modiloader | 79717bbefa00956f137d446b83271ea5df10aa751928be1a4976891447990eed

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 23:46

Target

076eb2db84aebf2350414a657c88f7ff.exe
Size

156KB
MD5

076eb2db84aebf2350414a657c88f7ff
SHA1

03c802c74d4ef1a4df42918aae9455dd0718224f
SHA256

79717bbefa00956f137d446b83271ea5df10aa751928be1a4976891447990eed
SHA512

6572452e509d6a006540b253ef4e7bc100480ea496a49beb6ef1e8101aba7bc7523e4388ca1680d540b2908a680eaa0a04dd5911774ed7f66664253a33062aad
SSDEEP

1536:8sCqYOQXNCU2c0qJQhLTg7DBihrGQeJpFHSOuopPcNT8iB72grQd+oju:EOmNbULTg71ArG1p1SaPcZV7qdFq

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 6 IoCs

resource	yara_rule
behavioral1/memory/2668-0-0x0000000000400000-0x0000000000427000-memory.dmp	modiloader_stage2
behavioral1/files/0x00070000000186bd-3.dat	modiloader_stage2
behavioral1/memory/2668-9-0x0000000000220000-0x0000000000247000-memory.dmp	modiloader_stage2
behavioral1/memory/2668-14-0x0000000000400000-0x0000000000427000-memory.dmp	modiloader_stage2
behavioral1/memory/2716-13-0x0000000000400000-0x0000000000427000-memory.dmp	modiloader_stage2
behavioral1/memory/2668-16-0x0000000000220000-0x0000000000247000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
2716	wmsj.exe

Loads dropped DLL 2 IoCs

pid	Process
2668	076eb2db84aebf2350414a657c88f7ff.exe
2668	076eb2db84aebf2350414a657c88f7ff.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2716	2668	076eb2db84aebf2350414a657c88f7ff.exe	28
PID 2668 wrote to memory of 2716	2668	076eb2db84aebf2350414a657c88f7ff.exe	28
PID 2668 wrote to memory of 2716	2668	076eb2db84aebf2350414a657c88f7ff.exe	28
PID 2668 wrote to memory of 2716	2668	076eb2db84aebf2350414a657c88f7ff.exe	28

C:\Users\Admin\AppData\Local\Temp\076eb2db84aebf2350414a657c88f7ff.exe
"C:\Users\Admin\AppData\Local\Temp\076eb2db84aebf2350414a657c88f7ff.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668
- C:\RECYCLER\wmsj.exe
  C:\RECYCLER\wmsj.exe
  2⤵
  - Executes dropped EXE
  PID:2716

C:\RECYCLER\video.dll

Filesize
37KB

MD5
efc90757e4df598f033faa078ba289c0

SHA1
c8f52f6d9a1eb7ed953d7d539156569c62c61f66

SHA256
bc92e523187d22cde3508219902f1bee003199ff07bc55a7a7e956e972bf8861

SHA512
b0ae4615fc76de00dd7d0d21e3b72f58ce36cd69a8dd22333fbc65a6729a1bd01e293c9c51243fc769096acb7e9704d0a4165f7aed90e90ac82c13df0735bc6a

Download Submit
\RECYCLER\wmsj.exe

Filesize
156KB

MD5
076eb2db84aebf2350414a657c88f7ff

SHA1
03c802c74d4ef1a4df42918aae9455dd0718224f

SHA256
79717bbefa00956f137d446b83271ea5df10aa751928be1a4976891447990eed

SHA512
6572452e509d6a006540b253ef4e7bc100480ea496a49beb6ef1e8101aba7bc7523e4388ca1680d540b2908a680eaa0a04dd5911774ed7f66664253a33062aad

Download Submit
memory/2668-0-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2668-9-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/2668-15-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/2668-14-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2668-16-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/2716-13-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download