modiloader | a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6

Analysis

max time kernel
163s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 20:32

Target

a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe
Size

1023KB
MD5

7163a7c79159c177965e39a0a2aa9d84
SHA1

387cd1ce9cbd41813ca6a3d3539dd954d62d88f7
SHA256

a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6
SHA512

0d75d7234c8f2a62da62dfa36966e059e81472eb37046321139ba9e428d3c046155ba3ad3dab3a06f327860b4c59f1de01a2c150bcbfb47cf0e41ea6807db6a7
SSDEEP

24576:HoK9U9Z5Y4+YSembcj3jtpTm7bUDWzPuNML851cM9wAYJWIi:HoQU9Z5Y4+YSembcj3jjTcDuNML851c6

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4372-132-0x0000000000010000-0x0000000000111000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-133-0x0000000000010000-0x0000000000111000-memory.dmp	modiloader_stage2
behavioral2/memory/4372-135-0x0000000000010000-0x0000000000111000-memory.dmp	modiloader_stage2

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe

description	pid	process	target process
PID 4372 wrote to memory of 1568	4372	a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe	a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe
PID 4372 wrote to memory of 1568	4372	a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe	a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe
PID 4372 wrote to memory of 1568	4372	a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe	a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe

C:\Users\Admin\AppData\Local\Temp\a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe
"C:\Users\Admin\AppData\Local\Temp\a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4372

C:\Users\Admin\AppData\Local\Temp\a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe
C:\Users\Admin\AppData\Local\Temp\a3e1f20506208597076bf594445399df87de1579b525690f29ac8b1f714b8cc6.exe
2⤵
PID:1568

memory/1568-134-0x0000000000000000-mapping.dmp

Download
memory/4372-132-0x0000000000010000-0x0000000000111000-memory.dmp

Filesize
1.0MB

Download
memory/4372-133-0x0000000000010000-0x0000000000111000-memory.dmp

Filesize
1.0MB

Download
memory/4372-135-0x0000000000010000-0x0000000000111000-memory.dmp

Filesize
1.0MB

Download