modiloader | b79b20c44857f5d00ebc2e4be8226a7f23460a25eaad85023127af6a09c48980

Resubmissions

03-01-2023 10:26

30-12-2022 15:20

max time kernel
45s
max time network
140s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30-12-2022 15:20

Target

e680554fa3ec812160ea4fe8bbcafeac.exe
Size

5.2MB
MD5

e680554fa3ec812160ea4fe8bbcafeac
SHA1

d5b2d9f227a419d60af8c93fd890e1858682055f
SHA256

b79b20c44857f5d00ebc2e4be8226a7f23460a25eaad85023127af6a09c48980
SHA512

680559a7d3eab6a45a76d87e3ed393b7247b43a2556786c4bd180b61104cf337da58d8206f0111a916e0df12554eaada5aa99a3b9abc6a59574591785f59a340
SSDEEP

98304:TdVwc5vJ8o/UUhsAn32ennaMjUckirsnS/PpJhanPiO+XtkF9xBf7m1709ooMDP:xVVvJxFjnmeaMjUckiYcBCnPiOemF9xG

Score

10^/10

Family

systembc

oversizetights.com:4246

myprettysocks.com:4246

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1600-56-0x0000000010000000-0x00000000110D9000-memory.dmp	modiloader_stage2
behavioral1/memory/1600-60-0x0000000010000000-0x00000000110D9000-memory.dmp	modiloader_stage2
behavioral1/memory/1600-65-0x0000000010000000-0x00000000110D9000-memory.dmp	modiloader_stage2

Suspicious use of SetThreadContext 1 IoCs

Processes:

e680554fa3ec812160ea4fe8bbcafeac.exe

description pid process target process

PID 1600 set thread context of 1596 1600 e680554fa3ec812160ea4fe8bbcafeac.exe e680554fa3ec812160ea4fe8bbcafeac.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

e680554fa3ec812160ea4fe8bbcafeac.exe

pid process

1600 e680554fa3ec812160ea4fe8bbcafeac.exe

description	pid	process	target process
PID 1600 set thread context of 1596	1600	e680554fa3ec812160ea4fe8bbcafeac.exe	e680554fa3ec812160ea4fe8bbcafeac.exe

pid	process
1600	e680554fa3ec812160ea4fe8bbcafeac.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

e680554fa3ec812160ea4fe8bbcafeac.exe

description	pid	process	target process
PID 1600 wrote to memory of 1596	1600	e680554fa3ec812160ea4fe8bbcafeac.exe	e680554fa3ec812160ea4fe8bbcafeac.exe
PID 1600 wrote to memory of 1596	1600	e680554fa3ec812160ea4fe8bbcafeac.exe	e680554fa3ec812160ea4fe8bbcafeac.exe
PID 1600 wrote to memory of 1596	1600	e680554fa3ec812160ea4fe8bbcafeac.exe	e680554fa3ec812160ea4fe8bbcafeac.exe
PID 1600 wrote to memory of 1596	1600	e680554fa3ec812160ea4fe8bbcafeac.exe	e680554fa3ec812160ea4fe8bbcafeac.exe
PID 1600 wrote to memory of 1596	1600	e680554fa3ec812160ea4fe8bbcafeac.exe	e680554fa3ec812160ea4fe8bbcafeac.exe
PID 1600 wrote to memory of 1596	1600	e680554fa3ec812160ea4fe8bbcafeac.exe	e680554fa3ec812160ea4fe8bbcafeac.exe

C:\Users\Admin\AppData\Local\Temp\e680554fa3ec812160ea4fe8bbcafeac.exe
C:\Users\Admin\AppData\Local\Temp\e680554fa3ec812160ea4fe8bbcafeac.exe
2⤵
PID:1596

memory/1596-58-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1596-62-0x0000000000401000-mapping.dmp

Download
memory/1596-64-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/1596-66-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1596-61-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1596-67-0x0000000010000000-0x00000000110D9000-memory.dmp

Filesize
16.8MB

Download
memory/1600-54-0x0000000010000000-0x00000000110D9000-memory.dmp

Filesize
16.8MB

Download
memory/1600-55-0x0000000010000000-0x00000000110D9000-memory.dmp

Filesize
16.8MB

Download
memory/1600-56-0x0000000010000000-0x00000000110D9000-memory.dmp

Filesize
16.8MB

Download
memory/1600-60-0x0000000010000000-0x00000000110D9000-memory.dmp

Filesize
16.8MB

Download
memory/1600-65-0x0000000010000000-0x00000000110D9000-memory.dmp

Filesize
16.8MB

Download