modiloader | a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6

Analysis

max time kernel
62s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe
Size

1023KB
MD5

7163a7c79159c177965e39a0a2aa9d84
SHA1

387cd1ce9cbd41813ca6a3d3539dd954d62d88f7
SHA256

a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6
SHA512

0d75d7234c8f2a62da62dfa36966e059e81472eb37046321139ba9e428d3c046155ba3ad3dab3a06f327860b4c59f1de01a2c150bcbfb47cf0e41ea6807db6a7
SSDEEP

24576:HoK9U9Z5Y4+YSembcj3jtpTm7bUDWzPuNML851cM9wAYJWIi:HoQU9Z5Y4+YSembcj3jjTcDuNML851c6

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1216-54-0x0000000000010000-0x0000000000111000-memory.dmp	modiloader_stage2
behavioral1/memory/1216-66-0x0000000000010000-0x0000000000111000-memory.dmp	modiloader_stage2

Suspicious use of SetThreadContext 1 IoCs

Processes:

a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe

description	pid	process	target process
PID 1216 set thread context of 524	1216	a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe	a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe

pid process

524 a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe

pid	process
524	a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe

description	pid	process	target process
PID 1216 wrote to memory of 524	1216	a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe	a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe
PID 1216 wrote to memory of 524	1216	a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe	a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe
PID 1216 wrote to memory of 524	1216	a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe	a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe
PID 1216 wrote to memory of 524	1216	a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe	a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe
PID 1216 wrote to memory of 524	1216	a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe	a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe
PID 1216 wrote to memory of 524	1216	a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe	a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe
PID 1216 wrote to memory of 524	1216	a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe	a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe
PID 1216 wrote to memory of 524	1216	a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe	a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe
PID 1216 wrote to memory of 524	1216	a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe	a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe

C:\Users\Admin\AppData\Local\Temp\a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe
"C:\Users\Admin\AppData\Local\Temp\a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1216

C:\Users\Admin\AppData\Local\Temp\a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe
C:\Users\Admin\AppData\Local\Temp\a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe
2⤵
- Suspicious use of UnmapMainImage
PID:524

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/524-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/524-56-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/524-58-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/524-63-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/524-65-0x000000000040166C-mapping.dmp

Download
memory/1216-54-0x0000000000010000-0x0000000000111000-memory.dmp

Filesize
1.0MB

Download
memory/1216-66-0x0000000000010000-0x0000000000111000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads