modiloader | efb39b0e36f7e7ef1094eca4eeac8bf70843f750e55b15e7ac0adcd6e5fa5b95

Analysis

max time kernel
144s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 03:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

261b0151af5723bcba3cd7127fa18f64.exe
Size

552KB
MD5

261b0151af5723bcba3cd7127fa18f64
SHA1

ffbe98b013d32694bc43553c8d1538930aedc751
SHA256

efb39b0e36f7e7ef1094eca4eeac8bf70843f750e55b15e7ac0adcd6e5fa5b95
SHA512

46d542c904269c9085a7a0b3f09d410ca809d865aa832139ad72c67e629bc9fcb680b2c239e20b792b5de5cf00fe74092210af711d7f102f4f9f10f7daff992f
SSDEEP

12288:CXLb86petEsayw+0wtKaOsi/5gJS20Sm:wX81t11VOR/

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 6 IoCs

resource	yara_rule
behavioral2/memory/3216-0-0x0000000000400000-0x0000000000491000-memory.dmp	modiloader_stage2
behavioral2/memory/3216-12-0x0000000000400000-0x0000000000491000-memory.dmp	modiloader_stage2
behavioral2/memory/3608-10-0x0000000000400000-0x0000000000491000-memory.dmp	modiloader_stage2
behavioral2/memory/3608-7-0x0000000000400000-0x0000000000491000-memory.dmp	modiloader_stage2
behavioral2/files/0x000600000002321b-6.dat	modiloader_stage2
behavioral2/files/0x000600000002321b-5.dat	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
3608	svchost

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svchost	261b0151af5723bcba3cd7127fa18f64.exe
File opened for modification	C:\Windows\SysWOW64\svchost	261b0151af5723bcba3cd7127fa18f64.exe
File opened for modification	C:\Windows\SysWOW64\svchost	svchost
File created	C:\Windows\SysWOW64\Deleteme.bat	261b0151af5723bcba3cd7127fa18f64.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3216 wrote to memory of 3608	3216	261b0151af5723bcba3cd7127fa18f64.exe	52
PID 3216 wrote to memory of 3608	3216	261b0151af5723bcba3cd7127fa18f64.exe	52
PID 3216 wrote to memory of 3608	3216	261b0151af5723bcba3cd7127fa18f64.exe	52
PID 3216 wrote to memory of 3312	3216	261b0151af5723bcba3cd7127fa18f64.exe	54
PID 3216 wrote to memory of 3312	3216	261b0151af5723bcba3cd7127fa18f64.exe	54
PID 3216 wrote to memory of 3312	3216	261b0151af5723bcba3cd7127fa18f64.exe	54

C:\Users\Admin\AppData\Local\Temp\261b0151af5723bcba3cd7127fa18f64.exe
"C:\Users\Admin\AppData\Local\Temp\261b0151af5723bcba3cd7127fa18f64.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Windows\SysWOW64\svchost
  C:\Windows\system32\svchost
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:3608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\Deleteme.bat
  2⤵
  PID:3312

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Deleteme.bat

Filesize
184B

MD5
1b72bceec862f12f5c9358fd97d1db41

SHA1
4c642c381a38c99f60168500dafe65d44c4613f0

SHA256
d2388422d5d64c983961cf74410e9e472a170c4585be5f8597f0060240b52671

SHA512
8ef27c047056ca066cc5003993fa96231bda6d0383619a02b4170addf88d76722f904ba33997d127451718db7944e98f21b80d483d16e97d7c873e4560030e2b

Download Submit
C:\Windows\SysWOW64\svchost

Filesize
87KB

MD5
f75e88b52d8d69747a2f4f1eb3f4f331

SHA1
1f82ee6c5778de57b4d042d373ea2045979f1cf0

SHA256
a6224608dd512b15e9cc9a29b2fc8d9cf2be385cf22f7a413967176085983fd5

SHA512
50db23351b90403888a1bb0eac6cca3a23b3d93167dce67b39b05e08f0a9d75f04736f610580bdf85b4ca43413f815b6780f0678baa92ff3e8dfccf40e5da7cc

Download Submit
C:\Windows\SysWOW64\svchost

Filesize
63KB

MD5
ddc99aea6bcb2eef55c434b3c47d281d

SHA1
3f679b02c242415b2bcddf38bf658478834b208b

SHA256
8b27cdc817d1f059bf328f8ee7beff5b8fa7f5837fde42c108b944a4b544eebe

SHA512
8ceeb171c786f5c94b3562ffa5f7fd8bc0645c704c223248e02a894e025bdfadae35d7f3b1490dc246a036f6ff18fbc3483cce1e9895ee7ed115ed74dd921a50

Download Submit
memory/3216-0-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3216-1-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/3216-12-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3608-8-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/3608-10-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3608-7-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads