modiloader | e399bdc24cb76e8ebdfef7bba94b18031fe0b4fd3664fcad763e77b1e4b2da86

Analysis

max time kernel
130s
max time network
139s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
25-05-2023 02:00

Target

Siparis onayi proforma Fatura.exe
Size

805KB
MD5

dab7cc983ca9542bd96062d675128a57
SHA1

13d832f3e6a884dfee1b05c4fe9ab7f754c8607c
SHA256

e399bdc24cb76e8ebdfef7bba94b18031fe0b4fd3664fcad763e77b1e4b2da86
SHA512

de268296462fe12039fc316b4674b4bc20e4ad4140e198ea5f8fc38d42e7434c8ba4e47b76b5cebad4b692e828a7d0423f1b01ebf7cefbb7abfc52f05f0697e3
SSDEEP

12288:29Id6OrPwqTQAwBTTvY0Z3l9+P/bnqvPPOmWnADUcHjNEU:29XyTFwtTpZ1E32POM7m

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2032-54-0x0000000001FE0000-0x0000000002012000-memory.dmp	modiloader_stage2

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1864 2032 WerFault.exe Siparis onayi proforma Fatura.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 2 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	pid_target	process	target process
1864	2032	WerFault.exe	Siparis onayi proforma Fatura.exe

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Siparis onayi proforma Fatura.exe

description	pid	process	target process
PID 2032 wrote to memory of 1864	2032	Siparis onayi proforma Fatura.exe	WerFault.exe
PID 2032 wrote to memory of 1864	2032	Siparis onayi proforma Fatura.exe	WerFault.exe
PID 2032 wrote to memory of 1864	2032	Siparis onayi proforma Fatura.exe	WerFault.exe
PID 2032 wrote to memory of 1864	2032	Siparis onayi proforma Fatura.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Siparis onayi proforma Fatura.exe
"C:\Users\Admin\AppData\Local\Temp\Siparis onayi proforma Fatura.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 692
2⤵
- Program crash
PID:1864

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
62KB

MD5
b5fcc55cffd66f38d548e8b63206c5e6

SHA1
79db08ababfa33a4f644fa8fe337195b5aba44c7

SHA256
7730df1165195dd5bb6b40d6e519b4ce07aceb03601a77bca6535d31698d4ca1

SHA512
aaa17175e90dbca04f0fa753084731313e70119fef7d408b41ff4170116ab24eaee0bd05dca2cc43464b1ee920819e5ce6f6e750d97e3c4fc605f01e7ff9c649

Download Submit
memory/2032-54-0x0000000001FE0000-0x0000000002012000-memory.dmp

Filesize
200KB

Download
memory/2032-56-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2032-57-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download