modiloader | f830d563a9f22f775fb8bf3af3b5cdd9f5884558e58cee634463aa5c6f82718b

Analysis

max time kernel
202s
max time network
251s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 17:31

Target

f830d563a9f22f775fb8bf3af3b5cdd9f5884558e58cee634463aa5c6f82718b.exe
Size

729KB
MD5

649c677a84242f2269c0536de13103bd
SHA1

c4b9334d6a5c017847381cb34baf2dd508c97159
SHA256

f830d563a9f22f775fb8bf3af3b5cdd9f5884558e58cee634463aa5c6f82718b
SHA512

6180434e2c987d5b6aebeeb8b6f013b9b8f56a3aa04ce91e6e35da410a97ba1086862af198e4998d1efb18e9169654201ca1044e669f1a185b7045964bd7b899
SSDEEP

12288:Z82FAFW7DiL45bHUJctgMOdA1OKrnWEwh4Sz26MmVXjMd2nPmJgunfgwd55:O2AiDiLkbZqMj1OwWE0zoIPmPfgi5

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 6 IoCs

resource	yara_rule
behavioral2/memory/308-136-0x0000000000400000-0x0000000000578000-memory.dmp	modiloader_stage2
behavioral2/memory/308-134-0x0000000000400000-0x0000000000578000-memory.dmp	modiloader_stage2
behavioral2/memory/308-138-0x0000000000400000-0x0000000000578000-memory.dmp	modiloader_stage2
behavioral2/memory/308-139-0x0000000000400000-0x0000000000578000-memory.dmp	modiloader_stage2
behavioral2/memory/308-140-0x0000000000400000-0x0000000000578000-memory.dmp	modiloader_stage2
behavioral2/memory/308-141-0x0000000000400000-0x0000000000578000-memory.dmp	modiloader_stage2

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupWay.txt	f830d563a9f22f775fb8bf3af3b5cdd9f5884558e58cee634463aa5c6f82718b.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 308 wrote to memory of 4556	308	f830d563a9f22f775fb8bf3af3b5cdd9f5884558e58cee634463aa5c6f82718b.exe	82
PID 308 wrote to memory of 4556	308	f830d563a9f22f775fb8bf3af3b5cdd9f5884558e58cee634463aa5c6f82718b.exe	82

C:\Users\Admin\AppData\Local\Temp\f830d563a9f22f775fb8bf3af3b5cdd9f5884558e58cee634463aa5c6f82718b.exe
"C:\Users\Admin\AppData\Local\Temp\f830d563a9f22f775fb8bf3af3b5cdd9f5884558e58cee634463aa5c6f82718b.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:308
- C:\program files\internet explorer\IEXPLORE.EXE
  "C:\program files\internet explorer\IEXPLORE.EXE"
  2⤵
  PID:4556

memory/308-132-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/308-133-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/308-136-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/308-134-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/308-135-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/308-138-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/308-139-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/308-140-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/308-141-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download