modiloader | c6e8f3bb94bf4839bdd7d42101c35999259c2668f22efaea666fa87d10bfd0f9

Analysis

max time kernel
176s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 11:43

Target

c6e8f3bb94bf4839bdd7d42101c35999259c2668f22efaea666fa87d10bfd0f9.exe
Size

656KB
MD5

5b2f0c3be037910958cd30414f3a4c67
SHA1

72ae317ff57206cf5de9a4eaa082be77457864d2
SHA256

c6e8f3bb94bf4839bdd7d42101c35999259c2668f22efaea666fa87d10bfd0f9
SHA512

8e5745b9b3aaf4b0b4ee5bc0280d1e8c7f1ba07b98cde2b6ff852d66a79d2c106e4b49830e6067b90ba85efa7e81f3184b2f39e506f97d9792d03f330efeb168
SSDEEP

12288:J+ZDnmaru8dD0d11HcjgKZhHXhTmUuJxTA07TVAodHubAV1x8zxUooS:YFnhN05EXZhHXpmU8AoTb1KN

Score

10^/10

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 5 IoCs

resource	yara_rule
behavioral2/memory/4660-135-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral2/memory/4660-136-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral2/memory/4660-138-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral2/memory/4660-139-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2
behavioral2/memory/4660-140-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/404-133-0x0000000000400000-0x00000000004C9200-memory.dmp	upx
behavioral2/memory/404-137-0x0000000000400000-0x00000000004C9200-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 404 set thread context of 4660	404	c6e8f3bb94bf4839bdd7d42101c35999259c2668f22efaea666fa87d10bfd0f9.exe	80

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~1\1986.txt	c6e8f3bb94bf4839bdd7d42101c35999259c2668f22efaea666fa87d10bfd0f9.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 4660	404	c6e8f3bb94bf4839bdd7d42101c35999259c2668f22efaea666fa87d10bfd0f9.exe	80
PID 404 wrote to memory of 4660	404	c6e8f3bb94bf4839bdd7d42101c35999259c2668f22efaea666fa87d10bfd0f9.exe	80
PID 404 wrote to memory of 4660	404	c6e8f3bb94bf4839bdd7d42101c35999259c2668f22efaea666fa87d10bfd0f9.exe	80
PID 404 wrote to memory of 4660	404	c6e8f3bb94bf4839bdd7d42101c35999259c2668f22efaea666fa87d10bfd0f9.exe	80
PID 404 wrote to memory of 4660	404	c6e8f3bb94bf4839bdd7d42101c35999259c2668f22efaea666fa87d10bfd0f9.exe	80
PID 4660 wrote to memory of 4664	4660	c6e8f3bb94bf4839bdd7d42101c35999259c2668f22efaea666fa87d10bfd0f9.exe	81
PID 4660 wrote to memory of 4664	4660	c6e8f3bb94bf4839bdd7d42101c35999259c2668f22efaea666fa87d10bfd0f9.exe	81

memory/404-133-0x0000000000400000-0x00000000004C9200-memory.dmp

Filesize
804KB

Download
memory/404-137-0x0000000000400000-0x00000000004C9200-memory.dmp

Filesize
804KB

Download
memory/4660-135-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4660-136-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4660-138-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4660-139-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4660-140-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download