modiloader | ae1b55aa3f0c75be1762c9b24d08f8e6a60f07432d902db0d91f780c85c9b50e

General

Target

2bff344cba5116badb0c46b76ded294d.exe
Size

665KB
MD5

2bff344cba5116badb0c46b76ded294d
SHA1

dbd3cd8902d2ca439a887dff575d059512671058
SHA256

ae1b55aa3f0c75be1762c9b24d08f8e6a60f07432d902db0d91f780c85c9b50e
SHA512

ef7227ecd9d60e280a4cb9cd5311b0199f6b199058c5cb5a8c3d397f1900a5da8ae9d6845eda17b320d8f4ff623be2c70e373ead8dc9c1cc3607aeab27b65229
SSDEEP

12288:Z6UdkreRflYDlYwG1X7L1UIOX+aoUhF3Z4mxxRDqVTVOCE:Z6UkSlYRYzL1UIyOUhQmXYVTzE

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 5 IoCs

resource	yara_rule
behavioral1/memory/2172-11-0x0000000003360000-0x0000000003417000-memory.dmp	modiloader_stage2
behavioral1/memory/2172-21-0x00000000040B0000-0x00000000041C8000-memory.dmp	modiloader_stage2
behavioral1/memory/2816-25-0x0000000000400000-0x0000000000518000-memory.dmp	modiloader_stage2
behavioral1/memory/2172-27-0x0000000000400000-0x0000000000518000-memory.dmp	modiloader_stage2
behavioral1/memory/2172-42-0x0000000000400000-0x0000000000518000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
2952	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2816	sys.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SxingDel.bat	2bff344cba5116badb0c46b76ded294d.exe
File created	C:\Windows\sys.exe	2bff344cba5116badb0c46b76ded294d.exe
File opened for modification	C:\Windows\sys.exe	2bff344cba5116badb0c46b76ded294d.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2708	2816	WerFault.exe	28

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2816	2172	2bff344cba5116badb0c46b76ded294d.exe	28
PID 2172 wrote to memory of 2816	2172	2bff344cba5116badb0c46b76ded294d.exe	28
PID 2172 wrote to memory of 2816	2172	2bff344cba5116badb0c46b76ded294d.exe	28
PID 2172 wrote to memory of 2816	2172	2bff344cba5116badb0c46b76ded294d.exe	28
PID 2816 wrote to memory of 2708	2816	sys.exe	29
PID 2816 wrote to memory of 2708	2816	sys.exe	29
PID 2816 wrote to memory of 2708	2816	sys.exe	29
PID 2816 wrote to memory of 2708	2816	sys.exe	29
PID 2172 wrote to memory of 2952	2172	2bff344cba5116badb0c46b76ded294d.exe	32
PID 2172 wrote to memory of 2952	2172	2bff344cba5116badb0c46b76ded294d.exe	32
PID 2172 wrote to memory of 2952	2172	2bff344cba5116badb0c46b76ded294d.exe	32
PID 2172 wrote to memory of 2952	2172	2bff344cba5116badb0c46b76ded294d.exe	32

C:\Users\Admin\AppData\Local\Temp\2bff344cba5116badb0c46b76ded294d.exe
"C:\Users\Admin\AppData\Local\Temp\2bff344cba5116badb0c46b76ded294d.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\sys.exe
  C:\Windows\sys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 312
    3⤵
    - Program crash
    PID:2708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\SxingDel.bat
  2⤵
  - Deletes itself
  PID:2952

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SxingDel.bat

Filesize
184B

MD5
a4020402b4ed59a04c92635f34b3277f

SHA1
09d66e29fc2bf75a1fb5f23546a45536debc6c5f

SHA256
d4f0cceb6c9b09cb270736eb3d85da35ad915e899ba9e5e41665265c8c73f81f

SHA512
9a09a25e5b797d925f14e894e611ba518aaf3b8c8d824c2e8ba792c7d19a7461f259c25622432e5207c49c5b49fbbfc1e47cff91f1dccb65bea9cd54912818a5

Download Submit
C:\Windows\sys.exe

Filesize
665KB

MD5
2bff344cba5116badb0c46b76ded294d

SHA1
dbd3cd8902d2ca439a887dff575d059512671058

SHA256
ae1b55aa3f0c75be1762c9b24d08f8e6a60f07432d902db0d91f780c85c9b50e

SHA512
ef7227ecd9d60e280a4cb9cd5311b0199f6b199058c5cb5a8c3d397f1900a5da8ae9d6845eda17b320d8f4ff623be2c70e373ead8dc9c1cc3607aeab27b65229

Download Submit
memory/2172-15-0x0000000000790000-0x0000000000798000-memory.dmp

Filesize
32KB

Download
memory/2172-4-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2172-10-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/2172-8-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/2172-7-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/2172-5-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2172-14-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2172-3-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/2172-2-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2172-11-0x0000000003360000-0x0000000003417000-memory.dmp

Filesize
732KB

Download
memory/2172-9-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/2172-0-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2172-42-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2172-6-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2172-21-0x00000000040B0000-0x00000000041C8000-memory.dmp

Filesize
1.1MB

Download
memory/2172-23-0x00000000040B0000-0x00000000041C8000-memory.dmp

Filesize
1.1MB

Download
memory/2172-16-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/2172-1-0x0000000000320000-0x0000000000374000-memory.dmp

Filesize
336KB

Download
memory/2172-32-0x00000000040B0000-0x00000000041C8000-memory.dmp

Filesize
1.1MB

Download
memory/2172-27-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2172-29-0x0000000000320000-0x0000000000374000-memory.dmp

Filesize
336KB

Download
memory/2816-25-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2816-26-0x00000000002C0000-0x0000000000314000-memory.dmp

Filesize
336KB

Download
memory/2816-24-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing