc48457b7391c940ad8284d92996fa8a058fc4b5a8cc.exe
Size

1.8MB
MD5

f6118d60f7bf36f088b6b7a2c27624fb
SHA1

7eff62e10421088c83d4c74fd8d4f54e145a6b97
SHA256

0009a5bb1bb1542c3663bc48457b7391c940ad8284d92996fa8a058fc4b5a8cc
SHA512

7e7a0bd571fc7719b951c3efbd38eb82235d1a2568b8c36b7cae4b09513fc77113531e0c88ec36a876ed6fdcedc55e25067b8a9ec2277f9441f75312a1957bff
SSDEEP

49152:CWFuLZoC0CGIAOzi6UDCTDi6RTqOLSTb:CWFuLaQ7L8iDPMOLGb

Score

10^/10

modiloader vipkeylogger collection discovery keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

vipkeylogger

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/220-2-0x0000000002F90000-0x0000000003F90000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	ndpha.pif

Executes dropped EXE 5 IoCs

pid	Process
4320	ndpha.pif
2388	svchost.pif
4304	alpha.pif
1244	aken.pif
1048	hzwdvhxM.pif

Loads dropped DLL 1 IoCs

pid	Process
2388	svchost.pif

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hzwdvhxM.pif
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hzwdvhxM.pif
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hzwdvhxM.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mxhvdwzh = "C:\\Users\\Public\\Mxhvdwzh.url"	0009a5bb1bb1542c3663bc48457b7391c940ad8284d92996fa8a058fc4b5a8cc.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	checkip.dyndns.org
12	reallyfreegeoip.org
13	reallyfreegeoip.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 220 set thread context of 1048	220	0009a5bb1bb1542c3663bc48457b7391c940ad8284d92996fa8a058fc4b5a8cc.exe	101

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0009a5bb1bb1542c3663bc48457b7391c940ad8284d92996fa8a058fc4b5a8cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ndpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hzwdvhxM.pif

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1244	aken.pif
1244	aken.pif
1048	hzwdvhxM.pif
1048	hzwdvhxM.pif

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1048	hzwdvhxM.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1244	aken.pif
Token: SeDebugPrivilege	1048	hzwdvhxM.pif

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1048	hzwdvhxM.pif

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 4748	220	0009a5bb1bb1542c3663bc48457b7391c940ad8284d92996fa8a058fc4b5a8cc.exe	87
PID 220 wrote to memory of 4748	220	0009a5bb1bb1542c3663bc48457b7391c940ad8284d92996fa8a058fc4b5a8cc.exe	87
PID 220 wrote to memory of 4748	220	0009a5bb1bb1542c3663bc48457b7391c940ad8284d92996fa8a058fc4b5a8cc.exe	87
PID 220 wrote to memory of 4280	220	0009a5bb1bb1542c3663bc48457b7391c940ad8284d92996fa8a058fc4b5a8cc.exe	89
PID 220 wrote to memory of 4280	220	0009a5bb1bb1542c3663bc48457b7391c940ad8284d92996fa8a058fc4b5a8cc.exe	89
PID 220 wrote to memory of 4280	220	0009a5bb1bb1542c3663bc48457b7391c940ad8284d92996fa8a058fc4b5a8cc.exe	89
PID 4280 wrote to memory of 2288	4280	cmd.exe	91
PID 4280 wrote to memory of 2288	4280	cmd.exe	91
PID 4280 wrote to memory of 2288	4280	cmd.exe	91
PID 4280 wrote to memory of 4320	4280	cmd.exe	92
PID 4280 wrote to memory of 4320	4280	cmd.exe	92
PID 4280 wrote to memory of 4320	4280	cmd.exe	92
PID 4320 wrote to memory of 2388	4320	ndpha.pif	93
PID 4320 wrote to memory of 2388	4320	ndpha.pif	93
PID 2388 wrote to memory of 1876	2388	svchost.pif	94
PID 2388 wrote to memory of 1876	2388	svchost.pif	94
PID 1876 wrote to memory of 1236	1876	cmd.exe	96
PID 1876 wrote to memory of 1236	1876	cmd.exe	96
PID 1876 wrote to memory of 3572	1876	cmd.exe	97
PID 1876 wrote to memory of 3572	1876	cmd.exe	97
PID 1876 wrote to memory of 3532	1876	cmd.exe	98
PID 1876 wrote to memory of 3532	1876	cmd.exe	98
PID 1876 wrote to memory of 4304	1876	cmd.exe	99
PID 1876 wrote to memory of 4304	1876	cmd.exe	99
PID 4304 wrote to memory of 1244	4304	alpha.pif	100
PID 4304 wrote to memory of 1244	4304	alpha.pif	100
PID 220 wrote to memory of 1048	220	0009a5bb1bb1542c3663bc48457b7391c940ad8284d92996fa8a058fc4b5a8cc.exe	101
PID 220 wrote to memory of 1048	220	0009a5bb1bb1542c3663bc48457b7391c940ad8284d92996fa8a058fc4b5a8cc.exe	101
PID 220 wrote to memory of 1048	220	0009a5bb1bb1542c3663bc48457b7391c940ad8284d92996fa8a058fc4b5a8cc.exe	101
PID 220 wrote to memory of 1048	220	0009a5bb1bb1542c3663bc48457b7391c940ad8284d92996fa8a058fc4b5a8cc.exe	101
PID 220 wrote to memory of 1048	220	0009a5bb1bb1542c3663bc48457b7391c940ad8284d92996fa8a058fc4b5a8cc.exe	101

