modiloader | ae1b55aa3f0c75be1762c9b24d08f8e6a60f07432d902db0d91f780c85c9b50e

General

Target

2bff344cba5116badb0c46b76ded294d.exe
Size

665KB
MD5

2bff344cba5116badb0c46b76ded294d
SHA1

dbd3cd8902d2ca439a887dff575d059512671058
SHA256

ae1b55aa3f0c75be1762c9b24d08f8e6a60f07432d902db0d91f780c85c9b50e
SHA512

ef7227ecd9d60e280a4cb9cd5311b0199f6b199058c5cb5a8c3d397f1900a5da8ae9d6845eda17b320d8f4ff623be2c70e373ead8dc9c1cc3607aeab27b65229
SSDEEP

12288:Z6UdkreRflYDlYwG1X7L1UIOX+aoUhF3Z4mxxRDqVTVOCE:Z6UkSlYRYzL1UIyOUhQmXYVTzE

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 6 IoCs

resource	yara_rule
behavioral2/memory/3516-13-0x0000000003500000-0x00000000035B7000-memory.dmp	modiloader_stage2
behavioral2/memory/3516-24-0x0000000000400000-0x0000000000518000-memory.dmp	modiloader_stage2
behavioral2/memory/4008-27-0x0000000000400000-0x0000000000518000-memory.dmp	modiloader_stage2
behavioral2/memory/3516-32-0x0000000000400000-0x0000000000518000-memory.dmp	modiloader_stage2
behavioral2/memory/4008-33-0x0000000000400000-0x0000000000518000-memory.dmp	modiloader_stage2
behavioral2/memory/4008-34-0x0000000000400000-0x0000000000518000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
4008	sys.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SxingDel.bat	2bff344cba5116badb0c46b76ded294d.exe
File created	C:\Windows\sys.exe	2bff344cba5116badb0c46b76ded294d.exe
File opened for modification	C:\Windows\sys.exe	2bff344cba5116badb0c46b76ded294d.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4344	4008	WerFault.exe	91

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 4008	3516	2bff344cba5116badb0c46b76ded294d.exe	91
PID 3516 wrote to memory of 4008	3516	2bff344cba5116badb0c46b76ded294d.exe	91
PID 3516 wrote to memory of 4008	3516	2bff344cba5116badb0c46b76ded294d.exe	91
PID 4008 wrote to memory of 4436	4008	sys.exe	92
PID 4008 wrote to memory of 4436	4008	sys.exe	92
PID 3516 wrote to memory of 2860	3516	2bff344cba5116badb0c46b76ded294d.exe	102
PID 3516 wrote to memory of 2860	3516	2bff344cba5116badb0c46b76ded294d.exe	102
PID 3516 wrote to memory of 2860	3516	2bff344cba5116badb0c46b76ded294d.exe	102

C:\Users\Admin\AppData\Local\Temp\2bff344cba5116badb0c46b76ded294d.exe
"C:\Users\Admin\AppData\Local\Temp\2bff344cba5116badb0c46b76ded294d.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Windows\sys.exe
  C:\Windows\sys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\program files\internet explorer\IEXPLORE.EXE
    "C:\program files\internet explorer\IEXPLORE.EXE"
    3⤵
    PID:4436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 636
    3⤵
    - Program crash
    PID:4344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\SxingDel.bat
  2⤵
  PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4008 -ip 4008
1⤵
PID:3660

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SxingDel.bat

Filesize
184B

MD5
a4020402b4ed59a04c92635f34b3277f

SHA1
09d66e29fc2bf75a1fb5f23546a45536debc6c5f

SHA256
d4f0cceb6c9b09cb270736eb3d85da35ad915e899ba9e5e41665265c8c73f81f

SHA512
9a09a25e5b797d925f14e894e611ba518aaf3b8c8d824c2e8ba792c7d19a7461f259c25622432e5207c49c5b49fbbfc1e47cff91f1dccb65bea9cd54912818a5

Download Submit
C:\Windows\sys.exe

Filesize
665KB

MD5
2bff344cba5116badb0c46b76ded294d

SHA1
dbd3cd8902d2ca439a887dff575d059512671058

SHA256
ae1b55aa3f0c75be1762c9b24d08f8e6a60f07432d902db0d91f780c85c9b50e

SHA512
ef7227ecd9d60e280a4cb9cd5311b0199f6b199058c5cb5a8c3d397f1900a5da8ae9d6845eda17b320d8f4ff623be2c70e373ead8dc9c1cc3607aeab27b65229

Download Submit
memory/3516-16-0x00000000037E0000-0x00000000037E1000-memory.dmp

Filesize
4KB

Download
memory/3516-32-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/3516-3-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/3516-5-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/3516-6-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/3516-9-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/3516-10-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/3516-12-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3516-11-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/3516-13-0x0000000003500000-0x00000000035B7000-memory.dmp

Filesize
732KB

Download
memory/3516-14-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/3516-15-0x00000000025B0000-0x00000000025B8000-memory.dmp

Filesize
32KB

Download
memory/3516-4-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/3516-0-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/3516-24-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/3516-1-0x0000000002330000-0x0000000002384000-memory.dmp

Filesize
336KB

Download
memory/3516-2-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/3516-25-0x0000000002330000-0x0000000002384000-memory.dmp

Filesize
336KB

Download
memory/4008-21-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/4008-23-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/4008-27-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/4008-28-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/4008-22-0x0000000002090000-0x00000000020E4000-memory.dmp

Filesize
336KB

Download
memory/4008-33-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/4008-34-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/4008-20-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing