modiloader | f27a8d540cbeed2777c6fb0037ada80af9ec35fd984c8f9ee339851495294c72 | Triage

Submit
Reports

Overview

overview

Static

static

f27a8d540c...72.exe

windows7-x64

f27a8d540c...72.exe

windows10-2004-x64

Sharing

General

Target

f27a8d540cbeed2777c6fb0037ada80af9ec35fd984c8f9ee339851495294c72
Size

441KB
Sample

221126-y2zw1seh5v
MD5

13a63279006c3932aeaf7f637cd3d470
SHA1

4b5f5b00ea6151be1159bdf1361db9f4daac2f71
SHA256

f27a8d540cbeed2777c6fb0037ada80af9ec35fd984c8f9ee339851495294c72
SHA512

b596ef9356dfcadf3c73ab739846070789e16a543ea746a860398ca3e172e63b7b66897f1991b5e103faec56587057b470492b642adcfeb8a2c05eb8c8b4a7bf
SSDEEP

12288:yixPCbySuTiNNwHDR+oO0c6R7rQrCHEBVQy15m:VSQiz/oO50rmCkPm

Score

10^/10

modiloader evasion persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

f27a8d540cbeed2777c6fb0037ada80af9ec35fd984c8f9ee339851495294c72.exe

Resource

win7-20221111-en

modiloader evasion persistence trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

f27a8d540cbeed2777c6fb0037ada80af9ec35fd984c8f9ee339851495294c72.exe

Resource

win10v2004-20220812-en

modiloader evasion persistence trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  f27a8d540cbeed2777c6fb0037ada80af9ec35fd984c8f9ee339851495294c72
- Size
  
  441KB
- MD5
  
  13a63279006c3932aeaf7f637cd3d470
- SHA1
  
  4b5f5b00ea6151be1159bdf1361db9f4daac2f71
- SHA256
  
  f27a8d540cbeed2777c6fb0037ada80af9ec35fd984c8f9ee339851495294c72
- SHA512
  
  b596ef9356dfcadf3c73ab739846070789e16a543ea746a860398ca3e172e63b7b66897f1991b5e103faec56587057b470492b642adcfeb8a2c05eb8c8b4a7bf
- SSDEEP
  
  12288:yixPCbySuTiNNwHDR+oO0c6R7rQrCHEBVQy15m:VSQiz/oO50rmCkPm
Score

10^/10

modiloader evasion persistence trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- ModiLoader Second Stage
- Adds policy Run key to start application
  persistence
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Software Discovery

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

modiloaderevasionpersistencetrojan

behavioral2

modiloaderevasionpersistencetrojan

© 2018-2024

Terms | Privacy