modiloader | 174721f9d5861a0415a3128debaa2147ef10dab5552454b5da3e2ae7b01b8033

General

Target

036244e73f392c54c6c70107dd6563a3.exe
Size

720KB
MD5

036244e73f392c54c6c70107dd6563a3
SHA1

6ce030303b1490b7c4dcae5ebe1787951a15ea06
SHA256

174721f9d5861a0415a3128debaa2147ef10dab5552454b5da3e2ae7b01b8033
SHA512

dfe0de63efe212f4a4e7b2edc9357e059b23c421c0b31344cd327e4fa6e7f89e03bdd13acdbcc71e9658c107e2c241eda968ae0dc8aff60bc3ccb9e71ef7d568
SSDEEP

12288:0t31oSg+d+coajNNQGJ7dAjsVE6wpNIyDG:0tpd+coaRglpN6

Score

10^/10

modiloader trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 10 IoCs

resource	yara_rule
behavioral1/memory/1712-16-0x0000000000400000-0x0000000000510000-memory.dmp	modiloader_stage2
behavioral1/memory/2080-40-0x0000000000400000-0x0000000000510000-memory.dmp	modiloader_stage2
behavioral1/memory/2080-41-0x0000000000400000-0x0000000000510000-memory.dmp	modiloader_stage2
behavioral1/memory/2080-42-0x0000000000400000-0x0000000000510000-memory.dmp	modiloader_stage2
behavioral1/memory/2080-43-0x0000000000400000-0x0000000000510000-memory.dmp	modiloader_stage2
behavioral1/memory/2080-44-0x0000000000400000-0x0000000000510000-memory.dmp	modiloader_stage2
behavioral1/memory/2080-45-0x0000000000400000-0x0000000000510000-memory.dmp	modiloader_stage2
behavioral1/memory/2080-46-0x0000000000400000-0x0000000000510000-memory.dmp	modiloader_stage2
behavioral1/memory/2080-47-0x0000000000400000-0x0000000000510000-memory.dmp	modiloader_stage2
behavioral1/memory/2080-48-0x0000000000400000-0x0000000000510000-memory.dmp	modiloader_stage2

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	036244e73f392c54c6c70107dd6563a3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	036244e73f392c54c6c70107dd6563a3.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1712-1-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral1/files/0x000d00000001232d-24.dat	upx
behavioral1/memory/2080-20-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1712-16-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral1/files/0x000d00000001232d-14.dat	upx
behavioral1/files/0x000d00000001232d-12.dat	upx
behavioral1/memory/2080-40-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2080-41-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2080-42-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2080-43-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2080-44-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2080-45-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2080-46-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2080-47-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2080-48-0x0000000000400000-0x0000000000510000-memory.dmp	upx

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}	036244e73f392c54c6c70107dd6563a3.exe

C:\Users\Admin\AppData\Local\Temp\036244e73f392c54c6c70107dd6563a3.exe
"C:\Users\Admin\AppData\Local\Temp\036244e73f392c54c6c70107dd6563a3.exe"
1⤵
- Checks BIOS information in registry
- Modifies registry class
PID:1712
- C:\Windows\mstwain32.exe
  "C:\Windows\mstwain32.exe"
  2⤵
  PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mstwain32.exe

Filesize
720KB

MD5
036244e73f392c54c6c70107dd6563a3

SHA1
6ce030303b1490b7c4dcae5ebe1787951a15ea06

SHA256
174721f9d5861a0415a3128debaa2147ef10dab5552454b5da3e2ae7b01b8033

SHA512
dfe0de63efe212f4a4e7b2edc9357e059b23c421c0b31344cd327e4fa6e7f89e03bdd13acdbcc71e9658c107e2c241eda968ae0dc8aff60bc3ccb9e71ef7d568

Download Submit
C:\Windows\mstwain32.exe

Filesize
382KB

MD5
c6e22417350b3f6f8f05d28ac50c6adb

SHA1
080d389936f5310685974dbf46ae5f33b54ab6f8

SHA256
3b784a0b9705e1806f40cd1cfcf0f1b5052daefe8e56593ca7e03dfbdeaa88b3

SHA512
258fccc1477f7f9933e970d601d0c1421fd56eb03562a33b5d60fa9c1053033688db52626198ffcbd3387473bbbddc6cef1ce6bfe1367f079bcb7eacb603faff

Download Submit
C:\Windows\mstwain32.exe

Filesize
92KB

MD5
d870979e12647ff636b19f5652bf4de9

SHA1
2559e6962046c48bbcabfc2b8c5e86c71b50c1f9

SHA256
d25491b0f7df7df562b18d6aa6bd1063401683333ae1d4d5b2f0066555801db3

SHA512
404927e5e4c0fa57d6c604a036385024c75a15dfd8915a042823eb88673e6a42a12adb7a90a0ca430da44bcb38fd5f6de23fa1c46dd971157d804f9c8ae16aa9

Download Submit
memory/1712-0-0x0000000001D60000-0x0000000001DEA000-memory.dmp

Filesize
552KB

Download
memory/1712-9-0x0000000002400000-0x0000000002410000-memory.dmp

Filesize
64KB

Download
memory/1712-18-0x0000000003130000-0x0000000003240000-memory.dmp

Filesize
1.1MB

Download
memory/1712-6-0x0000000001D60000-0x0000000001DEA000-memory.dmp

Filesize
552KB

Download
memory/1712-15-0x0000000001D60000-0x0000000001DEA000-memory.dmp

Filesize
552KB

Download
memory/1712-16-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/1712-1-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2080-37-0x00000000002B0000-0x000000000033A000-memory.dmp

Filesize
552KB

Download
memory/2080-42-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2080-39-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/2080-20-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2080-17-0x00000000002B0000-0x000000000033A000-memory.dmp

Filesize
552KB

Download
memory/2080-31-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2080-34-0x00000000763B0000-0x00000000764A0000-memory.dmp

Filesize
960KB

Download
memory/2080-35-0x00000000754E0000-0x00000000754F4000-memory.dmp

Filesize
80KB

Download
memory/2080-32-0x0000000001FD0000-0x0000000001FDE000-memory.dmp

Filesize
56KB

Download
memory/2080-27-0x00000000002B0000-0x000000000033A000-memory.dmp

Filesize
552KB

Download
memory/2080-36-0x00000000002B0000-0x000000000033A000-memory.dmp

Filesize
552KB

Download
memory/2080-40-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2080-41-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2080-38-0x0000000075460000-0x0000000075473000-memory.dmp

Filesize
76KB

Download
memory/2080-43-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2080-44-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2080-45-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2080-46-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2080-47-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2080-48-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2080-49-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2080-50-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2080-51-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2080-52-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2080-53-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2080-54-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing