modiloader | 80a90fe9b85528f18939cdf26f5bc511547bb5fcecf533bdcbe050d6ebbfb03f

General

Target

80a90fe9b85528f18939cdf26f5bc511547bb5fcecf533bdcbe050d6ebbfb03f.exe
Size

1.3MB
MD5

3ac7016163826d663ca503d5cf0c8c1c
SHA1

e456722238c1aba734f54ed1ac5fd2232ffb1984
SHA256

80a90fe9b85528f18939cdf26f5bc511547bb5fcecf533bdcbe050d6ebbfb03f
SHA512

51350f49f7eea73787e9166973cf7a926be2642e23ad26f137e42207da46485aeeff3f6b4c4f867f0cc9fd3b42ad61c0230f960bc6fcd24edccfcef4e54edb5f
SSDEEP

24576:/2c//////2TtYBXGGRyVgZnetZ4RMPw+ntcDzI+t01WF/L5:ec//////Ae5G6yVgZetEmJtcotsD

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2728-133-0x0000000000400000-0x0000000000506000-memory.dmp	modiloader_stage2
behavioral2/memory/2728-134-0x0000000000400000-0x0000000000506000-memory.dmp	modiloader_stage2
behavioral2/memory/2728-135-0x0000000000400000-0x0000000000506000-memory.dmp	modiloader_stage2
behavioral2/memory/2728-136-0x0000000000400000-0x0000000000506000-memory.dmp	modiloader_stage2
behavioral2/memory/2728-137-0x0000000000400000-0x0000000000506000-memory.dmp	modiloader_stage2
behavioral2/memory/2728-138-0x0000000000400000-0x0000000000506000-memory.dmp	modiloader_stage2
behavioral2/memory/4972-147-0x0000000000400000-0x0000000000506000-memory.dmp	modiloader_stage2
behavioral2/memory/4972-148-0x0000000000400000-0x0000000000506000-memory.dmp	modiloader_stage2
behavioral2/memory/2728-149-0x0000000000400000-0x0000000000506000-memory.dmp	modiloader_stage2
behavioral2/memory/4972-150-0x0000000000400000-0x0000000000506000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

Processes:

Safari.exeSafari.exe

pid process

4436 Safari.exe
4972 Safari.exe

pid	process
4436	Safari.exe
4972	Safari.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

80a90fe9b85528f18939cdf26f5bc511547bb5fcecf533bdcbe050d6ebbfb03f.exeSafari.exe

description	pid	process	target process
PID 4532 set thread context of 2728	4532	80a90fe9b85528f18939cdf26f5bc511547bb5fcecf533bdcbe050d6ebbfb03f.exe	80a90fe9b85528f18939cdf26f5bc511547bb5fcecf533bdcbe050d6ebbfb03f.exe
PID 4436 set thread context of 4972	4436	Safari.exe	Safari.exe

Drops file in Program Files directory 2 IoCs

Processes:

80a90fe9b85528f18939cdf26f5bc511547bb5fcecf533bdcbe050d6ebbfb03f.exe

description	ioc	process
File created	C:\PROGRA~1\Safari.exe	80a90fe9b85528f18939cdf26f5bc511547bb5fcecf533bdcbe050d6ebbfb03f.exe
File opened for modification	C:\PROGRA~1\Safari.exe	80a90fe9b85528f18939cdf26f5bc511547bb5fcecf533bdcbe050d6ebbfb03f.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

80a90fe9b85528f18939cdf26f5bc511547bb5fcecf533bdcbe050d6ebbfb03f.exe80a90fe9b85528f18939cdf26f5bc511547bb5fcecf533bdcbe050d6ebbfb03f.exeSafari.exe

