modiloader | 7a67af69c0eb49de2263832528b47cce7b0d078e182339b3c2dfd633cf4bce22

Analysis

max time kernel
126s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2023, 02:28 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Signed PI and Payment Order e.exe
Size

1.3MB
MD5

a05dd63e8340689e591dd9af542ebf06
SHA1

981eeb1019890710d4ea6f1b42cc3afe4adf1017
SHA256

4d5498e7aba7dcafa3c1ccd494fa7bafb6d8ebaaf5c854168a9de5f1b7602e0d
SHA512

703e68342046894a6453c15cab080923e96cf7e545fd45b45dfaba36470e950db54822a49cce17ca656f64372066ad7d867e5dd466299c57ec7ac0839492348b
SSDEEP

24576:6JlDoyUj2DceiZF5NIcbjAYKUx7ADHxOx4yHR7eTKwxK5K2TKEDDNuhoU:6J1sPVAYdA7khFEacMz8oU

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/3316-1-0x0000000004080000-0x0000000005080000-memory.dmp	modiloader_stage2

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2752	3316	WerFault.exe	84

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	29	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

C:\Users\Admin\AppData\Local\Temp\Signed PI and Payment Order e.exe
"C:\Users\Admin\AppData\Local\Temp\Signed PI and Payment Order e.exe"
1⤵
PID:3316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 1816
  2⤵
  - Program crash
  PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 3316 -ip 3316
1⤵
PID:3064

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

76.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.32.126.40.in-addr.arpa

IN PTR

Response
DNS

241.154.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.154.82.20.in-addr.arpa

IN PTR

Response
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

onedrive.live.com

Signed PI and Payment Order e.exe

Remote address:

8.8.8.8:53

Request

onedrive.live.com

IN A

Response

onedrive.live.com

IN CNAME

web.fe.1drv.com

web.fe.1drv.com

IN CNAME

odc-web-geo.onedrive.akadns.net

odc-web-geo.onedrive.akadns.net

IN CNAME

odc-web-brs.onedrive.akadns.net

odc-web-brs.onedrive.akadns.net

IN CNAME

odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net

odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net

IN CNAME

l-0004.l-msedge.net

l-0004.l-msedge.net

IN A

13.107.42.13
GET

https://onedrive.live.com/download?resid=E0CF7F9E6AAF27EF%211826&authkey=!AMsmXbaeBx9WdQY

Signed PI and Payment Order e.exe

Remote address:

13.107.42.13:443

Request

GET /download?resid=E0CF7F9E6AAF27EF%211826&authkey=!AMsmXbaeBx9WdQY HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: onedrive.live.com

Response

HTTP/1.1 302 Found

Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://vew5pq.ph.files.1drv.com/y4mYE6FY88KCRhG6qNejzhXp-ktZglQnd-odBox7E8H-WmCyPpfDUloeXw4bgvrlQHIx0-VwW8CO20b_gtplKzEGergzu7N7_d6ydlND8ohDjLxOLPR1pMTcLN3bVty3LaEwRNrmjdSeY6ACUko_IwiQ0z3J-f9Pn6PGZAX6dEvTP5xCx1qWI9-dtRC64qPRB44-k7vm-vYxYd2zSrElGAQBw/255_Zjnbfanqmmd?download&psid=1
Set-Cookie: E=P:KI/JYVyr24g=:l4o57p0aCTuUfLvuZjPkxwwov/YE/AaqBZ5zGhArxY4=:F; domain=.live.com; path=/
Set-Cookie: xid=59e8869b-9e65-4d67-914e-40594222e3b7&&RD0003FF11B32C&290; domain=.live.com; path=/
Set-Cookie: xidseq=1; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Sat, 02-Sep-2023 00:49:06 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Sat, 09-Sep-2023 02:29:07 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: RD0003FF11B32C
X-ODWebServer: centralus1-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: CA2EB404311141DBAB47F47D85645E4C Ref B: BRU30EDGE0810 Ref C: 2023-09-02T02:29:06Z
Date: Sat, 02 Sep 2023 02:29:06 GMT
Content-Length: 0
DNS

vew5pq.ph.files.1drv.com

Signed PI and Payment Order e.exe

Remote address:

