modiloader | 9b2e5ec8736feba443110a25070c4067834adbb8c5a0ec671c17da6847ddf9bd

Analysis

max time kernel
44s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 17:41

Target

9b2e5ec8736feba443110a25070c4067834adbb8c5a0ec671c17da6847ddf9bd.exe
Size

152KB
MD5

e63a875caa7b47511cb52a5371c6aa43
SHA1

6449af87ee80d02f629dc011cd83adbd4c48fc95
SHA256

9b2e5ec8736feba443110a25070c4067834adbb8c5a0ec671c17da6847ddf9bd
SHA512

27ba7a9685c591862fad016a2a52c9b06415feafbea66bac8799168dd2f82a8da5183f48f5839aa67ffc6f9e3f483867f80a64a6af13a3eb0b9d20459954a726
SSDEEP

3072:eLCnfucgnOOS2oKISOm7cn+egnbexRew6JiP0:e3nO6Os7cn+Pqqis

Score

10^/10

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2028-55-0x0000000000010000-0x0000000000037000-memory.dmp	modiloader_stage2
behavioral1/memory/2028-57-0x0000000000010000-0x0000000000037000-memory.dmp	modiloader_stage2
behavioral1/memory/2012-59-0x0000000000010000-0x0000000000037000-memory.dmp	modiloader_stage2

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral1/memory/2028-55-0x0000000000010000-0x0000000000037000-memory.dmp	upx
behavioral1/memory/2028-57-0x0000000000010000-0x0000000000037000-memory.dmp	upx
behavioral1/memory/2012-59-0x0000000000010000-0x0000000000037000-memory.dmp	upx

Suspicious behavior: RenamesItself 2 IoCs

Processes:

9b2e5ec8736feba443110a25070c4067834adbb8c5a0ec671c17da6847ddf9bd.exeapocalyps32.exe

pid process

2028 9b2e5ec8736feba443110a25070c4067834adbb8c5a0ec671c17da6847ddf9bd.exe
2012 apocalyps32.exe

pid	process
2028	9b2e5ec8736feba443110a25070c4067834adbb8c5a0ec671c17da6847ddf9bd.exe
2012	apocalyps32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9b2e5ec8736feba443110a25070c4067834adbb8c5a0ec671c17da6847ddf9bd.exeapocalyps32.exe

description	pid	process	target process
PID 2028 wrote to memory of 2012	2028	9b2e5ec8736feba443110a25070c4067834adbb8c5a0ec671c17da6847ddf9bd.exe	apocalyps32.exe
PID 2028 wrote to memory of 2012	2028	9b2e5ec8736feba443110a25070c4067834adbb8c5a0ec671c17da6847ddf9bd.exe	apocalyps32.exe
PID 2028 wrote to memory of 2012	2028	9b2e5ec8736feba443110a25070c4067834adbb8c5a0ec671c17da6847ddf9bd.exe	apocalyps32.exe
PID 2028 wrote to memory of 2012	2028	9b2e5ec8736feba443110a25070c4067834adbb8c5a0ec671c17da6847ddf9bd.exe	apocalyps32.exe
PID 2012 wrote to memory of 1620	2012	apocalyps32.exe	iexplore.exe
PID 2012 wrote to memory of 1620	2012	apocalyps32.exe	iexplore.exe
PID 2012 wrote to memory of 1620	2012	apocalyps32.exe	iexplore.exe
PID 2012 wrote to memory of 1620	2012	apocalyps32.exe	iexplore.exe

memory/2012-56-0x0000000000000000-mapping.dmp

Download
memory/2012-59-0x0000000000010000-0x0000000000037000-memory.dmp

Filesize
156KB

Download
memory/2028-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/2028-55-0x0000000000010000-0x0000000000037000-memory.dmp

Filesize
156KB

Download
memory/2028-57-0x0000000000010000-0x0000000000037000-memory.dmp

Filesize
156KB

Download