modiloader | 4b45485c38d938d10fa08d306088ce8d3594fca4f93550ad8f51da5ed1fa9ac9

Analysis

max time kernel
120s
max time network
129s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 07:53

Target

12afb327aca7c5a3804ef419fe7748be.exe
Size

22KB
MD5

12afb327aca7c5a3804ef419fe7748be
SHA1

6f2b2e4722eac83c6b60189b12b5034789475290
SHA256

4b45485c38d938d10fa08d306088ce8d3594fca4f93550ad8f51da5ed1fa9ac9
SHA512

539db7a22a70f3b2fc8339b8fa4253cfab20381d1479e02c50e7ce92b36d86fc04d0cd823c44aff7abbe0261b3811b640d88f8e8de464a6e4b4fbd096e86e9a4
SSDEEP

384:Mk7+GOuV7pIIP943hYNA2zB1HDnpirQx+iOxntpJXPVKMx2vugTtK4/RP5/7:My+oa094RYN5v4sxXOxnHFPVKMQvrtjp

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/memory/2208-1-0x0000000000400000-0x000000000041E000-memory.dmp	modiloader_stage2
behavioral1/memory/2208-23-0x0000000000400000-0x000000000041E000-memory.dmp	modiloader_stage2
behavioral1/memory/2368-22-0x0000000000400000-0x000000000041E000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
2368	WinRaR.exe

Loads dropped DLL 2 IoCs

pid	Process
2208	12afb327aca7c5a3804ef419fe7748be.exe
2208	12afb327aca7c5a3804ef419fe7748be.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinRaR\	12afb327aca7c5a3804ef419fe7748be.exe
File created	C:\Windows\WinRaR\WinRaR.exe	12afb327aca7c5a3804ef419fe7748be.exe
File opened for modification	C:\Windows\WinRaR\WinRaR.exe	12afb327aca7c5a3804ef419fe7748be.exe
File created	C:\Windows\WinRaR\WinRaR.dll	12afb327aca7c5a3804ef419fe7748be.exe
File opened for modification	C:\Windows\WinRaR\	WinRaR.exe
File created	C:\Windows\WinRaR\WinRaR.exe	WinRaR.exe
File created	C:\Windows\WinRaR\WinRaR.dll	WinRaR.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2368	2208	12afb327aca7c5a3804ef419fe7748be.exe	28
PID 2208 wrote to memory of 2368	2208	12afb327aca7c5a3804ef419fe7748be.exe	28
PID 2208 wrote to memory of 2368	2208	12afb327aca7c5a3804ef419fe7748be.exe	28
PID 2208 wrote to memory of 2368	2208	12afb327aca7c5a3804ef419fe7748be.exe	28

C:\Windows\WinRaR\WinRaR.dll

Filesize
27KB

MD5
63fc1e1a519eb5cf6e267221415f524b

SHA1
efe8296d329a7a9e35b6567525af22ced15031cc

SHA256
3567f24014f0ad244315787fd099a7625aee64b3bac0e87343b37e9b94036c39

SHA512
b0635d3b77da3faef35c68501e20b4c72e303756f7d48fc4bc499d1ad4a544f42ef8ca729c66cfc5f5abe257574cc4e0e2ccc9412ac79de24dac95407dc769df

Download Submit
\Windows\WinRaR\WinRaR.exe

Filesize
22KB

MD5
12afb327aca7c5a3804ef419fe7748be

SHA1
6f2b2e4722eac83c6b60189b12b5034789475290

SHA256
4b45485c38d938d10fa08d306088ce8d3594fca4f93550ad8f51da5ed1fa9ac9

SHA512
539db7a22a70f3b2fc8339b8fa4253cfab20381d1479e02c50e7ce92b36d86fc04d0cd823c44aff7abbe0261b3811b640d88f8e8de464a6e4b4fbd096e86e9a4

Download Submit
memory/2208-2-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2208-1-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2208-16-0x0000000000280000-0x000000000029E000-memory.dmp

Filesize
120KB

Download
memory/2208-23-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2208-11-0x0000000000280000-0x000000000029E000-memory.dmp

Filesize
120KB

Download
memory/2368-19-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2368-22-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download