modiloader | a475322f26172f4dad7c67d1f01426b31a45afbc448b8b01d3f4d09fb53b2f4f

Analysis

max time kernel
147s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

010017e186c37470c1208876f7bb2db3.exe
Size

26KB
MD5

010017e186c37470c1208876f7bb2db3
SHA1

6ddcc3756f32e75d0e782b832860dc9595326874
SHA256

a475322f26172f4dad7c67d1f01426b31a45afbc448b8b01d3f4d09fb53b2f4f
SHA512

3e30f2aa73576f65470952c71676ee429c4142d0147478fa3a27201fd614834d1fb46eb60c3e5add1392502d33267c7bbed3602366c4d7f15209b29beb46ab42
SSDEEP

384:fdKoA0iaVZAszu/RQ+mLyvXYu5+z0jfSkkn0BzzqNhfF0axPn9qGciTtxs0F4XkA:f4oTHupC2/kgqkk05whcG/LsXkA

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/memory/1844-14-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral2/memory/3152-17-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
3152	winow.exe

Loads dropped DLL 2 IoCs

pid	Process
3152	winow.exe
3152	winow.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\winow.dll	010017e186c37470c1208876f7bb2db3.exe
File created	C:\Windows\winow.exe	010017e186c37470c1208876f7bb2db3.exe
File opened for modification	C:\Windows\winow.exe	010017e186c37470c1208876f7bb2db3.exe
File created	C:\Windows\winow.dll	winow.exe
File created	C:\Windows\winow.exe	winow.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3152	winow.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 3152	1844	010017e186c37470c1208876f7bb2db3.exe	15
PID 1844 wrote to memory of 3152	1844	010017e186c37470c1208876f7bb2db3.exe	15
PID 1844 wrote to memory of 3152	1844	010017e186c37470c1208876f7bb2db3.exe	15

C:\Users\Admin\AppData\Local\Temp\010017e186c37470c1208876f7bb2db3.exe
"C:\Users\Admin\AppData\Local\Temp\010017e186c37470c1208876f7bb2db3.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Windows\winow.exe
  C:\Windows\winow.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:3152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\winow.dll

Filesize
33KB

MD5
5e0e81a2ef1a5013e7e3593b165590a0

SHA1
a940fc1e724b61a86acdc232669f0a50775cd840

SHA256
c3fe5505e2c18a9aedf654906184bd21a0ee889908894ca824ec7a6945edcca1

SHA512
4d47dd00a716f0492ddbe0974ba2f906e9602cffec8da61789a5232918abe44216df250bdd1ddcc0b75a3f583520119e4bbf687dfdb116c4336b80921577aa9b

Download Submit
C:\Windows\winow.exe

Filesize
1KB

MD5
44e0ddd48109116d57784ffa1ed11457

SHA1
6d2e5f95e05b61c82064c9316fdb3a3e2154c283

SHA256
5935d9dd269cd45700a9b690ebedf003a79662be858508d5426aa607e2e80857

SHA512
4a42ffd48814deb9de4468ea9f6683aad6a239c212acf0d889e45811a21686c4e3c0e04c46e4baf2a847d5f63d3ba9954cfa157d1f0da9fc30dada2883929e08

Download Submit
C:\Windows\winow.exe

Filesize
26KB

MD5
010017e186c37470c1208876f7bb2db3

SHA1
6ddcc3756f32e75d0e782b832860dc9595326874

SHA256
a475322f26172f4dad7c67d1f01426b31a45afbc448b8b01d3f4d09fb53b2f4f

SHA512
3e30f2aa73576f65470952c71676ee429c4142d0147478fa3a27201fd614834d1fb46eb60c3e5add1392502d33267c7bbed3602366c4d7f15209b29beb46ab42

Download Submit
memory/1844-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1844-14-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3152-11-0x0000000002140000-0x000000000214E000-memory.dmp

Filesize
56KB

Download
memory/3152-15-0x0000000002140000-0x000000000214E000-memory.dmp

Filesize
56KB

Download
memory/3152-17-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download