modiloader | 814f2497c7a514aa10050928e740deb2b7d167579115332815586dba525ec01b

General

Target

814f2497c7a514aa10050928e740deb2b7d167579115332815586dba525ec01b.exe
Size

713KB
MD5

f5b1d8b16a3230c5eae40dcf62408361
SHA1

2ee879314a8fa9336ecf4ac99a026f69730d8fdb
SHA256

814f2497c7a514aa10050928e740deb2b7d167579115332815586dba525ec01b
SHA512

54c19a7636479bdb00d903733d3763103c20ad8b214d69e5c6772f4b25416170617d9206a6c07e7b19aa7d6724a79adef567e95713e5f13c8dfd0bba1e72f7d0
SSDEEP

12288:cc//////v200rxnmYWIzFtcxJOYUrh5mqiPgnC47kDETabEb/QWr:cc//////v2Vdm8zQxFUrh5mqiPgnCCkk

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1080-56-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2
behavioral1/memory/1080-57-0x0000000000499790-mapping.dmp	modiloader_stage2
behavioral1/memory/1080-58-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2
behavioral1/memory/1080-60-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2
behavioral1/memory/1080-61-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2
behavioral1/memory/1080-66-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2

Suspicious use of SetThreadContext 2 IoCs

Processes:

814f2497c7a514aa10050928e740deb2b7d167579115332815586dba525ec01b.exe814f2497c7a514aa10050928e740deb2b7d167579115332815586dba525ec01b.exe

description	pid	process	target process
PID 2016 set thread context of 1080	2016	814f2497c7a514aa10050928e740deb2b7d167579115332815586dba525ec01b.exe	814f2497c7a514aa10050928e740deb2b7d167579115332815586dba525ec01b.exe
PID 1080 set thread context of 1880	1080	814f2497c7a514aa10050928e740deb2b7d167579115332815586dba525ec01b.exe	mstsc.exe

Drops file in Program Files directory 1 IoCs

Processes:

814f2497c7a514aa10050928e740deb2b7d167579115332815586dba525ec01b.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupWay.txt	814f2497c7a514aa10050928e740deb2b7d167579115332815586dba525ec01b.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

814f2497c7a514aa10050928e740deb2b7d167579115332815586dba525ec01b.exe814f2497c7a514aa10050928e740deb2b7d167579115332815586dba525ec01b.exe

description	pid	process	target process
PID 2016 wrote to memory of 1080	2016	814f2497c7a514aa10050928e740deb2b7d167579115332815586dba525ec01b.exe	814f2497c7a514aa10050928e740deb2b7d167579115332815586dba525ec01b.exe
PID 2016 wrote to memory of 1080	2016	814f2497c7a514aa10050928e740deb2b7d167579115332815586dba525ec01b.exe	814f2497c7a514aa10050928e740deb2b7d167579115332815586dba525ec01b.exe
PID 2016 wrote to memory of 1080	2016	814f2497c7a514aa10050928e740deb2b7d167579115332815586dba525ec01b.exe	814f2497c7a514aa10050928e740deb2b7d167579115332815586dba525ec01b.exe
PID 2016 wrote to memory of 1080	2016	814f2497c7a514aa10050928e740deb2b7d167579115332815586dba525ec01b.exe	814f2497c7a514aa10050928e740deb2b7d167579115332815586dba525ec01b.exe
PID 2016 wrote to memory of 1080	2016	814f2497c7a514aa10050928e740deb2b7d167579115332815586dba525ec01b.exe	814f2497c7a514aa10050928e740deb2b7d167579115332815586dba525ec01b.exe
PID 2016 wrote to memory of 1080	2016	814f2497c7a514aa10050928e740deb2b7d167579115332815586dba525ec01b.exe	814f2497c7a514aa10050928e740deb2b7d167579115332815586dba525ec01b.exe
PID 1080 wrote to memory of 1880	1080	814f2497c7a514aa10050928e740deb2b7d167579115332815586dba525ec01b.exe	mstsc.exe
PID 1080 wrote to memory of 1880	1080	814f2497c7a514aa10050928e740deb2b7d167579115332815586dba525ec01b.exe	mstsc.exe
PID 1080 wrote to memory of 1880	1080	814f2497c7a514aa10050928e740deb2b7d167579115332815586dba525ec01b.exe	mstsc.exe
PID 1080 wrote to memory of 1880	1080	814f2497c7a514aa10050928e740deb2b7d167579115332815586dba525ec01b.exe	mstsc.exe
PID 1080 wrote to memory of 1880	1080	814f2497c7a514aa10050928e740deb2b7d167579115332815586dba525ec01b.exe	mstsc.exe
PID 1080 wrote to memory of 1880	1080	814f2497c7a514aa10050928e740deb2b7d167579115332815586dba525ec01b.exe	mstsc.exe

C:\Users\Admin\AppData\Local\Temp\814f2497c7a514aa10050928e740deb2b7d167579115332815586dba525ec01b.exe
"C:\Users\Admin\AppData\Local\Temp\814f2497c7a514aa10050928e740deb2b7d167579115332815586dba525ec01b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\814f2497c7a514aa10050928e740deb2b7d167579115332815586dba525ec01b.exe
C:\Users\Admin\AppData\Local\Temp\814f2497c7a514aa10050928e740deb2b7d167579115332815586dba525ec01b.exe
2⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\system32\mstsc.exe"
3⤵
PID:1880

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1080-54-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1080-56-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1080-57-0x0000000000499790-mapping.dmp

Download
memory/1080-58-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1080-59-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/1080-60-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1080-61-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1080-66-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1880-62-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1880-64-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1880-65-0x0000000000404E60-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads