modiloader | 5c9bb9046742d87cecc0707c790bbb880430b28abea4b2d34f93e25a431ba1cf

Resubmissions

23-11-2022 17:40

23-11-2022 08:29

max time kernel
329s
max time network
399s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 08:29

Target

Okihbllr.exe
Size

813KB
MD5

075d9c52498f73266ac8e6b6dc93338f
SHA1

9e5de0203a144c2098def6c56521ac80bbac715e
SHA256

5c9bb9046742d87cecc0707c790bbb880430b28abea4b2d34f93e25a431ba1cf
SHA512

9bffb68e80dd59d7da8783dd92441daf914d9ead0f13376570668172b139ac18843b2be7a71617000ef32b95397e08bc9ffe796a3e38d5da708e94c674088207
SSDEEP

12288:vOrAkZrlpZxc3NKqgw9ONuRJooNN5dHVqTdTB2O4rwSMpxwhxPgV:vs3hp4c6/n5q5oOqLM2x4V

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/712-132-0x0000000000820000-0x000000000084C000-memory.dmp	modiloader_stage2

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2144 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2144 powershell.exe

pid	process
2144	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2144	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Okihbllr.execmd.exe

description	pid	process	target process
PID 712 wrote to memory of 1408	712	Okihbllr.exe	cmd.exe
PID 712 wrote to memory of 1408	712	Okihbllr.exe	cmd.exe
PID 712 wrote to memory of 1408	712	Okihbllr.exe	cmd.exe
PID 1408 wrote to memory of 2144	1408	cmd.exe	powershell.exe
PID 1408 wrote to memory of 2144	1408	cmd.exe	powershell.exe
PID 1408 wrote to memory of 2144	1408	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Okihbllr.exe
"C:\Users\Admin\AppData\Local\Temp\Okihbllr.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\png.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1408

C:\Users\Public\Libraries\png.bat
Filesize
100B

MD5
c385a71887d828b1df961942e68ecfe8

SHA1
3f539a56267af3db91be9ac9ea2fd5d803a53279

SHA256
bcd9e416bc017b7f079e7daee3b628ccdcf34cfb93d1d131f0d11ee2ba3498f3

SHA512
83d48fa5c8d06918fe63404500f35231f461dd7ce57540d9f9c36b0fcc81a15e02f28e5aa66acdf2183ce95acd2f301e3d5963c10e2bc298c93dab87e9d90848

Download Submit
memory/712-132-0x0000000000820000-0x000000000084C000-memory.dmp

Filesize
176KB

Download
memory/1408-134-0x0000000000000000-mapping.dmp

Download
memory/2144-136-0x0000000000000000-mapping.dmp

Download
memory/2144-137-0x0000000002BA0000-0x0000000002BD6000-memory.dmp

Filesize
216KB

Download
memory/2144-138-0x00000000055B0000-0x0000000005BD8000-memory.dmp

Filesize
6.2MB

Download
memory/2144-139-0x00000000054E0000-0x0000000005502000-memory.dmp

Filesize
136KB

Download
memory/2144-140-0x0000000005BE0000-0x0000000005C46000-memory.dmp

Filesize
408KB

Download
memory/2144-141-0x0000000005C50000-0x0000000005CB6000-memory.dmp

Filesize
408KB

Download