Concrete signature match: Trojan (appears legitimate but performs malicious actions), 32-bit Windows platform, family ModiLoader
This threat is a Trojan from the ModiLoader malware family, designed to download and execute additional malicious payloads. It leverages multiple built-in Windows tools (living-off-the-land binaries and scripts, LOLBAS) such as PowerShell, Mshta and Rundll32 for stealthy execution, and uses techniques such as API hooking and scheduled tasks to maintain persistence and evade detection.
Relevant strings associated with this threat (signature component name, followed by its match type):
- |#75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 (NID)
- }#75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 (NID)
- |#e6db77e5-3df2-4cf1-b95a-636979351e5b (NID)
- }#e6db77e5-3df2-4cf1-b95a-636979351e5b (NID)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
Isolate the affected machine from the network immediately to prevent lateral movement. Use antivirus software to remove the threat and run a full system scan for any secondary payloads. Investigate for persistence mechanisms, such as new scheduled tasks, and consider re-imaging the device for complete remediation.