modiloader | db7a94ad447367b7fe433e96a695e28f673732b085661e386ce064165e5f5542

General

Target

db7a94ad447367b7fe433e96a695e28f673732b085661e386ce064165e5f5542.exe
Size

392KB
MD5

af2128552eabd4babb6a1c62009b37ae
SHA1

d76b5565dd06a9311da0341b24b2727b99fbf90b
SHA256

db7a94ad447367b7fe433e96a695e28f673732b085661e386ce064165e5f5542
SHA512

77d62dd522080df9494603be6b185809c971075defc424ace5a15cc3afacd02496d88201a63331336fa64a208b4b5e937c5fe38e49a02602ab9d45ccd82b80c5
SSDEEP

6144:/+cdsMVwuY52sBtk7o/8RLzhcc1TBMmUtVmfjaROH0iva2ta6P96AF48kx71qwxM:c2akcQRh17UtQfmExaYHPg4QxpxM

Score

10^/10

modiloader aspackv2 trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\pzpB6A3.tmp	modiloader_stage2
\Users\Admin\AppData\Local\Temp\pzpB6A3.tmp	modiloader_stage2
C:\Users\Admin\AppData\Local\Temp\pzpB6A3.tmp	modiloader_stage2
C:\Users\Admin\AppData\Local\Temp\pzpB6A3.tmp	modiloader_stage2

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\pzpB6A3.tmp	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\pzpB6A3.tmp	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\pzpB6A3.tmp	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\pzpB6A3.tmp	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

pzpB6A3.tmp

pid process

1272 pzpB6A3.tmp

pid	process
1272	pzpB6A3.tmp

Loads dropped DLL 2 IoCs

Processes:

db7a94ad447367b7fe433e96a695e28f673732b085661e386ce064165e5f5542.exe

pid	process
1740	db7a94ad447367b7fe433e96a695e28f673732b085661e386ce064165e5f5542.exe
1740	db7a94ad447367b7fe433e96a695e28f673732b085661e386ce064165e5f5542.exe

Drops file in Program Files directory 1 IoCs

Processes:

pzpB6A3.tmp

description ioc process

File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupWay.txt pzpB6A3.tmp
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

db7a94ad447367b7fe433e96a695e28f673732b085661e386ce064165e5f5542.exe

pid process

1740 db7a94ad447367b7fe433e96a695e28f673732b085661e386ce064165e5f5542.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupWay.txt	pzpB6A3.tmp

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

db7a94ad447367b7fe433e96a695e28f673732b085661e386ce064165e5f5542.exepzpB6A3.tmp

description	pid	process	target process
PID 1740 wrote to memory of 1272	1740	db7a94ad447367b7fe433e96a695e28f673732b085661e386ce064165e5f5542.exe	pzpB6A3.tmp
PID 1740 wrote to memory of 1272	1740	db7a94ad447367b7fe433e96a695e28f673732b085661e386ce064165e5f5542.exe	pzpB6A3.tmp
PID 1740 wrote to memory of 1272	1740	db7a94ad447367b7fe433e96a695e28f673732b085661e386ce064165e5f5542.exe	pzpB6A3.tmp
PID 1740 wrote to memory of 1272	1740	db7a94ad447367b7fe433e96a695e28f673732b085661e386ce064165e5f5542.exe	pzpB6A3.tmp
PID 1272 wrote to memory of 524	1272	pzpB6A3.tmp	IEXPLORE.EXE
PID 1272 wrote to memory of 524	1272	pzpB6A3.tmp	IEXPLORE.EXE
PID 1272 wrote to memory of 524	1272	pzpB6A3.tmp	IEXPLORE.EXE
PID 1272 wrote to memory of 524	1272	pzpB6A3.tmp	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\db7a94ad447367b7fe433e96a695e28f673732b085661e386ce064165e5f5542.exe
"C:\Users\Admin\AppData\Local\Temp\db7a94ad447367b7fe433e96a695e28f673732b085661e386ce064165e5f5542.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Local\Temp\pzpB6A3.tmp
"C:\Users\Admin\AppData\Local\Temp\pzpB6A3.tmp"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1272

C:\program files\internet explorer\IEXPLORE.EXE
"C:\program files\internet explorer\IEXPLORE.EXE"
3⤵
PID:524

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pzpB6A3.tmp
Filesize
701KB

MD5
768d8511d9a1cd217c08c2b0ffeb9773

SHA1
848aa94346f2b858133ed6b829306fbf8cf775da

SHA256
107e51d694d43ae46b183e0165ec5499a2764cd24be5a98f6e5cf0d5caf4d05c

SHA512
7ebf11b66fd44cbe9f2fb6702a349013d7e72e51e92ca0458eabd627c4ca62467d3cc11a834baae02ed044b390ca5f038e2a1cd88687c633ad40f96b7218a451

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzpB6A3.tmp
Filesize
701KB

MD5
768d8511d9a1cd217c08c2b0ffeb9773

SHA1
848aa94346f2b858133ed6b829306fbf8cf775da

SHA256
107e51d694d43ae46b183e0165ec5499a2764cd24be5a98f6e5cf0d5caf4d05c

SHA512
7ebf11b66fd44cbe9f2fb6702a349013d7e72e51e92ca0458eabd627c4ca62467d3cc11a834baae02ed044b390ca5f038e2a1cd88687c633ad40f96b7218a451

Download Submit
\Users\Admin\AppData\Local\Temp\pzpB6A3.tmp
Filesize
701KB

MD5
768d8511d9a1cd217c08c2b0ffeb9773

SHA1
848aa94346f2b858133ed6b829306fbf8cf775da

SHA256
107e51d694d43ae46b183e0165ec5499a2764cd24be5a98f6e5cf0d5caf4d05c

SHA512
7ebf11b66fd44cbe9f2fb6702a349013d7e72e51e92ca0458eabd627c4ca62467d3cc11a834baae02ed044b390ca5f038e2a1cd88687c633ad40f96b7218a451

Download Submit
\Users\Admin\AppData\Local\Temp\pzpB6A3.tmp
Filesize
701KB

MD5
768d8511d9a1cd217c08c2b0ffeb9773

SHA1
848aa94346f2b858133ed6b829306fbf8cf775da

SHA256
107e51d694d43ae46b183e0165ec5499a2764cd24be5a98f6e5cf0d5caf4d05c

SHA512
7ebf11b66fd44cbe9f2fb6702a349013d7e72e51e92ca0458eabd627c4ca62467d3cc11a834baae02ed044b390ca5f038e2a1cd88687c633ad40f96b7218a451

Download Submit
memory/1272-56-0x0000000000000000-mapping.dmp

Download
memory/1272-58-0x00000000759C1000-0x00000000759C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads