modiloader | 06ad3bff2017387a668519a3dbdbb2ede4718ff82986f8d91ed031339734ed4f | Triage

Submit
Reports

Overview

overview

Static

static

06ad3bff20...4f.exe

windows7-x64

06ad3bff20...4f.exe

windows10-2004-x64

Sharing

General

Target

06ad3bff2017387a668519a3dbdbb2ede4718ff82986f8d91ed031339734ed4f
Size

262KB
Sample

221126-ascs5acf7x
MD5

a9d003bcc478b51e5b644562504de9ef
SHA1

62d24db8ad0ea52c2337acf819c4c17fdd7fbf84
SHA256

06ad3bff2017387a668519a3dbdbb2ede4718ff82986f8d91ed031339734ed4f
SHA512

a388087df523e32c177d75481be4325f52070b7492ab7bfe15bab940aba1ed8895fd432c4030bee9a8c53bc9f934d4e8f7e142088b60b6cb9005f026969edef1
SSDEEP

6144:ir8o7hD/eIMPs4PR6yLyCl+WixU3UcKO5q:+1D/LJukyLyI+wKx

Score

10^/10

modiloader evasion persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

06ad3bff2017387a668519a3dbdbb2ede4718ff82986f8d91ed031339734ed4f.exe

Resource

win7-20220812-en

modiloader evasion persistence trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

06ad3bff2017387a668519a3dbdbb2ede4718ff82986f8d91ed031339734ed4f.exe

Resource

win10v2004-20221111-en

modiloader evasion persistence trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  06ad3bff2017387a668519a3dbdbb2ede4718ff82986f8d91ed031339734ed4f
- Size
  
  262KB
- MD5
  
  a9d003bcc478b51e5b644562504de9ef
- SHA1
  
  62d24db8ad0ea52c2337acf819c4c17fdd7fbf84
- SHA256
  
  06ad3bff2017387a668519a3dbdbb2ede4718ff82986f8d91ed031339734ed4f
- SHA512
  
  a388087df523e32c177d75481be4325f52070b7492ab7bfe15bab940aba1ed8895fd432c4030bee9a8c53bc9f934d4e8f7e142088b60b6cb9005f026969edef1
- SSDEEP
  
  6144:ir8o7hD/eIMPs4PR6yLyCl+WixU3UcKO5q:+1D/LJukyLyI+wKx
Score

10^/10

modiloader evasion persistence trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Looks for VirtualBox Guest Additions in registry
  evasion
- ModiLoader Second Stage
- Adds policy Run key to start application
  persistence
- Disables use of System Restore points
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

modiloaderevasionpersistencetrojan

behavioral2

modiloaderevasionpersistencetrojan

© 2018-2024

Terms | Privacy