Overview

overview

10

Static

static

TSDPL for GSTR3b.exe

windows7-x64

10

TSDPL for GSTR3b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    154s
  • max time network
    196s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 00:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TSDPL for GSTR3b.exe

  • Size

    813KB

  • MD5

    96687cb64b98418c573ee65753a72e33

  • SHA1

    d20ada54342596cd29bf7f66bc86d4503c4cfea4

  • SHA256

    c410af32a481222f15dd9babe626182317e7d76d603d2eb001cccd213a258873

  • SHA512

    b9f4e51985e839ece1f1bfb74ce1c0ffa232f848cdbef5a1c65ed3e703096074b779b509c1369060a96e924d4eae7e80049639e886923271b4d576ca725746b9

  • SSDEEP

    12288:vOrAkZrlpZxc3NKqgw9ONuRJooNN5dHVqTdTB2O4rwSMpxwhxjgV:vs3hp4c6/n5q5oOqLM2x0V

Score
10/10
modiloadertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://drive.google.com/uc?export=download&id=1Dbjqv3kYu9z-oWAyCtOblfNRuOjXFyFa

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TSDPL for GSTR3b.exe
    "C:\Users\Admin\AppData\Local\Temp\TSDPL for GSTR3b.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5116
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\png.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3488
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -FILE C:\Users\Public\Libraries\png.ps1
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1696

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\Libraries\png.bat
    Filesize

    100B

    MD5

    c385a71887d828b1df961942e68ecfe8

    SHA1

    3f539a56267af3db91be9ac9ea2fd5d803a53279

    SHA256

    bcd9e416bc017b7f079e7daee3b628ccdcf34cfb93d1d131f0d11ee2ba3498f3

    SHA512

    83d48fa5c8d06918fe63404500f35231f461dd7ce57540d9f9c36b0fcc81a15e02f28e5aa66acdf2183ce95acd2f301e3d5963c10e2bc298c93dab87e9d90848

    Download Submit

  • C:\Users\Public\Libraries\png.ps1
    Filesize

    213B

    MD5

    534e8fec8b4f4a679ebf8d2cd052cb94

    SHA1

    a75d3f06cee2bb7e78f0fcb4aa97cbc90a7a16b6

    SHA256

    a87f610f71c4c972fad2cc8a7501f2cb6c762075a97e2194f3596d2c15d6414c

    SHA512

    91ef8408df7a9050a09415eac37cbd1bc2853fadd9c0b38a6207b35240037826e11200a42292a69c74154f64338cc3dddf63a45b0bba1d9dc7378d6f93a35200

    Download Submit

  • memory/1696-139-0x0000000004BE0000-0x0000000004C02000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1696-136-0x0000000000000000-mapping.dmp

    Download

  • memory/1696-137-0x0000000000E40000-0x0000000000E76000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1696-138-0x0000000004D50000-0x0000000005378000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1696-140-0x00000000053F0000-0x0000000005456000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1696-141-0x0000000005460000-0x00000000054C6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1696-142-0x0000000005850000-0x000000000586E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1696-144-0x0000000007180000-0x00000000077FA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1696-145-0x00000000060F0000-0x000000000610A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3488-134-0x0000000000000000-mapping.dmp

    Download

  • memory/5116-132-0x00000000023C0000-0x00000000023EC000-memory.dmp

    Filesize

    176KB

    Download