modiloader | eb9fc3569f0d54f3d2fe243c68864a465e779b05857fb435bcca83b54db53bc6

Analysis

max time kernel
131s
max time network
143s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12/05/2023, 01:18

Target

092726376263728.DOC.exe
Size

798KB
MD5

fc317530c3a698867861a965caa34bad
SHA1

2700a38ef604d78793da302664afc7d27bbb0b1c
SHA256

9973a0ac74f8649b431499862359352cc0e8639f4f46ae5ae2371fcdaaf31320
SHA512

f01c04b08d76f7eef6426a129dc39ea1ab60d99c52804b999b4b89c53d6d83f0ad17db311186f899f4924a5bdd38577ef8d803ae909ff700ccb68c66511d3db9
SSDEEP

12288:TNLhcjoS4FC7ITh3IBPmOt50Pbkttml53kbXJ2zlLj0:T9hcsFCMTaFCKIsbZ2h

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2032-54-0x0000000000660000-0x0000000000691000-memory.dmp	modiloader_stage2

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1976	2032	WerFault.exe	26

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1976	2032	092726376263728.DOC.exe	27
PID 2032 wrote to memory of 1976	2032	092726376263728.DOC.exe	27
PID 2032 wrote to memory of 1976	2032	092726376263728.DOC.exe	27
PID 2032 wrote to memory of 1976	2032	092726376263728.DOC.exe	27

C:\Users\Admin\AppData\Local\Temp\092726376263728.DOC.exe
"C:\Users\Admin\AppData\Local\Temp\092726376263728.DOC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 684
  2⤵
  - Program crash
  PID:1976

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
b5fcc55cffd66f38d548e8b63206c5e6

SHA1
79db08ababfa33a4f644fa8fe337195b5aba44c7

SHA256
7730df1165195dd5bb6b40d6e519b4ce07aceb03601a77bca6535d31698d4ca1

SHA512
aaa17175e90dbca04f0fa753084731313e70119fef7d408b41ff4170116ab24eaee0bd05dca2cc43464b1ee920819e5ce6f6e750d97e3c4fc605f01e7ff9c649

Download Submit
memory/2032-54-0x0000000000660000-0x0000000000691000-memory.dmp

Filesize
196KB

Download
memory/2032-56-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2032-57-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download