modiloader | 99bb89c7ca8d437ca93c4ee8ba4522ce6ffdb311cf8c46a4dd828d87a6ab8bd0 | Triage

Submit
Reports

Overview

overview

Static

static

8

99bb89c7ca...d0.exe

windows7-x64

99bb89c7ca...d0.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

99bb89c7ca8d437ca93c4ee8ba4522ce6ffdb311cf8c46a4dd828d87a6ab8bd0
Size

508KB
Sample

221206-vswapagc79
MD5

19fa3ff91a70ebb08f4c8908a641cc26
SHA1

3a05d25ed1627c6232ca626edef26904144b7ceb
SHA256

99bb89c7ca8d437ca93c4ee8ba4522ce6ffdb311cf8c46a4dd828d87a6ab8bd0
SHA512

6988a2f5abc40c9d7a39d39cb125f7d156bf86b2957d17fe655511053d28657892c51e5ef032a3c3919d1bcad88fe46ccadf14acbce4d8d8e0ed2a264c1d8361
SSDEEP

12288:f30gycnV8kJDAAcS7fQWRHcKcO7pskvvy6fZAY7CTi:f0gvneQ85ifDRxTakny6O/T

Score

10^/10

modiloader persistence trojan vmprotect

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

99bb89c7ca8d437ca93c4ee8ba4522ce6ffdb311cf8c46a4dd828d87a6ab8bd0.exe

Resource

win7-20221111-en

modiloader persistence trojan vmprotect

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

99bb89c7ca8d437ca93c4ee8ba4522ce6ffdb311cf8c46a4dd828d87a6ab8bd0.exe

Resource

win10v2004-20221111-en

modiloader persistence trojan vmprotect

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Targets

- Target
  
  99bb89c7ca8d437ca93c4ee8ba4522ce6ffdb311cf8c46a4dd828d87a6ab8bd0
- Size
  
  508KB
- MD5
  
  19fa3ff91a70ebb08f4c8908a641cc26
- SHA1
  
  3a05d25ed1627c6232ca626edef26904144b7ceb
- SHA256
  
  99bb89c7ca8d437ca93c4ee8ba4522ce6ffdb311cf8c46a4dd828d87a6ab8bd0
- SHA512
  
  6988a2f5abc40c9d7a39d39cb125f7d156bf86b2957d17fe655511053d28657892c51e5ef032a3c3919d1bcad88fe46ccadf14acbce4d8d8e0ed2a264c1d8361
- SSDEEP
  
  12288:f30gycnV8kJDAAcS7fQWRHcKcO7pskvvy6fZAY7CTi:f0gvneQ85ifDRxTakny6O/T
Score

10^/10

modiloader persistence trojan vmprotect
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- ModiLoader Second Stage
- Executes dropped EXE
- Sets file execution options in registry
  persistence
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

modiloaderpersistencetrojanvmprotect

behavioral2

modiloaderpersistencetrojanvmprotect

© 2018-2025

Terms | Privacy