modiloader | 3f2651020961acfaba84fc8049f5edd479af3cfab7079f0c9bb12e52dd5f2f8c

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 07:05

Target

11b723557777da86f39e7b65b4ee42df.exe
Size

156KB
MD5

11b723557777da86f39e7b65b4ee42df
SHA1

50eeaf0f00b0c0e3ff01a492e410455d3764a269
SHA256

3f2651020961acfaba84fc8049f5edd479af3cfab7079f0c9bb12e52dd5f2f8c
SHA512

ec3b85efd971d6959233349d179dddeb65ecf75cecc760b4fbd5ef4bdea2b4b7274c861237d2c3fab27559663a519e109d0eb647b2d669a86d5b3da3943fcac9
SSDEEP

1536:bsCqYOQXNCNNWa00qJQhLTg7CCobPtPJpFHSOuopPcuR8Ebs28CW:BOmNJlULTg7+Ptxp1SaPcu2w6p

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 4 IoCs

resource	yara_rule
behavioral2/memory/3228-0-0x0000000000400000-0x0000000000427000-memory.dmp	modiloader_stage2
behavioral2/files/0x0007000000023209-4.dat	modiloader_stage2
behavioral2/memory/3228-14-0x0000000000400000-0x0000000000427000-memory.dmp	modiloader_stage2
behavioral2/memory/1480-17-0x0000000000400000-0x0000000000427000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
1480	wmsj.exe

Loads dropped DLL 2 IoCs

pid	Process
1480	wmsj.exe
1480	wmsj.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1480	wmsj.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 1480	3228	11b723557777da86f39e7b65b4ee42df.exe	87
PID 3228 wrote to memory of 1480	3228	11b723557777da86f39e7b65b4ee42df.exe	87
PID 3228 wrote to memory of 1480	3228	11b723557777da86f39e7b65b4ee42df.exe	87

C:\Users\Admin\AppData\Local\Temp\11b723557777da86f39e7b65b4ee42df.exe
"C:\Users\Admin\AppData\Local\Temp\11b723557777da86f39e7b65b4ee42df.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3228
- C:\RECYCLER\wmsj.exe
  C:\RECYCLER\wmsj.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1480

C:\RECYCLER\video.dll

Filesize
37KB

MD5
282fc99747c30c211fe88e21de8cb216

SHA1
6b0d356aa7080eca91112d7f75b9b48570dd0709

SHA256
2bc432d27bfdd56176991d7c1b90f01ffe0d2442f5a8041272ea73ee2d241a63

SHA512
889e4d77667d8e1653c6d0c4b5232067ed46d26bf6578132db7a7f95783a1d78bd3ba29626afe2e9a2552585e366d62b52a3f655de30d5a168fe71f13ad0cbc8

Download Submit
C:\RECYCLER\wmsj.exe

Filesize
156KB

MD5
11b723557777da86f39e7b65b4ee42df

SHA1
50eeaf0f00b0c0e3ff01a492e410455d3764a269

SHA256
3f2651020961acfaba84fc8049f5edd479af3cfab7079f0c9bb12e52dd5f2f8c

SHA512
ec3b85efd971d6959233349d179dddeb65ecf75cecc760b4fbd5ef4bdea2b4b7274c861237d2c3fab27559663a519e109d0eb647b2d669a86d5b3da3943fcac9

Download Submit
memory/1480-11-0x00000000004B0000-0x00000000004BF000-memory.dmp

Filesize
60KB

Download
memory/1480-15-0x00000000004B0000-0x00000000004BF000-memory.dmp

Filesize
60KB

Download
memory/1480-17-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3228-0-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3228-14-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download