modiloader | 7d541256186fb81f8a16fd7f0b5ee7c9a151d2de019f25395b3ab9985ec56d9e

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 21:05

Target

0400103aef56f7c879f1574451b5d51e.exe
Size

516KB
MD5

0400103aef56f7c879f1574451b5d51e
SHA1

a7acfb026cb239c42c9041778c4639791ded25c0
SHA256

7d541256186fb81f8a16fd7f0b5ee7c9a151d2de019f25395b3ab9985ec56d9e
SHA512

fadfe58b29b80259b4ba1f9f46e5984145e87de3096b88c0975204b7164acf1dd428768308668e64dfe15fa64ec38b2144e85cc2af7724e510dbfd39e344ecf0
SSDEEP

6144:hHJq/2D6XF0dnBi8QS4VKkEUzhgyoaAlGCC3fdPYZTrvseAOpxN4T72pUa9rPVlR:q/2mXFJ71VFBZYZcCp74WpUWZYAF

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral2/files/0x000800000001e712-4.dat	modiloader_stage2
behavioral2/memory/2160-8-0x0000000000400000-0x0000000000488011-memory.dmp	modiloader_stage2
behavioral2/memory/1848-10-0x0000000000400000-0x0000000000488011-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
2160	maomao.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\maomao.exe	maomao.exe
File created	C:\Windows\SysWOW64\Deleteme.bat	0400103aef56f7c879f1574451b5d51e.exe
File created	C:\Windows\SysWOW64\maomao.exe	0400103aef56f7c879f1574451b5d51e.exe
File opened for modification	C:\Windows\SysWOW64\maomao.exe	0400103aef56f7c879f1574451b5d51e.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2160	1848	0400103aef56f7c879f1574451b5d51e.exe	93
PID 1848 wrote to memory of 2160	1848	0400103aef56f7c879f1574451b5d51e.exe	93
PID 1848 wrote to memory of 2160	1848	0400103aef56f7c879f1574451b5d51e.exe	93
PID 1848 wrote to memory of 4272	1848	0400103aef56f7c879f1574451b5d51e.exe	94
PID 1848 wrote to memory of 4272	1848	0400103aef56f7c879f1574451b5d51e.exe	94
PID 1848 wrote to memory of 4272	1848	0400103aef56f7c879f1574451b5d51e.exe	94

C:\Users\Admin\AppData\Local\Temp\0400103aef56f7c879f1574451b5d51e.exe
"C:\Users\Admin\AppData\Local\Temp\0400103aef56f7c879f1574451b5d51e.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Windows\SysWOW64\maomao.exe
  C:\Windows\system32\maomao.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\Deleteme.bat
  2⤵
  PID:4272

C:\Windows\SysWOW64\Deleteme.bat

Filesize
184B

MD5
e7716c047f0fce816289231330534936

SHA1
2c5a0990d2d282e05a9a8bf70799fca6790b3f2f

SHA256
1c9e19f962d4912e6a0e526e3dbb36c64f172cb618b7251740f160f0cb3d951c

SHA512
d5835dc79612150999b9f06e9f30b59f36702c2aeb3b9a0b6587127ad0fad55b3ecf1f18a7602eac6495d16da55186db77560bc798ad66579542d7778263c6e8

Download Submit
C:\Windows\SysWOW64\maomao.exe

Filesize
516KB

MD5
0400103aef56f7c879f1574451b5d51e

SHA1
a7acfb026cb239c42c9041778c4639791ded25c0

SHA256
7d541256186fb81f8a16fd7f0b5ee7c9a151d2de019f25395b3ab9985ec56d9e

SHA512
fadfe58b29b80259b4ba1f9f46e5984145e87de3096b88c0975204b7164acf1dd428768308668e64dfe15fa64ec38b2144e85cc2af7724e510dbfd39e344ecf0

Download Submit
memory/1848-0-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/1848-10-0x0000000000400000-0x0000000000488011-memory.dmp

Filesize
544KB

Download
memory/2160-6-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/2160-8-0x0000000000400000-0x0000000000488011-memory.dmp

Filesize
544KB

Download