modiloader | 27c990c2ee6c6957d5c786f689550b4de9c347bbd0199ce912fc3690840dbb2a | Triage

Submit
Reports

Overview

overview

Static

static

27c990c2ee...2a.exe

windows7-x64

27c990c2ee...2a.exe

windows10-2004-x64

Sharing

General

Target

27c990c2ee6c6957d5c786f689550b4de9c347bbd0199ce912fc3690840dbb2a
Size

719KB
Sample

221128-chal5abf81
MD5

464ca089eccd83089522c185e91ac684
SHA1

fdb713bc5374e827cde829fc7e1b668b331a0f71
SHA256

27c990c2ee6c6957d5c786f689550b4de9c347bbd0199ce912fc3690840dbb2a
SHA512

464d34be801692530ffac2c3af1f9e029fe711bf63352fe9a6d3472b5d8ff57417178397230b29f7f8cbcb993fdaa9d35c28235ce4e314427b2917cf990e88fb
SSDEEP

12288:6XgPVmsO7H+JeYkZQors8sEyMGXxe2lX4EEPSwDfAmgBJbf8AwnBrRm8dZ/X:AoZ3J78GTX4bEmCb+rRvZ/X

Score

10^/10

modiloader bootkit evasion persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

27c990c2ee6c6957d5c786f689550b4de9c347bbd0199ce912fc3690840dbb2a.exe

Resource

win7-20220901-en

modiloader bootkit evasion persistence trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

27c990c2ee6c6957d5c786f689550b4de9c347bbd0199ce912fc3690840dbb2a.exe

Resource

win10v2004-20220812-en

modiloader bootkit persistence trojan

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Targets

- Target
  
  27c990c2ee6c6957d5c786f689550b4de9c347bbd0199ce912fc3690840dbb2a
- Size
  
  719KB
- MD5
  
  464ca089eccd83089522c185e91ac684
- SHA1
  
  fdb713bc5374e827cde829fc7e1b668b331a0f71
- SHA256
  
  27c990c2ee6c6957d5c786f689550b4de9c347bbd0199ce912fc3690840dbb2a
- SHA512
  
  464d34be801692530ffac2c3af1f9e029fe711bf63352fe9a6d3472b5d8ff57417178397230b29f7f8cbcb993fdaa9d35c28235ce4e314427b2917cf990e88fb
- SSDEEP
  
  12288:6XgPVmsO7H+JeYkZQors8sEyMGXxe2lX4EEPSwDfAmgBJbf8AwnBrRm8dZ/X:AoZ3J78GTX4bEmCb+rRvZ/X
Score

10^/10

modiloader bootkit evasion persistence trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modifies visiblity of hidden/system files in Explorer
  evasion
- ModiLoader Second Stage
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

Bootkit

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

Process Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

modiloaderbootkitevasionpersistencetrojan

behavioral2

modiloaderbootkitpersistencetrojan

© 2018-2024

Terms | Privacy