modiloader | 21b1a3fbb83c460c9282177e1402c2c68402dafd3b086fc40f231ac5cad88731

Analysis

max time kernel
64s
max time network
58s
platform
windows7_x64
resource
win7-20220414-en
submitted
16-05-2022 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21b1a3fbb83c460c9282177e1402c2c68402dafd3b086fc40f231ac5cad88731.exe
Size

833KB
MD5

8852e37e8b91c314b1f0a7cfb404baf4
SHA1

4dbcbeb9a4508f375fa445acfeb8cdc9de6d8391
SHA256

21b1a3fbb83c460c9282177e1402c2c68402dafd3b086fc40f231ac5cad88731
SHA512

55b09dbfcccf48f3f11fb12b55842f236db5035ece1bd4f7e9a63b4924639e57d531f19eeeb05d8a927c197bb27bbd8fdce1118439437320b88d6bf011ecf198

Score

10^/10

modiloader trojan

Malware Config

Extracted

Family

modiloader

https://cdn.discordapp.com/attachments/752128569169281083/759306068374847508/Stvd123

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader First Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/924-56-0x00000000004E0000-0x000000000053C000-memory.dmp	modiloader_stage1

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

600 924 WerFault.exe 21b1a3fbb83c460c9282177e1402c2c68402dafd3b086fc40f231ac5cad88731.exe

pid	pid_target	process	target process
600	924	WerFault.exe	21b1a3fbb83c460c9282177e1402c2c68402dafd3b086fc40f231ac5cad88731.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

21b1a3fbb83c460c9282177e1402c2c68402dafd3b086fc40f231ac5cad88731.exe

description	pid	process	target process
PID 924 wrote to memory of 600	924	21b1a3fbb83c460c9282177e1402c2c68402dafd3b086fc40f231ac5cad88731.exe	WerFault.exe
PID 924 wrote to memory of 600	924	21b1a3fbb83c460c9282177e1402c2c68402dafd3b086fc40f231ac5cad88731.exe	WerFault.exe
PID 924 wrote to memory of 600	924	21b1a3fbb83c460c9282177e1402c2c68402dafd3b086fc40f231ac5cad88731.exe	WerFault.exe
PID 924 wrote to memory of 600	924	21b1a3fbb83c460c9282177e1402c2c68402dafd3b086fc40f231ac5cad88731.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\21b1a3fbb83c460c9282177e1402c2c68402dafd3b086fc40f231ac5cad88731.exe
"C:\Users\Admin\AppData\Local\Temp\21b1a3fbb83c460c9282177e1402c2c68402dafd3b086fc40f231ac5cad88731.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 732
2⤵
- Program crash
PID:600

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/600-62-0x0000000000000000-mapping.dmp

Download
memory/924-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/924-56-0x00000000004E0000-0x000000000053C000-memory.dmp

Filesize
368KB

Download