modiloader | c93a7022c0677da84789c7770d60c1cb7d4534d552d3b985711bc1c1519ad016 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

c93a7022c0...16.exe

windows7-x64

c93a7022c0...16.exe

windows10-2004-x64

Sharing

General

Target

c93a7022c0677da84789c7770d60c1cb7d4534d552d3b985711bc1c1519ad016
Size

603KB
Sample

221029-e7fksacahq
MD5

b0b97a3c4739fbcd9e7db5049c0d1f25
SHA1

aeb8b08bf5179e895a2f28f950ff31946cf0565b
SHA256

c93a7022c0677da84789c7770d60c1cb7d4534d552d3b985711bc1c1519ad016
SHA512

92a1ed6151e4f2a5aef3105d295930ce0b6878c4617ddbd5098bd3978e4063a8e9d290ba04905cd69567dcedae177ae68b64c297621fcacc0faf727212d8ef7e
SSDEEP

12288:6eeWaQehiM7jTD13IFjrhLytIwPWNrYlkdsFizVa0:gQui0JYTyXPsElLFKVr

Score

10^/10

modiloader evasion persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

c93a7022c0677da84789c7770d60c1cb7d4534d552d3b985711bc1c1519ad016.exe

Resource

win7-20220901-en

modiloader evasion persistence trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

c93a7022c0677da84789c7770d60c1cb7d4534d552d3b985711bc1c1519ad016.exe

Resource

win10v2004-20220812-en

modiloader evasion persistence trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  c93a7022c0677da84789c7770d60c1cb7d4534d552d3b985711bc1c1519ad016
- Size
  
  603KB
- MD5
  
  b0b97a3c4739fbcd9e7db5049c0d1f25
- SHA1
  
  aeb8b08bf5179e895a2f28f950ff31946cf0565b
- SHA256
  
  c93a7022c0677da84789c7770d60c1cb7d4534d552d3b985711bc1c1519ad016
- SHA512
  
  92a1ed6151e4f2a5aef3105d295930ce0b6878c4617ddbd5098bd3978e4063a8e9d290ba04905cd69567dcedae177ae68b64c297621fcacc0faf727212d8ef7e
- SSDEEP
  
  12288:6eeWaQehiM7jTD13IFjrhLytIwPWNrYlkdsFizVa0:gQui0JYTyXPsElLFKVr
Score

10^/10

modiloader evasion persistence trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- ModiLoader Second Stage
- Adds policy Run key to start application
  persistence
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Software Discovery

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

modiloaderevasionpersistencetrojan

behavioral2

modiloaderevasionpersistencetrojan

© 2018-2025

Terms | Privacy