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hzwdvhxM.pif

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hzwdvhxM.pif

C:\Users\Admin\AppData\Local\Temp\0009a5bb1bb1542c3663bc48457b7391c940ad8284d92996fa8a058fc4b5a8cc.exe
"C:\Users\Admin\AppData\Local\Temp\0009a5bb1bb1542c3663bc48457b7391c940ad8284d92996fa8a058fc4b5a8cc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\MxhvdwzhF.cmd" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\\Mxhvdwzh40.cmd" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4280
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\rundll32.exe C:\\Users\\Public\\ndpha.pif
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2288
- - C:\Users\Public\ndpha.pif
    C:\\Users\\Public\\ndpha.pif zipfldr.dll,RouteTheCall C:\Windows \SysWOW64\svchost.pif
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4320
  - - C:\Windows \SysWOW64\svchost.pif
      "C:\Windows \SysWOW64\svchost.pif"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2388
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\NEO.cmd
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1876
      - C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.pif
        6⤵
        
        PID:1236
      - C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\sc.exe C:\\Users\\Public\\Upha.pif
        6⤵
        
        PID:3572
      - C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\aken.pif
        6⤵
        
        PID:3532
      - C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\aken.pif -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Users\Public\aken.pif
        
        C:\\Users\\Public\\aken.pif -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
- C:\Users\Public\Libraries\hzwdvhxM.pif
  C:\Users\Public\Libraries\hzwdvhxM.pif
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aonir34t.20k.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Libraries\Mxhvdwzh40.cmd

Filesize
18KB

MD5
d202469089fa5ec9032f44408562f842

SHA1
bb493815fa079fd19529c25fd0964bc0ae0af26e

SHA256
9c330f29b95689d3ab2f7a461479cd87869464cc03e53b0d8ff5727baa8da979

SHA512
35788359b8092be103fce441fdb3a306d6697f16d752dd1300b1be65cd774f20bc24fd633c276d91d231c0295e57ab7f36aa9ff340a81c0b105681bc7a906ad5

