modiloader | 5656474312a7e6020bff2f84dc024957a06a434c1371d43ef693c7c1f96cf65c

Analysis

max time kernel
46s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 22:04

Target

5656474312a7e6020bff2f84dc024957a06a434c1371d43ef693c7c1f96cf65c.exe
Size

284KB
MD5

613b2df5244a97613834c4f02dd284a0
SHA1

fab18c3fa0b4ad192fd6fcc141913882583938cd
SHA256

5656474312a7e6020bff2f84dc024957a06a434c1371d43ef693c7c1f96cf65c
SHA512

4a3f6b577518f06756a33ccd2dff088e796fa03163b4eea3856cd6dea4cf0716f259dba0958b99b7f80205f9ae109e09296780c22d472650039903716164690d
SSDEEP

6144:R2eK9yFB2MnaL3iKd4zgzto3dWaO5f9LGENjznX:7a3rD7d4zMtedk7/X

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 4 IoCs

resource	yara_rule
behavioral1/memory/1712-58-0x0000000000400000-0x0000000000437000-memory.dmp	modiloader_stage2
behavioral1/memory/1712-59-0x0000000000402E50-mapping.dmp	modiloader_stage2
behavioral1/memory/1712-65-0x0000000000400000-0x0000000000437000-memory.dmp	modiloader_stage2
behavioral1/memory/1712-67-0x0000000000440000-0x000000000050A000-memory.dmp	modiloader_stage2

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1932 set thread context of 1712	1932	5656474312a7e6020bff2f84dc024957a06a434c1371d43ef693c7c1f96cf65c.exe	28
PID 1932 set thread context of 1712	1932	5656474312a7e6020bff2f84dc024957a06a434c1371d43ef693c7c1f96cf65c.exe	28

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1932	5656474312a7e6020bff2f84dc024957a06a434c1371d43ef693c7c1f96cf65c.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 1712	1932	5656474312a7e6020bff2f84dc024957a06a434c1371d43ef693c7c1f96cf65c.exe	28
PID 1932 wrote to memory of 1712	1932	5656474312a7e6020bff2f84dc024957a06a434c1371d43ef693c7c1f96cf65c.exe	28
PID 1932 wrote to memory of 1712	1932	5656474312a7e6020bff2f84dc024957a06a434c1371d43ef693c7c1f96cf65c.exe	28
PID 1932 wrote to memory of 1712	1932	5656474312a7e6020bff2f84dc024957a06a434c1371d43ef693c7c1f96cf65c.exe	28
PID 1932 wrote to memory of 1712	1932	5656474312a7e6020bff2f84dc024957a06a434c1371d43ef693c7c1f96cf65c.exe	28
PID 1932 wrote to memory of 1712	1932	5656474312a7e6020bff2f84dc024957a06a434c1371d43ef693c7c1f96cf65c.exe	28
PID 1932 wrote to memory of 1712	1932	5656474312a7e6020bff2f84dc024957a06a434c1371d43ef693c7c1f96cf65c.exe	28
PID 1932 wrote to memory of 1712	1932	5656474312a7e6020bff2f84dc024957a06a434c1371d43ef693c7c1f96cf65c.exe	28
PID 1932 wrote to memory of 1712	1932	5656474312a7e6020bff2f84dc024957a06a434c1371d43ef693c7c1f96cf65c.exe	28
PID 1932 wrote to memory of 1712	1932	5656474312a7e6020bff2f84dc024957a06a434c1371d43ef693c7c1f96cf65c.exe	28
PID 1932 wrote to memory of 1712	1932	5656474312a7e6020bff2f84dc024957a06a434c1371d43ef693c7c1f96cf65c.exe	28
PID 1932 wrote to memory of 1712	1932	5656474312a7e6020bff2f84dc024957a06a434c1371d43ef693c7c1f96cf65c.exe	28

C:\Users\Admin\AppData\Local\Temp\5656474312a7e6020bff2f84dc024957a06a434c1371d43ef693c7c1f96cf65c.exe
"C:\Users\Admin\AppData\Local\Temp\5656474312a7e6020bff2f84dc024957a06a434c1371d43ef693c7c1f96cf65c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\AppData\Local\Temp\5656474312a7e6020bff2f84dc024957a06a434c1371d43ef693c7c1f96cf65c.exe
  "C:\Users\Admin\AppData\Local\Temp\5656474312a7e6020bff2f84dc024957a06a434c1371d43ef693c7c1f96cf65c.exe"
  2⤵
  PID:1712

memory/1712-58-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1712-65-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1712-67-0x0000000000440000-0x000000000050A000-memory.dmp

Filesize
808KB

Download
memory/1932-56-0x0000000003F41000-0x0000000003F44000-memory.dmp

Filesize
12KB

Download
memory/1932-57-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download
memory/1932-63-0x0000000003F41000-0x0000000003F44000-memory.dmp

Filesize
12KB

Download