modiloader | 6a190bcafe9cc319f49062f37afb7ab5cd0abd61b95a7cd027c61edb1c16ba09

General

Target

0804a8a96641c1fdf34a7bace3e631df.exe
Size

307KB
MD5

0804a8a96641c1fdf34a7bace3e631df
SHA1

b186a9d3fec5a3ce2ff60ae77692baf86d1eecb6
SHA256

6a190bcafe9cc319f49062f37afb7ab5cd0abd61b95a7cd027c61edb1c16ba09
SHA512

f1f97cfc503f0b35d8ab1e069cc948e21536baa701babb319045ad84bec14060e2854477e31fb6dc9146de0ff9ad440822b5f3835acafcd1b4470a5be5c49e6f
SSDEEP

6144:160drKkUVCjsAJ6QrA+wK5e87AHZ+Z1/uGokN/Fdb65a:Xd9cjRQrhwI73uGhzu5

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/memory/1688-14-0x0000000000400000-0x0000000000553210-memory.dmp	modiloader_stage2
behavioral1/memory/2904-18-0x0000000000400000-0x0000000000553210-memory.dmp	modiloader_stage2
behavioral1/memory/2904-27-0x0000000000400000-0x0000000000553210-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
840	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1688	explorer.bat

Loads dropped DLL 4 IoCs

pid	Process
2904	0804a8a96641c1fdf34a7bace3e631df.exe
2904	0804a8a96641c1fdf34a7bace3e631df.exe
2568	WerFault.exe
2568	WerFault.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\SxDel.bat	0804a8a96641c1fdf34a7bace3e631df.exe
File created	C:\Program Files\explorer.bat	0804a8a96641c1fdf34a7bace3e631df.exe
File opened for modification	C:\Program Files\explorer.bat	0804a8a96641c1fdf34a7bace3e631df.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2568	1688	WerFault.exe	29

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 1688	2904	0804a8a96641c1fdf34a7bace3e631df.exe	29
PID 2904 wrote to memory of 1688	2904	0804a8a96641c1fdf34a7bace3e631df.exe	29
PID 2904 wrote to memory of 1688	2904	0804a8a96641c1fdf34a7bace3e631df.exe	29
PID 2904 wrote to memory of 1688	2904	0804a8a96641c1fdf34a7bace3e631df.exe	29
PID 1688 wrote to memory of 2568	1688	explorer.bat	30
PID 1688 wrote to memory of 2568	1688	explorer.bat	30
PID 1688 wrote to memory of 2568	1688	explorer.bat	30
PID 1688 wrote to memory of 2568	1688	explorer.bat	30
PID 2904 wrote to memory of 840	2904	0804a8a96641c1fdf34a7bace3e631df.exe	31
PID 2904 wrote to memory of 840	2904	0804a8a96641c1fdf34a7bace3e631df.exe	31
PID 2904 wrote to memory of 840	2904	0804a8a96641c1fdf34a7bace3e631df.exe	31
PID 2904 wrote to memory of 840	2904	0804a8a96641c1fdf34a7bace3e631df.exe	31

C:\Users\Admin\AppData\Local\Temp\0804a8a96641c1fdf34a7bace3e631df.exe
"C:\Users\Admin\AppData\Local\Temp\0804a8a96641c1fdf34a7bace3e631df.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Program Files\explorer.bat
  "C:\Program Files\explorer.bat"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 292
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\SxDel.bat""
  2⤵
  - Deletes itself
  PID:840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\SxDel.bat

Filesize
184B

MD5
ac867a12fe7a9f9e28ba4916fc20bc0c

SHA1
06837a9f6198a5cfddb31370f352a300708fce03

SHA256
aa2aece8cc2fb34ccf343f5da43348b7dc12d4055cbf8fe116d91ac27ad1f59a

SHA512
224eb84a4bca6edd7a8e6efe2d5c2a3172598e50cf48a4af86a5052fc3b342a33ed78d73f78cdd7fa977ef21e03c863acfc56639021e77964c4f3d4eb97f4de8

Download Submit
\Program Files\explorer.bat

Filesize
23KB

MD5
c4a960dce472dcdd91b5bbedac9352a4

SHA1
3ee9a6cbcec823c14713f5247d2addf54c0074ca

SHA256
1d206e23b24897632376fd3731e3feab2ba96116cad81acea6a29954d9ac56a1

SHA512
40fe61c5270bd120f95c016761955a3dcf879a23b60732bc640d80316a34d3085b67436ee6d2d565bee7ea99fd64a5d16ee2a16615bcdf54d78ec6bde7b8d41d

Download Submit
\Program Files\explorer.bat

Filesize
86KB

MD5
ea4f1e768098341a18ca6288e1edfa9c

SHA1
2b2f7e3d3fece99c237703836defea312dd5f865

SHA256
9e0ec242503f8408531df73ea85239b934966a1c71127fa2bbf193825d351413

SHA512
05f8b1c38097b366c9f7cdaba96b0e1aa74329331d08be147d3ce02b46258da29c74f1a9c2874b948fbd055d3480a307996a8383511313d57bc2c258dd48afd3

Download Submit
\Program Files\explorer.bat

Filesize
307KB

MD5
0804a8a96641c1fdf34a7bace3e631df

SHA1
b186a9d3fec5a3ce2ff60ae77692baf86d1eecb6

SHA256
6a190bcafe9cc319f49062f37afb7ab5cd0abd61b95a7cd027c61edb1c16ba09

SHA512
f1f97cfc503f0b35d8ab1e069cc948e21536baa701babb319045ad84bec14060e2854477e31fb6dc9146de0ff9ad440822b5f3835acafcd1b4470a5be5c49e6f

Download Submit
memory/1688-15-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1688-14-0x0000000000400000-0x0000000000553210-memory.dmp

Filesize
1.3MB

Download
memory/2904-12-0x0000000002DD0000-0x0000000002F24000-memory.dmp

Filesize
1.3MB

Download
memory/2904-13-0x0000000002DD0000-0x0000000002F24000-memory.dmp

Filesize
1.3MB

Download
memory/2904-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2904-2-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2904-18-0x0000000000400000-0x0000000000553210-memory.dmp

Filesize
1.3MB

Download
memory/2904-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2904-0-0x0000000000400000-0x0000000000553210-memory.dmp

Filesize
1.3MB

Download
memory/2904-27-0x0000000000400000-0x0000000000553210-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing