modiloader | 1707785106445bf2739a351ab8d200015920752c2de957d950599a71d463c6f2 | Triage

Submit
Reports

Overview

overview

Static

static

1707785106...f2.exe

windows7-x64

1707785106...f2.exe

windows10-2004-x64

Sharing

General

Target

1707785106445bf2739a351ab8d200015920752c2de957d950599a71d463c6f2
Size

1.1MB
Sample

221124-eaw69sac4t
MD5

a87e39a2994260ace4ff450bc209eaa8
SHA1

a6772a1894a70969764e56f7575d838980ccd33b
SHA256

1707785106445bf2739a351ab8d200015920752c2de957d950599a71d463c6f2
SHA512

00f2ad75748dbf63e952c80c0e3140bf251c9b9e8e72b508b9ffdd9602ee3c499860866da73b677ab76005d7556684f217ba39b1fa94e4baee15adb4e67a1a0e
SSDEEP

24576:fOdeuxwMYxd+LZNUVwTgSluLV8+rfibJ4G8Jxxk+X0o4C4HMirof:mdpxlYxYUwgssZfA4G8JxxGF

Score

10^/10

modiloader evasion persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

1707785106445bf2739a351ab8d200015920752c2de957d950599a71d463c6f2.exe

Resource

win7-20220812-en

modiloader evasion persistence trojan

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

1707785106445bf2739a351ab8d200015920752c2de957d950599a71d463c6f2.exe

Resource

win10v2004-20221111-en

modiloader evasion persistence trojan

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Targets

- Target
  
  1707785106445bf2739a351ab8d200015920752c2de957d950599a71d463c6f2
- Size
  
  1.1MB
- MD5
  
  a87e39a2994260ace4ff450bc209eaa8
- SHA1
  
  a6772a1894a70969764e56f7575d838980ccd33b
- SHA256
  
  1707785106445bf2739a351ab8d200015920752c2de957d950599a71d463c6f2
- SHA512
  
  00f2ad75748dbf63e952c80c0e3140bf251c9b9e8e72b508b9ffdd9602ee3c499860866da73b677ab76005d7556684f217ba39b1fa94e4baee15adb4e67a1a0e
- SSDEEP
  
  24576:fOdeuxwMYxd+LZNUVwTgSluLV8+rfibJ4G8Jxxk+X0o4C4HMirof:mdpxlYxYUwgssZfA4G8JxxGF
Score

10^/10

modiloader evasion persistence trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- ModiLoader Second Stage
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

modiloaderevasionpersistencetrojan

behavioral2

modiloaderevasionpersistencetrojan

© 2018-2024

Terms | Privacy