modiloader | 627709624a61471f42b8856d7d2b35e116efa6cc00c3415b72ca7dbc8de64f22 | Triage

Submit
Reports

Overview

overview

Static

static

627709624a...22.exe

windows7-x64

627709624a...22.exe

windows10-2004-x64

Sharing

General

Target

627709624a61471f42b8856d7d2b35e116efa6cc00c3415b72ca7dbc8de64f22
Size

121KB
Sample

221128-cv5b9scf7w
MD5

22f898d4a880f2e284bef5f183a05aa2
SHA1

e65b0ba02e551a43f7f1377c6cb12695e6170752
SHA256

627709624a61471f42b8856d7d2b35e116efa6cc00c3415b72ca7dbc8de64f22
SHA512

c6f12c7c15cc7d11729a643012436463be43af30dbcf2de7cbe201d01e53e84831422909c82e77cdd384d609685401e427c6d55bddaa582f4c453bcad8299e48
SSDEEP

3072:yJJ2ql3+A5+JBJA0U4zZaEY2cVq9ftIwRoGnc1MdfX:yJJ2qJvw6TEY2cVkNyj4X

Score

10^/10

modiloader evasion persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

627709624a61471f42b8856d7d2b35e116efa6cc00c3415b72ca7dbc8de64f22.exe

Resource

win7-20221111-en

modiloader evasion persistence trojan

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

627709624a61471f42b8856d7d2b35e116efa6cc00c3415b72ca7dbc8de64f22.exe

Resource

win10v2004-20220812-en

modiloader evasion persistence trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  627709624a61471f42b8856d7d2b35e116efa6cc00c3415b72ca7dbc8de64f22
- Size
  
  121KB
- MD5
  
  22f898d4a880f2e284bef5f183a05aa2
- SHA1
  
  e65b0ba02e551a43f7f1377c6cb12695e6170752
- SHA256
  
  627709624a61471f42b8856d7d2b35e116efa6cc00c3415b72ca7dbc8de64f22
- SHA512
  
  c6f12c7c15cc7d11729a643012436463be43af30dbcf2de7cbe201d01e53e84831422909c82e77cdd384d609685401e427c6d55bddaa582f4c453bcad8299e48
- SSDEEP
  
  3072:yJJ2ql3+A5+JBJA0U4zZaEY2cVq9ftIwRoGnc1MdfX:yJJ2qJvw6TEY2cVkNyj4X
Score

10^/10

modiloader evasion persistence trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modifies WinLogon for persistence
  persistence
- Looks for VirtualBox Guest Additions in registry
  evasion
- ModiLoader Second Stage
- Adds policy Run key to start application
  persistence
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

modiloaderevasionpersistencetrojan

behavioral2

modiloaderevasionpersistencetrojan

© 2018-2024

Terms | Privacy