modiloader | 76145dd8fc5f8c21d79d3fa02252e3006fc43d57a87cbc974e51b4975bc10d7e

Analysis

max time kernel
140s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
14-12-2023 07:26

Target

PI and payment confirmed pdf.exe
Size

1.5MB
MD5

e7a6ceb1e92d347de7fc59f2bdaaa983
SHA1

cbb2980d5fefd1dc982ed46346150b401df81ab0
SHA256

76145dd8fc5f8c21d79d3fa02252e3006fc43d57a87cbc974e51b4975bc10d7e
SHA512

315feb761bb85df9fcb8f67519d602ba39cdaf9c979b8e54616a61d4f4c4045bda5f156d9fb76def2bdc78608611856d9d67764c83107e5c0210d5acd58ae7cb
SSDEEP

24576:raVRQ9cDptbr5YQrM+EOFQCX6QmBiv3aBELJhWEH7VkHG5GJtr:raXt2aM+EMQCvXL7VsG5WR

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2872-2-0x0000000003690000-0x0000000004690000-memory.dmp	modiloader_stage2

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3032 2872 WerFault.exe PI and payment confirmed pdf.exe

pid	pid_target	process	target process
3032	2872	WerFault.exe	PI and payment confirmed pdf.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

PI and payment confirmed pdf.exe

description	pid	process	target process
PID 2872 wrote to memory of 3032	2872	PI and payment confirmed pdf.exe	WerFault.exe
PID 2872 wrote to memory of 3032	2872	PI and payment confirmed pdf.exe	WerFault.exe
PID 2872 wrote to memory of 3032	2872	PI and payment confirmed pdf.exe	WerFault.exe
PID 2872 wrote to memory of 3032	2872	PI and payment confirmed pdf.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\PI and payment confirmed pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PI and payment confirmed pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 804
2⤵
- Program crash
PID:3032

memory/2872-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2872-1-0x0000000003690000-0x0000000004690000-memory.dmp

Filesize
16.0MB

Download
memory/2872-2-0x0000000003690000-0x0000000004690000-memory.dmp

Filesize
16.0MB

Download
memory/2872-4-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2872-5-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download