8.8.8.8:53

Request

vew5pq.ph.files.1drv.com

IN A
DNS

vew5pq.ph.files.1drv.com

Signed PI and Payment Order e.exe

Remote address:

8.8.8.8:53

Request

vew5pq.ph.files.1drv.com

IN A
DNS

vew5pq.ph.files.1drv.com

Signed PI and Payment Order e.exe

Remote address:

8.8.8.8:53

Request

vew5pq.ph.files.1drv.com

IN A
DNS

vew5pq.ph.files.1drv.com

Signed PI and Payment Order e.exe

Remote address:

8.8.8.8:53

Request

vew5pq.ph.files.1drv.com

IN A
DNS

vew5pq.ph.files.1drv.com

Signed PI and Payment Order e.exe

Remote address:

8.8.8.8:53

Request

vew5pq.ph.files.1drv.com

IN A
DNS

13.42.107.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.42.107.13.in-addr.arpa

IN PTR

Response
DNS

onedrive.live.com

Signed PI and Payment Order e.exe

Remote address:

8.8.8.8:53

Request

onedrive.live.com

IN A

Response

onedrive.live.com

IN CNAME

web.fe.1drv.com

web.fe.1drv.com

IN CNAME

odc-web-geo.onedrive.akadns.net

odc-web-geo.onedrive.akadns.net

IN CNAME

odc-web-brs.onedrive.akadns.net

odc-web-brs.onedrive.akadns.net

IN CNAME

odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net

odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net

IN CNAME

l-0004.l-msedge.net

l-0004.l-msedge.net

IN A

13.107.42.13
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

8.3.197.209.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.3.197.209.in-addr.arpa

IN PTR

Response

8.3.197.209.in-addr.arpa

IN PTR

vip0x008map2sslhwcdnnet
DNS

22.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.236.111.52.in-addr.arpa

IN PTR

Response
DNS

123.10.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

123.10.44.20.in-addr.arpa

IN PTR

Response

13.107.42.13:443

https://onedrive.live.com/download?resid=E0CF7F9E6AAF27EF%211826&authkey=!AMsmXbaeBx9WdQY

tls, http

Signed PI and Payment Order e.exe

1.0kB
8.1kB
10
11

HTTP Request

GET https://onedrive.live.com/download?resid=E0CF7F9E6AAF27EF%211826&authkey=!AMsmXbaeBx9WdQY

HTTP Response

302

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

76.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

76.32.126.40.in-addr.arpa
8.8.8.8:53

241.154.82.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.154.82.20.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

onedrive.live.com

dns

Signed PI and Payment Order e.exe

63 B
268 B
1
1

DNS Request

onedrive.live.com

DNS Response

13.107.42.13
8.8.8.8:53

vew5pq.ph.files.1drv.com

dns

Signed PI and Payment Order e.exe

350 B
5

DNS Request

vew5pq.ph.files.1drv.com

DNS Request

vew5pq.ph.files.1drv.com

DNS Request

vew5pq.ph.files.1drv.com

DNS Request

vew5pq.ph.files.1drv.com

DNS Request

vew5pq.ph.files.1drv.com
8.8.8.8:53

13.42.107.13.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.42.107.13.in-addr.arpa
8.8.8.8:53

onedrive.live.com

dns

Signed PI and Payment Order e.exe

63 B
268 B
1
1

DNS Request

onedrive.live.com

DNS Response

13.107.42.13
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

8.3.197.209.in-addr.arpa

dns

70 B
111 B
1
1

DNS Request

8.3.197.209.in-addr.arpa
8.8.8.8:53

22.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

22.236.111.52.in-addr.arpa
8.8.8.8:53

123.10.44.20.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

123.10.44.20.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3316-0-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/3316-1-0x0000000004080000-0x0000000005080000-memory.dmp

Filesize
16.0MB

Download
memory/3316-3-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/3316-4-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.