description	pid	process	target process
PID 4532 wrote to memory of 2728	4532	80a90fe9b85528f18939cdf26f5bc511547bb5fcecf533bdcbe050d6ebbfb03f.exe	80a90fe9b85528f18939cdf26f5bc511547bb5fcecf533bdcbe050d6ebbfb03f.exe
PID 4532 wrote to memory of 2728	4532	80a90fe9b85528f18939cdf26f5bc511547bb5fcecf533bdcbe050d6ebbfb03f.exe	80a90fe9b85528f18939cdf26f5bc511547bb5fcecf533bdcbe050d6ebbfb03f.exe
PID 4532 wrote to memory of 2728	4532	80a90fe9b85528f18939cdf26f5bc511547bb5fcecf533bdcbe050d6ebbfb03f.exe	80a90fe9b85528f18939cdf26f5bc511547bb5fcecf533bdcbe050d6ebbfb03f.exe
PID 4532 wrote to memory of 2728	4532	80a90fe9b85528f18939cdf26f5bc511547bb5fcecf533bdcbe050d6ebbfb03f.exe	80a90fe9b85528f18939cdf26f5bc511547bb5fcecf533bdcbe050d6ebbfb03f.exe
PID 4532 wrote to memory of 2728	4532	80a90fe9b85528f18939cdf26f5bc511547bb5fcecf533bdcbe050d6ebbfb03f.exe	80a90fe9b85528f18939cdf26f5bc511547bb5fcecf533bdcbe050d6ebbfb03f.exe
PID 2728 wrote to memory of 4436	2728	80a90fe9b85528f18939cdf26f5bc511547bb5fcecf533bdcbe050d6ebbfb03f.exe	Safari.exe
PID 2728 wrote to memory of 4436	2728	80a90fe9b85528f18939cdf26f5bc511547bb5fcecf533bdcbe050d6ebbfb03f.exe	Safari.exe
PID 2728 wrote to memory of 4436	2728	80a90fe9b85528f18939cdf26f5bc511547bb5fcecf533bdcbe050d6ebbfb03f.exe	Safari.exe
PID 4436 wrote to memory of 4972	4436	Safari.exe	Safari.exe
PID 4436 wrote to memory of 4972	4436	Safari.exe	Safari.exe
PID 4436 wrote to memory of 4972	4436	Safari.exe	Safari.exe
PID 4436 wrote to memory of 4972	4436	Safari.exe	Safari.exe
PID 4436 wrote to memory of 4972	4436	Safari.exe	Safari.exe

C:\Users\Admin\AppData\Local\Temp\80a90fe9b85528f18939cdf26f5bc511547bb5fcecf533bdcbe050d6ebbfb03f.exe
"C:\Users\Admin\AppData\Local\Temp\80a90fe9b85528f18939cdf26f5bc511547bb5fcecf533bdcbe050d6ebbfb03f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4532

C:\Users\Admin\AppData\Local\Temp\80a90fe9b85528f18939cdf26f5bc511547bb5fcecf533bdcbe050d6ebbfb03f.exe
C:\Users\Admin\AppData\Local\Temp\80a90fe9b85528f18939cdf26f5bc511547bb5fcecf533bdcbe050d6ebbfb03f.exe
2⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2728

C:\PROGRA~1\Safari.exe
C:\PROGRA~1\Safari.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4436

C:\PROGRA~1\Safari.exe
C:\PROGRA~1\Safari.exe
4⤵
- Executes dropped EXE
PID:4972

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\Safari.exe
Filesize
1.3MB

MD5
3ac7016163826d663ca503d5cf0c8c1c

SHA1
e456722238c1aba734f54ed1ac5fd2232ffb1984

SHA256
80a90fe9b85528f18939cdf26f5bc511547bb5fcecf533bdcbe050d6ebbfb03f

SHA512
51350f49f7eea73787e9166973cf7a926be2642e23ad26f137e42207da46485aeeff3f6b4c4f867f0cc9fd3b42ad61c0230f960bc6fcd24edccfcef4e54edb5f

Download Submit
C:\Program Files\Safari.exe
Filesize
1.3MB

MD5
3ac7016163826d663ca503d5cf0c8c1c

SHA1
e456722238c1aba734f54ed1ac5fd2232ffb1984

SHA256
80a90fe9b85528f18939cdf26f5bc511547bb5fcecf533bdcbe050d6ebbfb03f

SHA512
51350f49f7eea73787e9166973cf7a926be2642e23ad26f137e42207da46485aeeff3f6b4c4f867f0cc9fd3b42ad61c0230f960bc6fcd24edccfcef4e54edb5f

Download Submit
C:\Program Files\Safari.exe
Filesize
1.3MB

MD5
3ac7016163826d663ca503d5cf0c8c1c

SHA1
e456722238c1aba734f54ed1ac5fd2232ffb1984

SHA256
80a90fe9b85528f18939cdf26f5bc511547bb5fcecf533bdcbe050d6ebbfb03f

SHA512
51350f49f7eea73787e9166973cf7a926be2642e23ad26f137e42207da46485aeeff3f6b4c4f867f0cc9fd3b42ad61c0230f960bc6fcd24edccfcef4e54edb5f

Download Submit
memory/2728-133-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2728-134-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2728-135-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2728-136-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2728-137-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2728-138-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2728-132-0x0000000000000000-mapping.dmp

Download
memory/2728-149-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/4436-139-0x0000000000000000-mapping.dmp

Download
memory/4972-147-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/4972-148-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/4972-142-0x0000000000000000-mapping.dmp

Download
memory/4972-150-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads