modiloader | f983cdcb52e6144ba8a87fb6f8904f39d3626be45c1725bdb89a2522525f3a9b

Analysis

max time kernel
131s
max time network
142s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08/05/2023, 13:17

Target

Invoice.exe
Size

792KB
MD5

f67ab8557bf377cb8075aa19c1be2830
SHA1

79cfebdbfcdfe57c64af0891046a6af1ce5c208a
SHA256

f983cdcb52e6144ba8a87fb6f8904f39d3626be45c1725bdb89a2522525f3a9b
SHA512

d8cd20edd78a12ed10d9e5e1ac91b592696a80aec325eb1d69c4fd01de6c81aa4f8905a0b69b2d09ccb81c05e4f60454a83ebbca4703e0176ec4e73b9a040e4e
SSDEEP

12288:vX44VFiwL9aDSm20iw+hm4m7YHDcbhT4EbLGHrn1XAjQzB/PD:vpzH9aDSm2A+hmD6c9T4EvGHr1QE9/P

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/840-54-0x00000000002D0000-0x0000000000301000-memory.dmp	modiloader_stage2

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1636	840	WerFault.exe	27

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 1636	840	Invoice.exe	28
PID 840 wrote to memory of 1636	840	Invoice.exe	28
PID 840 wrote to memory of 1636	840	Invoice.exe	28
PID 840 wrote to memory of 1636	840	Invoice.exe	28

C:\Users\Admin\AppData\Local\Temp\Invoice.exe
"C:\Users\Admin\AppData\Local\Temp\Invoice.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:840
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 700
  2⤵
  - Program crash
  PID:1636

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
b5fcc55cffd66f38d548e8b63206c5e6

SHA1
79db08ababfa33a4f644fa8fe337195b5aba44c7

SHA256
7730df1165195dd5bb6b40d6e519b4ce07aceb03601a77bca6535d31698d4ca1

SHA512
aaa17175e90dbca04f0fa753084731313e70119fef7d408b41ff4170116ab24eaee0bd05dca2cc43464b1ee920819e5ce6f6e750d97e3c4fc605f01e7ff9c649

Download Submit
memory/840-54-0x00000000002D0000-0x0000000000301000-memory.dmp

Filesize
196KB

Download
memory/840-56-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/840-57-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download