modiloader | 11fa8c214c7040031c82ca98b6c6c2da7286d5179443a11fc469cd8c4581a5e3 | Triage

Submit
Reports

Overview

overview

Static

static

11fa8c214c...e3.exe

windows7-x64

11fa8c214c...e3.exe

windows10-2004-x64

Sharing

General

Target

11fa8c214c7040031c82ca98b6c6c2da7286d5179443a11fc469cd8c4581a5e3
Size

262KB
Sample

221126-ap3kdahd57
MD5

c0dc5f2788fd095f1a6b3a059ef14e6b
SHA1

eaa429ee7b7d5caca8f824882e5d8e1c952dfd5a
SHA256

11fa8c214c7040031c82ca98b6c6c2da7286d5179443a11fc469cd8c4581a5e3
SHA512

3e03358418cc8a423c4e9d81fbd9d6ba377e5b18067b76d0e713ae9769b525cd60e10d7f4003415c7c1ee0f3e22dc433392b02bb7d62d9cf0cbc44f1ab09ac69
SSDEEP

6144:FnG58+jlN3XfqPUHdpLQ5ohF+HhzVTk2Fvbm7zOtO4gpLn3:FA8+jXnwUH/Qomhp0qU4g1

Score

10^/10

modiloader evasion persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

11fa8c214c7040031c82ca98b6c6c2da7286d5179443a11fc469cd8c4581a5e3.exe

Resource

win7-20220812-en

modiloader evasion persistence trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

11fa8c214c7040031c82ca98b6c6c2da7286d5179443a11fc469cd8c4581a5e3.exe

Resource

win10v2004-20220812-en

modiloader evasion persistence trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  11fa8c214c7040031c82ca98b6c6c2da7286d5179443a11fc469cd8c4581a5e3
- Size
  
  262KB
- MD5
  
  c0dc5f2788fd095f1a6b3a059ef14e6b
- SHA1
  
  eaa429ee7b7d5caca8f824882e5d8e1c952dfd5a
- SHA256
  
  11fa8c214c7040031c82ca98b6c6c2da7286d5179443a11fc469cd8c4581a5e3
- SHA512
  
  3e03358418cc8a423c4e9d81fbd9d6ba377e5b18067b76d0e713ae9769b525cd60e10d7f4003415c7c1ee0f3e22dc433392b02bb7d62d9cf0cbc44f1ab09ac69
- SSDEEP
  
  6144:FnG58+jlN3XfqPUHdpLQ5ohF+HhzVTk2Fvbm7zOtO4gpLn3:FA8+jXnwUH/Qomhp0qU4g1
Score

10^/10

modiloader evasion persistence trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Looks for VirtualBox Guest Additions in registry
  evasion
- ModiLoader Second Stage
- Adds policy Run key to start application
  persistence
- Disables use of System Restore points
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

modiloaderevasionpersistencetrojan

behavioral2

modiloaderevasionpersistencetrojan

© 2018-2024

Terms | Privacy