modiloader | de1a28105c6aa44d9f7a10e86fbaa1bc4fdc4a9ea52a34352b5723f9f678320c

Analysis

max time kernel
241s
max time network
133s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
12-12-2023 13:47

Target

Zuyzagrrjiaomn.exe
Size

1.4MB
MD5

4498b4c8b085e4caf5f8ddeaaa09d2f5
SHA1

8cd5a02eed25fbda5f16c1c9ba67013438955649
SHA256

de1a28105c6aa44d9f7a10e86fbaa1bc4fdc4a9ea52a34352b5723f9f678320c
SHA512

ae09b529c07a550cd7b905aafacdc33f0583d168fec57752ac186293d7808ae85b6831be9edeab14598727ae96aa57f1e00e92d48c3a19f2be0d1c303edfa43c
SSDEEP

24576:YlPf8kMO7O7eZ3bXfkGSZr/QTopkgxKJYiTNwQaV:YJHueZ3bnSZr/QTukKiTNXa

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2376-2-0x0000000003090000-0x0000000004090000-memory.dmp	modiloader_stage2

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2300 2376 WerFault.exe Zuyzagrrjiaomn.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 4 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	pid_target	process	target process
2300	2376	WerFault.exe	Zuyzagrrjiaomn.exe

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Zuyzagrrjiaomn.exe

description	pid	process	target process
PID 2376 wrote to memory of 2300	2376	Zuyzagrrjiaomn.exe	WerFault.exe
PID 2376 wrote to memory of 2300	2376	Zuyzagrrjiaomn.exe	WerFault.exe
PID 2376 wrote to memory of 2300	2376	Zuyzagrrjiaomn.exe	WerFault.exe
PID 2376 wrote to memory of 2300	2376	Zuyzagrrjiaomn.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Zuyzagrrjiaomn.exe
"C:\Users\Admin\AppData\Local\Temp\Zuyzagrrjiaomn.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 704
2⤵
- Program crash
PID:2300

memory/2376-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2376-1-0x0000000003090000-0x0000000004090000-memory.dmp

Filesize
16.0MB

Download
memory/2376-2-0x0000000003090000-0x0000000004090000-memory.dmp

Filesize
16.0MB

Download
memory/2376-4-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2376-5-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download