modiloader | 4a38ee3727eb9767f0263318ff0771a6aaa74fc3fcdb618e5eb16ed3a5b0d1a5

Analysis

max time kernel
175s
max time network
144s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 08:47

Target

610635f624bc18334f1009bd16a1288b.exe
Size

111KB
MD5

610635f624bc18334f1009bd16a1288b
SHA1

2fd8667eab8e32ba2bfd5765eb0c770f5f4bb8c3
SHA256

4a38ee3727eb9767f0263318ff0771a6aaa74fc3fcdb618e5eb16ed3a5b0d1a5
SHA512

235a5cfa6621e7b5d4f25de5c732aa52797ca1b78fdc42b8d8c29756d164e0f9998271da13dc04c6f722c47c94ce62c8f5b731273397b5bb53a0f981eab1254a
SSDEEP

1536:TtYYYYYYYYYYYLfEWohMkYlETypxmSg3JOTYj4lTfrPkKoEk3ntkB2+NfJxVae:TtYYYYYYYYYYYS2V1gZiU4JP7A2BVhxD

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/3028-0-0x0000000000400000-0x0000000000423000-memory.dmp	modiloader_stage2

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2852	3028	WerFault.exe	4

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2852	3028	610635f624bc18334f1009bd16a1288b.exe	30
PID 3028 wrote to memory of 2852	3028	610635f624bc18334f1009bd16a1288b.exe	30
PID 3028 wrote to memory of 2852	3028	610635f624bc18334f1009bd16a1288b.exe	30
PID 3028 wrote to memory of 2852	3028	610635f624bc18334f1009bd16a1288b.exe	30

C:\Users\Admin\AppData\Local\Temp\610635f624bc18334f1009bd16a1288b.exe
"C:\Users\Admin\AppData\Local\Temp\610635f624bc18334f1009bd16a1288b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 116
  2⤵
  - Program crash
  PID:2852

memory/3028-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download