modiloader | 259ec179be1b7362f26ae44c9fae099f421f533717ab8ad21e4f6011ff065625

General

Target

044bb67ef79368248d90297e17ca515e.exe
Size

707KB
MD5

044bb67ef79368248d90297e17ca515e
SHA1

76b621d9f387c5c34b66bf00f9e2444b70c8d93b
SHA256

259ec179be1b7362f26ae44c9fae099f421f533717ab8ad21e4f6011ff065625
SHA512

90bcbab424a6639f928339286ed3a37cfe9a1fb7e1ed9d7df6d3f5a40ea9a84b3399b47dc2316b4c4a0a8f7d265cf6b9d20f1f4a7864068018f0e9558c7941ab
SSDEEP

12288:3Zj/S5Ys9wAKbdVLO+KwtL1kYzz5z4nJ/cwqt0DMT78:pLSD9wA+/p1fd4n+wHMTw

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 21 IoCs

resource	yara_rule
behavioral1/memory/2764-36-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2172-34-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-32-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-31-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2292-28-0x0000000000400000-0x00000000004B8000-memory.dmp	modiloader_stage2
behavioral1/files/0x0009000000012232-27.dat	modiloader_stage2
behavioral1/memory/2172-10-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2172-8-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2172-7-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2172-6-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2520-5-0x0000000000400000-0x00000000004B8000-memory.dmp	modiloader_stage2
behavioral1/memory/2172-4-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-37-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-38-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-41-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-45-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-46-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-48-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-52-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-53-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-55-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
2704	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2292	ggf.exe
2764	ggf.exe

Loads dropped DLL 3 IoCs

pid	Process
2172	044bb67ef79368248d90297e17ca515e.exe
2172	044bb67ef79368248d90297e17ca515e.exe
2292	ggf.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2520 set thread context of 2172	2520	044bb67ef79368248d90297e17ca515e.exe	5
PID 2292 set thread context of 2764	2292	ggf.exe	3

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\ggf.exe	044bb67ef79368248d90297e17ca515e.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\ggf.exe	044bb67ef79368248d90297e17ca515e.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2172	2520	044bb67ef79368248d90297e17ca515e.exe	5
PID 2520 wrote to memory of 2172	2520	044bb67ef79368248d90297e17ca515e.exe	5
PID 2520 wrote to memory of 2172	2520	044bb67ef79368248d90297e17ca515e.exe	5
PID 2520 wrote to memory of 2172	2520	044bb67ef79368248d90297e17ca515e.exe	5
PID 2520 wrote to memory of 2172	2520	044bb67ef79368248d90297e17ca515e.exe	5
PID 2520 wrote to memory of 2172	2520	044bb67ef79368248d90297e17ca515e.exe	5
PID 2172 wrote to memory of 2292	2172	044bb67ef79368248d90297e17ca515e.exe	4
PID 2172 wrote to memory of 2292	2172	044bb67ef79368248d90297e17ca515e.exe	4
PID 2172 wrote to memory of 2292	2172	044bb67ef79368248d90297e17ca515e.exe	4
PID 2172 wrote to memory of 2292	2172	044bb67ef79368248d90297e17ca515e.exe	4
PID 2292 wrote to memory of 2764	2292	ggf.exe	3
PID 2292 wrote to memory of 2764	2292	ggf.exe	3
PID 2292 wrote to memory of 2764	2292	ggf.exe	3
PID 2292 wrote to memory of 2764	2292	ggf.exe	3
PID 2292 wrote to memory of 2764	2292	ggf.exe	3
PID 2292 wrote to memory of 2764	2292	ggf.exe	3
PID 2172 wrote to memory of 2704	2172	044bb67ef79368248d90297e17ca515e.exe	2
PID 2172 wrote to memory of 2704	2172	044bb67ef79368248d90297e17ca515e.exe	2
PID 2172 wrote to memory of 2704	2172	044bb67ef79368248d90297e17ca515e.exe	2
PID 2172 wrote to memory of 2704	2172	044bb67ef79368248d90297e17ca515e.exe	2

C:\Windows\SysWOW64\cmd.exe
cmd /c erase /F C:\Users\Admin\AppData\Local\Temp\044bb67ef79368248d90297e17ca515e.exe
1⤵
- Deletes itself
PID:2704

C:\Program Files\Common Files\Microsoft Shared\MSINFO\ggf.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\ggf.exe"
1⤵
- Executes dropped EXE
PID:2764

C:\Program Files\Common Files\Microsoft Shared\MSINFO\ggf.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\ggf.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2292

C:\Users\Admin\AppData\Local\Temp\044bb67ef79368248d90297e17ca515e.exe
C:\Users\Admin\AppData\Local\Temp\044bb67ef79368248d90297e17ca515e.exe
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2172

C:\Users\Admin\AppData\Local\Temp\044bb67ef79368248d90297e17ca515e.exe
"C:\Users\Admin\AppData\Local\Temp\044bb67ef79368248d90297e17ca515e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\ggf.exe

Filesize
707KB

MD5
044bb67ef79368248d90297e17ca515e

SHA1
76b621d9f387c5c34b66bf00f9e2444b70c8d93b

SHA256
259ec179be1b7362f26ae44c9fae099f421f533717ab8ad21e4f6011ff065625

SHA512
90bcbab424a6639f928339286ed3a37cfe9a1fb7e1ed9d7df6d3f5a40ea9a84b3399b47dc2316b4c4a0a8f7d265cf6b9d20f1f4a7864068018f0e9558c7941ab

Download Submit
memory/2172-6-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2172-34-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2172-0-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2172-2-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2172-4-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2172-10-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2172-9-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2172-8-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2172-7-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2292-28-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2520-5-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2764-40-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2764-36-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2764-32-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2764-33-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2764-37-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2764-38-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2764-31-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2764-41-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2764-48-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2764-46-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2764-45-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2764-52-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2764-53-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2764-55-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download

Analysis

Sharing