modiloader | 8862575941918714c1fdf28bee9c6ffd23d00746b1982d1f2d60ad76dceda4ac | Triage

Submit
Reports

Overview

overview

Static

static

8862575941...ac.exe

windows7-x64

8862575941...ac.exe

windows10-2004-x64

Sharing

General

Target

8862575941918714c1fdf28bee9c6ffd23d00746b1982d1f2d60ad76dceda4ac
Size

367KB
Sample

221127-bvtp4adh5x
MD5

be18c769b074b6c33024bacf89b00545
SHA1

3542792f1ceea460c1a152e7d8d2bb98339e49bf
SHA256

8862575941918714c1fdf28bee9c6ffd23d00746b1982d1f2d60ad76dceda4ac
SHA512

5d1f11337e734c75428751dd527f9896561e1043975e0a8c4e23f1b6cee2b056bbadd7dfa3a7af76793023055d2bce14050dfa69f7a94705d89be12c7562c651
SSDEEP

6144:V8CiJn+2dlueiAg4mvZl+i0bsvQYzNtzvMOZ31jppIELz3JgtCJuigau:bi9+2jjRyl+u5znz0e31jbI0JgIo

Score

10^/10

modiloader evasion persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

8862575941918714c1fdf28bee9c6ffd23d00746b1982d1f2d60ad76dceda4ac.exe

Resource

win7-20221111-en

modiloader evasion persistence trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

8862575941918714c1fdf28bee9c6ffd23d00746b1982d1f2d60ad76dceda4ac.exe

Resource

win10v2004-20220812-en

modiloader evasion persistence trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  8862575941918714c1fdf28bee9c6ffd23d00746b1982d1f2d60ad76dceda4ac
- Size
  
  367KB
- MD5
  
  be18c769b074b6c33024bacf89b00545
- SHA1
  
  3542792f1ceea460c1a152e7d8d2bb98339e49bf
- SHA256
  
  8862575941918714c1fdf28bee9c6ffd23d00746b1982d1f2d60ad76dceda4ac
- SHA512
  
  5d1f11337e734c75428751dd527f9896561e1043975e0a8c4e23f1b6cee2b056bbadd7dfa3a7af76793023055d2bce14050dfa69f7a94705d89be12c7562c651
- SSDEEP
  
  6144:V8CiJn+2dlueiAg4mvZl+i0bsvQYzNtzvMOZ31jppIELz3JgtCJuigau:bi9+2jjRyl+u5znz0e31jbI0JgIo
Score

10^/10

modiloader evasion persistence trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- ModiLoader Second Stage
- Adds policy Run key to start application
  persistence
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Modify Registry

Credential Access

Discovery

Software Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

modiloaderevasionpersistencetrojan

behavioral2

modiloaderevasionpersistencetrojan

© 2018-2024

Terms | Privacy