modiloader | 0fa91b5908e67e139b25b626a047da5ab3003187d0b22ccad00cce2e503a350f

General

Target

New Order.exe
Size

1.2MB
MD5

eec43b73ccd5f26bbaba81ffc080a573
SHA1

09a79460db647ec8c12328bfc9b8c4daaa86cf72
SHA256

939863edcaf7c655fb6e3020bdfe5138bf6e61faa3d3b037f113216ccc1be55a
SHA512

a45a33f0de9c282f78001bd0c9621e5f86dc82466f51c669015f1eb3a94c60c9adc7ebcd5e881a237f2271b3fe3056155255e2e8e6e75129ee631ba4d07d8e97

Score

10^/10

modiloader trojan

Malware Config

Extracted

Family

modiloader

C2

https://drive.google.com/u/0/uc?id=1CrIxeE3bKxWj_7ScJWKAZssR-K0cjUiK&export=download

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader First Stage 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5016-132-0x0000000010410000-0x000000001047E000-memory.dmp	modiloader_stage1
behavioral2/memory/1356-140-0x0000000010410000-0x000000001047E000-memory.dmp	modiloader_stage1

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

New Order.exe

description	pid	process	target process
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe
PID 5016 wrote to memory of 1356	5016	New Order.exe	New Order.exe

C:\Users\Admin\AppData\Local\Temp\New Order.exe
"C:\Users\Admin\AppData\Local\Temp\New Order.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5016

C:\Users\Admin\AppData\Local\Temp\New Order.exe
"C:\Users\Admin\AppData\Local\Temp\New Order.exe"
2⤵
PID:1356

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x394 0x33c
1⤵
PID:3456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1356-131-0x0000000000000000-mapping.dmp

Download
memory/1356-140-0x0000000010410000-0x000000001047E000-memory.dmp

Filesize
440KB

Download
memory/5016-132-0x0000000010410000-0x000000001047E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing