modiloader | b6a0458cdf737e39a1d73dd5479efbb519acf6aa537f5c2b00961c095528c77f | Triage

Submit
Reports

Overview

overview

Static

static

b6a0458cdf...7f.exe

windows7-x64

b6a0458cdf...7f.exe

windows10-2004-x64

Sharing

General

Target

b6a0458cdf737e39a1d73dd5479efbb519acf6aa537f5c2b00961c095528c77f
Size

383KB
Sample

221124-nfqfcadf5x
MD5

47979ea88b490979d1014aabc70dd62d
SHA1

e0008eb51583f3adf6c03410359cab9c8a31b43f
SHA256

b6a0458cdf737e39a1d73dd5479efbb519acf6aa537f5c2b00961c095528c77f
SHA512

07c0f60242881e39b2fc3adf4f21e07b8a6bd9e51617ae04cb4174f5a2da1e5b3602166f5d5f74805fc762c73ec743915113dafadabd95ac30b1032f82d9e384
SSDEEP

6144:F2p66UIY1KvS9LMwJTv5m6kc8xJ7PRvcUrYPwg6WZCTdRYkPMMmTEoM:gp66ULQvSNMMTvnkc8xdPRvX4ZCTdRYw

Score

10^/10

modiloader evasion persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

b6a0458cdf737e39a1d73dd5479efbb519acf6aa537f5c2b00961c095528c77f.exe

Resource

win7-20220812-en

modiloader evasion persistence trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

b6a0458cdf737e39a1d73dd5479efbb519acf6aa537f5c2b00961c095528c77f.exe

Resource

win10v2004-20220812-en

modiloader evasion persistence trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  b6a0458cdf737e39a1d73dd5479efbb519acf6aa537f5c2b00961c095528c77f
- Size
  
  383KB
- MD5
  
  47979ea88b490979d1014aabc70dd62d
- SHA1
  
  e0008eb51583f3adf6c03410359cab9c8a31b43f
- SHA256
  
  b6a0458cdf737e39a1d73dd5479efbb519acf6aa537f5c2b00961c095528c77f
- SHA512
  
  07c0f60242881e39b2fc3adf4f21e07b8a6bd9e51617ae04cb4174f5a2da1e5b3602166f5d5f74805fc762c73ec743915113dafadabd95ac30b1032f82d9e384
- SSDEEP
  
  6144:F2p66UIY1KvS9LMwJTv5m6kc8xJ7PRvcUrYPwg6WZCTdRYkPMMmTEoM:gp66ULQvSNMMTvnkc8xdPRvX4ZCTdRYw
Score

10^/10

modiloader evasion persistence trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Looks for VirtualBox Guest Additions in registry
  evasion
- ModiLoader Second Stage
- Adds policy Run key to start application
  persistence
- Disables use of System Restore points
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

modiloaderevasionpersistencetrojan

behavioral2

modiloaderevasionpersistencetrojan

© 2018-2024

Terms | Privacy