Download Submit
C:\Users\Public\Libraries\NEO.cmd

Filesize
28KB

MD5
d9b276c49813262ba64f91b640235ba9

SHA1
aec725ff0f08798f9fc4248db95461b96f75dd15

SHA256
67bb0e1739291769728fe9e8a77f6e8f5cf506ccf617d55a3349b0a7542d49a5

SHA512
95b3079a55ca05fd92b92985ade1ba955323752930766d6fb968e6981125dcac4b9a65f93dde17319980dd88c03540ceeb2faf66890d2e8f9358f25387058ee4

Download Submit
C:\Users\Public\Libraries\hzwdvhxM.pif

Filesize
66KB

MD5
c116d3604ceafe7057d77ff27552c215

SHA1
452b14432fb5758b46f2897aeccd89f7c82a727d

SHA256
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

SHA512
9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

Download Submit
C:\Users\Public\MxhvdwzhF.cmd

Filesize
13KB

MD5
616f542f94791979d27798e12fe9374b

SHA1
a1d2b9c37d76e14fc3e8424644012c32754e8338

SHA256
d3c9ddaa8debfa28bfdff1dfc8c5ba4e11e39c7d9029ead83c874fcfc8325ddb

SHA512
431c38a99970f6e808966c333a345776537fa85ee1c427b9a4d72333542b30461955e93527c1d7771444d738ded79116d84cc0623638182f2de8f4a07593a1cf

Download Submit
C:\Users\Public\aken.pif

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Public\alpha.pif

Filesize
283KB

MD5
8a2122e8162dbef04694b9c3e0b6cdee

SHA1
f1efb0fddc156e4c61c5f78a54700e4e7984d55d

SHA256
b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

SHA512
99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

Download Submit
C:\Users\Public\ndpha.pif

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
C:\Windows \SysWOW64\NETUTILS.dll

Filesize
111KB

MD5
b124b37740d85c220735af1820b8dbaa

SHA1
cb11862a0ed2cde7459402256d6efb73d709e6fd

SHA256
da2b7b6cb51fff82cf18dc102e248ec90dde31c916cfa3c2b54563583c04d0c7

SHA512
3beec303bfd6f9090d2a4868c109830db919926bcb5e2def5bdfe01b7260d59247db41ff7a1bbe5be8294def1efe6feda2591fe45e67a1ae5bd4b47bb1a24d3d

Download Submit
C:\Windows \SysWOW64\svchost.pif

Filesize
94KB

MD5
869640d0a3f838694ab4dfea9e2f544d

SHA1
bdc42b280446ba53624ff23f314aadb861566832

SHA256
0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323

SHA512
6e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7

Download Submit
memory/220-0-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/220-4-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/220-5-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/220-2-0x0000000002F90000-0x0000000003F90000-memory.dmp

Filesize
16.0MB

Download
memory/220-1-0x0000000002F90000-0x0000000003F90000-memory.dmp

Filesize
16.0MB

Download
memory/1048-73-0x00000000259A0000-0x00000000259F0000-memory.dmp

Filesize
320KB

Download
memory/1048-69-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1048-66-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1048-71-0x0000000023460000-0x00000000234B0000-memory.dmp

Filesize
320KB

Download
memory/1048-72-0x0000000025B30000-0x00000000260D4000-memory.dmp

Filesize
5.6MB

Download
memory/1048-74-0x00000000259F0000-0x0000000025A8C000-memory.dmp

Filesize
624KB

Download
memory/1048-75-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1048-76-0x0000000026E70000-0x0000000027032000-memory.dmp

Filesize
1.8MB

Download
memory/1048-77-0x0000000027080000-0x00000000270D0000-memory.dmp

Filesize
320KB

Download
memory/1048-78-0x0000000027160000-0x00000000271F2000-memory.dmp

Filesize
584KB

Download
memory/1048-79-0x0000000027600000-0x000000002760A000-memory.dmp

Filesize
40KB

Download
memory/1244-49-0x000002B16B320000-0x000002B16B342000-memory.dmp

Filesize
136KB

Download
memory/2388-33-0x00000000613C0000-0x00000000613E3000-memory.dmp

Filesize
140KB

Download