modiloader | f5288c91f7f9b95f69a6e799dcaa1e078f4d563e39651b0ae3c8a614e69e235f

General

Target

f5288c91f7f9b95f69a6e799dcaa1e078f4d563e39651b0ae3c8a614e69e235f.exe
Size

666KB
MD5

e28e575d6e1e65e2434e39d250469c6f
SHA1

55712514751c1962760afe1de6f2744462e7a3a7
SHA256

f5288c91f7f9b95f69a6e799dcaa1e078f4d563e39651b0ae3c8a614e69e235f
SHA512

bee497a3481f3f7c58effe2577e7bff04fabf5da09d8bcecfee3ab52ef486a34cab0c9592e3cb0690e8ba9ceb33e380a662feb265e011bc48c7aafd452e63674
SSDEEP

12288:Ht6tx/yOgijdiFEqh3479pMhHHEjvXpxKv3OKmewzuovubZAYuopTVAcB+OAyDFX:HoPasjddq54RpMH6ZxQOKmewzuovubZI

Score

10^/10

modiloader evasion trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/memory/524-56-0x0000000000010000-0x00000000000BA000-memory.dmp	modiloader_stage2
behavioral1/memory/524-60-0x0000000000010000-0x00000000000BA000-memory.dmp	modiloader_stage2
behavioral1/memory/1828-64-0x0000000000010000-0x00000000000BA000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
1828	tset32.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Wine	f5288c91f7f9b95f69a6e799dcaa1e078f4d563e39651b0ae3c8a614e69e235f.exe
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Wine	tset32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
524	f5288c91f7f9b95f69a6e799dcaa1e078f4d563e39651b0ae3c8a614e69e235f.exe
1828	tset32.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\tset32.exe	tset32.exe
File created	C:\Windows\tset32.exe	f5288c91f7f9b95f69a6e799dcaa1e078f4d563e39651b0ae3c8a614e69e235f.exe
File opened for modification	C:\Windows\tset32.exe	f5288c91f7f9b95f69a6e799dcaa1e078f4d563e39651b0ae3c8a614e69e235f.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
524	f5288c91f7f9b95f69a6e799dcaa1e078f4d563e39651b0ae3c8a614e69e235f.exe
1828	tset32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 524 wrote to memory of 1828	524	f5288c91f7f9b95f69a6e799dcaa1e078f4d563e39651b0ae3c8a614e69e235f.exe	28
PID 524 wrote to memory of 1828	524	f5288c91f7f9b95f69a6e799dcaa1e078f4d563e39651b0ae3c8a614e69e235f.exe	28
PID 524 wrote to memory of 1828	524	f5288c91f7f9b95f69a6e799dcaa1e078f4d563e39651b0ae3c8a614e69e235f.exe	28
PID 524 wrote to memory of 1828	524	f5288c91f7f9b95f69a6e799dcaa1e078f4d563e39651b0ae3c8a614e69e235f.exe	28
PID 1828 wrote to memory of 2036	1828	tset32.exe	29
PID 1828 wrote to memory of 2036	1828	tset32.exe	29
PID 1828 wrote to memory of 2036	1828	tset32.exe	29
PID 1828 wrote to memory of 2036	1828	tset32.exe	29

C:\Users\Admin\AppData\Local\Temp\f5288c91f7f9b95f69a6e799dcaa1e078f4d563e39651b0ae3c8a614e69e235f.exe
"C:\Users\Admin\AppData\Local\Temp\f5288c91f7f9b95f69a6e799dcaa1e078f4d563e39651b0ae3c8a614e69e235f.exe"
1⤵
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:524
- C:\Windows\tset32.exe
  -bs
  2⤵
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Program Files\Internet Explorer\iexplore.exe
    -bs
    3⤵
    PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tset32.exe

Filesize
666KB

MD5
e28e575d6e1e65e2434e39d250469c6f

SHA1
55712514751c1962760afe1de6f2744462e7a3a7

SHA256
f5288c91f7f9b95f69a6e799dcaa1e078f4d563e39651b0ae3c8a614e69e235f

SHA512
bee497a3481f3f7c58effe2577e7bff04fabf5da09d8bcecfee3ab52ef486a34cab0c9592e3cb0690e8ba9ceb33e380a662feb265e011bc48c7aafd452e63674

Download Submit
C:\Windows\tset32.exe

Filesize
666KB

MD5
e28e575d6e1e65e2434e39d250469c6f

SHA1
55712514751c1962760afe1de6f2744462e7a3a7

SHA256
f5288c91f7f9b95f69a6e799dcaa1e078f4d563e39651b0ae3c8a614e69e235f

SHA512
bee497a3481f3f7c58effe2577e7bff04fabf5da09d8bcecfee3ab52ef486a34cab0c9592e3cb0690e8ba9ceb33e380a662feb265e011bc48c7aafd452e63674

Download Submit
memory/524-55-0x0000000000010000-0x00000000000BA000-memory.dmp

Filesize
680KB

Download
memory/524-54-0x00000000767C1000-0x00000000767C3000-memory.dmp

Filesize
8KB

Download
memory/524-56-0x0000000000010000-0x00000000000BA000-memory.dmp

Filesize
680KB

Download
memory/524-57-0x0000000003E10000-0x0000000003EBA000-memory.dmp

Filesize
680KB

Download
memory/524-60-0x0000000000010000-0x00000000000BA000-memory.dmp

Filesize
680KB

Download
memory/1828-58-0x0000000000000000-mapping.dmp

Download
memory/1828-61-0x0000000000010000-0x00000000000BA000-memory.dmp

Filesize
680KB

Download
memory/1828-64-0x0000000000010000-0x00000000000BA000-memory.dmp

Filesize
680KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads