modiloader | 5c9bb9046742d87cecc0707c790bbb880430b28abea4b2d34f93e25a431ba1cf

Resubmissions

23-11-2022 17:40

221123-v8zm2sbc62 10

23-11-2022 08:29

221123-kdqrjscc7v 10

Analysis

max time kernel
44s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Okihbllr.exe
Size

813KB
MD5

075d9c52498f73266ac8e6b6dc93338f
SHA1

9e5de0203a144c2098def6c56521ac80bbac715e
SHA256

5c9bb9046742d87cecc0707c790bbb880430b28abea4b2d34f93e25a431ba1cf
SHA512

9bffb68e80dd59d7da8783dd92441daf914d9ead0f13376570668172b139ac18843b2be7a71617000ef32b95397e08bc9ffe796a3e38d5da708e94c674088207
SSDEEP

12288:vOrAkZrlpZxc3NKqgw9ONuRJooNN5dHVqTdTB2O4rwSMpxwhxPgV:vs3hp4c6/n5q5oOqLM2x4V

Score

10^/10

modiloader trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=1MBtsjmywyat6GFW-5YPgcumD-ReC9ToK

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2032-55-0x0000000001FA0000-0x0000000001FCC000-memory.dmp	modiloader_stage2

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 1352 powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1316 2032 WerFault.exe Okihbllr.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1352 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1352 powershell.exe

flow	pid	process
4	1352	powershell.exe

pid	pid_target	process	target process
1316	2032	WerFault.exe	Okihbllr.exe

pid	process
1352	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1352	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Okihbllr.execmd.exe

description	pid	process	target process
PID 2032 wrote to memory of 1552	2032	Okihbllr.exe	cmd.exe
PID 2032 wrote to memory of 1552	2032	Okihbllr.exe	cmd.exe
PID 2032 wrote to memory of 1552	2032	Okihbllr.exe	cmd.exe
PID 2032 wrote to memory of 1552	2032	Okihbllr.exe	cmd.exe
PID 1552 wrote to memory of 1352	1552	cmd.exe	powershell.exe
PID 1552 wrote to memory of 1352	1552	cmd.exe	powershell.exe
PID 1552 wrote to memory of 1352	1552	cmd.exe	powershell.exe
PID 1552 wrote to memory of 1352	1552	cmd.exe	powershell.exe
PID 2032 wrote to memory of 1316	2032	Okihbllr.exe	WerFault.exe
PID 2032 wrote to memory of 1316	2032	Okihbllr.exe	WerFault.exe
PID 2032 wrote to memory of 1316	2032	Okihbllr.exe	WerFault.exe
PID 2032 wrote to memory of 1316	2032	Okihbllr.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Okihbllr.exe
"C:\Users\Admin\AppData\Local\Temp\Okihbllr.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\Libraries\png.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -FILE C:\Users\Public\Libraries\png.ps1
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 604
2⤵
- Program crash
PID:1316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\png.bat

Filesize
100B

MD5
c385a71887d828b1df961942e68ecfe8

SHA1
3f539a56267af3db91be9ac9ea2fd5d803a53279

SHA256
bcd9e416bc017b7f079e7daee3b628ccdcf34cfb93d1d131f0d11ee2ba3498f3

SHA512
83d48fa5c8d06918fe63404500f35231f461dd7ce57540d9f9c36b0fcc81a15e02f28e5aa66acdf2183ce95acd2f301e3d5963c10e2bc298c93dab87e9d90848

Download Submit
C:\Users\Public\Libraries\png.ps1

Filesize
213B

MD5
3ebceae09f2c6f5daeada34a61f97a75

SHA1
ad696c38250e3468fe4d5117238090c70cf4c661

SHA256
880d8e1c9c3de1286a872690f75def5f65dd49c09f5f4567287bc72a072133d5

SHA512
01effc8cbe84c580b6cbadddef91704d2cf810575ad6ccf7d415e9c4823e7802a15f04dd55583e95102cacb954eb4e85aea8225307b82eccbfa756abfa422293

Download Submit
memory/1316-64-0x0000000000000000-mapping.dmp

Download
memory/1352-59-0x0000000000000000-mapping.dmp

Download
memory/1352-61-0x0000000073AB0000-0x000000007405B000-memory.dmp

Filesize
5.7MB

Download
memory/1352-63-0x0000000073AB0000-0x000000007405B000-memory.dmp

Filesize
5.7MB

Download
memory/1552-57-0x0000000000000000-mapping.dmp

Download
memory/2032-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/2032-55-0x0000000001FA0000-0x0000000001FCC000-memory.dmp

Filesize
176KB

Download