modiloader | c5b24fdaa261048ca966b353ca0d2899b48fdf4e2dc4d3e4f366956254a0b8b4

Analysis

max time kernel
40s
max time network
32s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 06:25

Target

c5b24fdaa261048ca966b353ca0d2899b48fdf4e2dc4d3e4f366956254a0b8b4.exe
Size

1.2MB
MD5

4f8a6a9948261cc7fdb18f280da46a5a
SHA1

cba25695bc236bf64a7eb13d975b45d213ac5d8b
SHA256

c5b24fdaa261048ca966b353ca0d2899b48fdf4e2dc4d3e4f366956254a0b8b4
SHA512

202ac4721601064a7ac72d348ca8515cfca33ee403b7ed6198ac324cb5b79efe165dc79603dd22b947b7c671c72df50254f7867ed182e5e22e797cf44045ed33
SSDEEP

24576:KujKSQ45uYod8eRxIuoh5qkEr8WsdFKe4Tt9nD:R2SXSuMauoh5qkErbsab9n

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2004-58-0x0000000020000000-0x000000002014D000-memory.dmp	modiloader_stage2

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2004 set thread context of 824	2004	c5b24fdaa261048ca966b353ca0d2899b48fdf4e2dc4d3e4f366956254a0b8b4.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2004	c5b24fdaa261048ca966b353ca0d2899b48fdf4e2dc4d3e4f366956254a0b8b4.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 824	2004	c5b24fdaa261048ca966b353ca0d2899b48fdf4e2dc4d3e4f366956254a0b8b4.exe	28
PID 2004 wrote to memory of 824	2004	c5b24fdaa261048ca966b353ca0d2899b48fdf4e2dc4d3e4f366956254a0b8b4.exe	28
PID 2004 wrote to memory of 824	2004	c5b24fdaa261048ca966b353ca0d2899b48fdf4e2dc4d3e4f366956254a0b8b4.exe	28
PID 2004 wrote to memory of 824	2004	c5b24fdaa261048ca966b353ca0d2899b48fdf4e2dc4d3e4f366956254a0b8b4.exe	28
PID 2004 wrote to memory of 824	2004	c5b24fdaa261048ca966b353ca0d2899b48fdf4e2dc4d3e4f366956254a0b8b4.exe	28
PID 2004 wrote to memory of 824	2004	c5b24fdaa261048ca966b353ca0d2899b48fdf4e2dc4d3e4f366956254a0b8b4.exe	28

C:\Users\Admin\AppData\Local\Temp\c5b24fdaa261048ca966b353ca0d2899b48fdf4e2dc4d3e4f366956254a0b8b4.exe
"C:\Users\Admin\AppData\Local\Temp\c5b24fdaa261048ca966b353ca0d2899b48fdf4e2dc4d3e4f366956254a0b8b4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Temp\c5b24fdaa261048ca966b353ca0d2899b48fdf4e2dc4d3e4f366956254a0b8b4.exe
  C:\Users\Admin\AppData\Local\Temp\c5b24fdaa261048ca966b353ca0d2899b48fdf4e2dc4d3e4f366956254a0b8b4.exe
  2⤵
  PID:824

memory/824-55-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/824-57-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2004-54-0x0000000000270000-0x000000000035F000-memory.dmp

Filesize
956KB

Download
memory/2004-58-0x0000000020000000-0x000000002014D000-memory.dmp

Filesize
1.3MB

Download