modiloader | e7dbd88d9418bbca96ec30cbbcbea00d4bfb8167aa5aea89238bc02515c1c37d | Triage

Submit
Reports

Overview

overview

Static

static

e7dbd88d94...7d.exe

windows7-x64

e7dbd88d94...7d.exe

windows10-2004-x64

Sharing

General

Target

e7dbd88d9418bbca96ec30cbbcbea00d4bfb8167aa5aea89238bc02515c1c37d
Size

369KB
Sample

221125-27z1radh34
MD5

c95c9df728cd99404baab9f421f85a1c
SHA1

92503a94d7581579cffcc18646477d448a8069a6
SHA256

e7dbd88d9418bbca96ec30cbbcbea00d4bfb8167aa5aea89238bc02515c1c37d
SHA512

6e8777c8a70622931e3762d98fdd0d98362ba1f30121e189607069b0fa1f78a28b8baa139d7708d37377dad089d171bdd9f11b83ff17a4077e7bf7e1a2589383
SSDEEP

6144:8pctq7HVo8zQSfzIHmherAqH3qG+CAA3YNufb17JGn:8pgw1oRaEiIRH3jXp3YchFM

Score

10^/10

modiloader evasion persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

e7dbd88d9418bbca96ec30cbbcbea00d4bfb8167aa5aea89238bc02515c1c37d.exe

Resource

win7-20221111-en

modiloader evasion persistence trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

e7dbd88d9418bbca96ec30cbbcbea00d4bfb8167aa5aea89238bc02515c1c37d.exe

Resource

win10v2004-20221111-en

modiloader evasion persistence trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  e7dbd88d9418bbca96ec30cbbcbea00d4bfb8167aa5aea89238bc02515c1c37d
- Size
  
  369KB
- MD5
  
  c95c9df728cd99404baab9f421f85a1c
- SHA1
  
  92503a94d7581579cffcc18646477d448a8069a6
- SHA256
  
  e7dbd88d9418bbca96ec30cbbcbea00d4bfb8167aa5aea89238bc02515c1c37d
- SHA512
  
  6e8777c8a70622931e3762d98fdd0d98362ba1f30121e189607069b0fa1f78a28b8baa139d7708d37377dad089d171bdd9f11b83ff17a4077e7bf7e1a2589383
- SSDEEP
  
  6144:8pctq7HVo8zQSfzIHmherAqH3qG+CAA3YNufb17JGn:8pgw1oRaEiIRH3jXp3YchFM
Score

10^/10

modiloader evasion persistence trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Looks for VirtualBox Guest Additions in registry
  evasion
- ModiLoader Second Stage
- Adds policy Run key to start application
  persistence
- Disables use of System Restore points
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

modiloaderevasionpersistencetrojan

behavioral2

modiloaderevasionpersistencetrojan

© 2018-2024

Terms | Privacy