modiloader | b15a8668037928b4cc574506dc96518162693d531de044e7adf67461a123b1e5

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.1MB
MD5

2e6d90fb9fb763f7ee8213ff90bf663d
SHA1

c766b1375aa220c3107b62a6cc350eba2f212d0b
SHA256

b15a8668037928b4cc574506dc96518162693d531de044e7adf67461a123b1e5
SHA512

cf87e621932cec3b25e4155ba34aca287be4cd348cb9876bbef58d5aedd95e7be2bb5c20e2e57791fb74a4f9daad725242a9e80181e49c85e740fb795d91a510
SSDEEP

12288:qE8C9kdWdEPv8zuVEdh9a6OLqvabdpmBkt1VEmA00P85Be2fgmv1qsM8HcZG3g5W:qEPudPPOuVsaoAjlD0P83H5M8OG3

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/4016-1-0x0000000002B20000-0x0000000003B20000-memory.dmp	modiloader_stage2

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	38	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	52	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe
PID 4016 wrote to memory of 0	4016	file.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4016-0-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/4016-1-0x0000000002B20000-0x0000000003B20000-memory.dmp

Filesize
16.0MB

Download
memory/4016-3-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/4016-4-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download