modiloader | bcb432181d31740986afd9eee4abbdd94c5c5e6a33c548988b223e00957bbee0

Analysis

max time kernel
130s
max time network
36s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21-03-2023 14:40

Target

9f8afb109c9b23b3b9645ecf1d44dd25d866472242239c766cac33a31d66a98d.exe
Size

924KB
MD5

8da3b607defa90b5500db1ee274f68c7
SHA1

cf853ceb8feffb9d3a2ce76cfc9b9e324c7fc9ee
SHA256

9f8afb109c9b23b3b9645ecf1d44dd25d866472242239c766cac33a31d66a98d
SHA512

375bab9d849f9f5ff0e47b8734372e55ac99eb7f5e2bbab485aa388429ee07c380682184dd75f91f58ae141e0697f64e2c14beb15967e4c9196048b0ded75b6b
SSDEEP

24576:5U5BEEVl6gwiCYi6Wq+VHcvf9eGqRSZqPLX3UHA2I:5U5G6lNxk0ZqPLX3UHA2I

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1344-54-0x0000000000270000-0x000000000029C000-memory.dmp	modiloader_stage2

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

376 1344 WerFault.exe 9f8afb109c9b23b3b9645ecf1d44dd25d866472242239c766cac33a31d66a98d.exe

pid	pid_target	process	target process
376	1344	WerFault.exe	9f8afb109c9b23b3b9645ecf1d44dd25d866472242239c766cac33a31d66a98d.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

9f8afb109c9b23b3b9645ecf1d44dd25d866472242239c766cac33a31d66a98d.exe

pid	process
1344	9f8afb109c9b23b3b9645ecf1d44dd25d866472242239c766cac33a31d66a98d.exe
1344	9f8afb109c9b23b3b9645ecf1d44dd25d866472242239c766cac33a31d66a98d.exe
1344	9f8afb109c9b23b3b9645ecf1d44dd25d866472242239c766cac33a31d66a98d.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

9f8afb109c9b23b3b9645ecf1d44dd25d866472242239c766cac33a31d66a98d.exe

description	pid	process	target process
PID 1344 wrote to memory of 376	1344	9f8afb109c9b23b3b9645ecf1d44dd25d866472242239c766cac33a31d66a98d.exe	WerFault.exe
PID 1344 wrote to memory of 376	1344	9f8afb109c9b23b3b9645ecf1d44dd25d866472242239c766cac33a31d66a98d.exe	WerFault.exe
PID 1344 wrote to memory of 376	1344	9f8afb109c9b23b3b9645ecf1d44dd25d866472242239c766cac33a31d66a98d.exe	WerFault.exe
PID 1344 wrote to memory of 376	1344	9f8afb109c9b23b3b9645ecf1d44dd25d866472242239c766cac33a31d66a98d.exe	WerFault.exe

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 884
2⤵
- Program crash
PID:376

memory/1344-54-0x0000000000270000-0x000000000029C000-memory.dmp

Filesize
176KB

Download
memory/1344-56-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1344-57-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download