modiloader | 5c32dd84a20a1c892702433f5cad7c0cf14dcf62df6ce5bc3f6ec3afdbaba178

General

Target

41e90b9cb286e2be25ac95d3e7180e28.exe
Size

420KB
MD5

41e90b9cb286e2be25ac95d3e7180e28
SHA1

4bce3594dd2709a9ca1e1a580b022556794f1f2a
SHA256

5c32dd84a20a1c892702433f5cad7c0cf14dcf62df6ce5bc3f6ec3afdbaba178
SHA512

f5aa04b8903d037d768907698c506a97496f880752671cbd88449f307327a4c9fdbdd46f201e3875bf34aa41a0d496faa10a4d14a1a3083f48e2b43e6b010d9a
SSDEEP

12288:D18E+ESMbk2ZcVxG0qRJopA8ZwYqwTYb4f:v6Ak2Zcu0mJoiZYqwTYb4f

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 6 IoCs

resource	yara_rule
behavioral1/memory/2792-1-0x0000000000400000-0x00000000004C103E-memory.dmp	modiloader_stage2
behavioral1/memory/2792-5-0x0000000000400000-0x00000000004C103E-memory.dmp	modiloader_stage2
behavioral1/memory/2792-11-0x0000000000400000-0x00000000004C103E-memory.dmp	modiloader_stage2
behavioral1/memory/1968-20-0x0000000000400000-0x00000000004C103E-memory.dmp	modiloader_stage2
behavioral1/memory/1968-35-0x0000000000400000-0x00000000004C103E-memory.dmp	modiloader_stage2
behavioral1/memory/2792-42-0x0000000000400000-0x00000000004C103E-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
1272	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1968	rejoice082.exe

Loads dropped DLL 2 IoCs

pid	Process
2792	41e90b9cb286e2be25ac95d3e7180e28.exe
2792	41e90b9cb286e2be25ac95d3e7180e28.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_rejoice082.exe	rejoice082.exe
File opened for modification	C:\Windows\SysWOW64\_rejoice082.exe	rejoice082.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1968 set thread context of 700	1968	rejoice082.exe	30

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice082.exe	41e90b9cb286e2be25ac95d3e7180e28.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice082.exe	41e90b9cb286e2be25ac95d3e7180e28.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat	41e90b9cb286e2be25ac95d3e7180e28.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 1968	2792	41e90b9cb286e2be25ac95d3e7180e28.exe	29
PID 2792 wrote to memory of 1968	2792	41e90b9cb286e2be25ac95d3e7180e28.exe	29
PID 2792 wrote to memory of 1968	2792	41e90b9cb286e2be25ac95d3e7180e28.exe	29
PID 2792 wrote to memory of 1968	2792	41e90b9cb286e2be25ac95d3e7180e28.exe	29
PID 1968 wrote to memory of 700	1968	rejoice082.exe	30
PID 1968 wrote to memory of 700	1968	rejoice082.exe	30
PID 1968 wrote to memory of 700	1968	rejoice082.exe	30
PID 1968 wrote to memory of 700	1968	rejoice082.exe	30
PID 1968 wrote to memory of 700	1968	rejoice082.exe	30
PID 1968 wrote to memory of 700	1968	rejoice082.exe	30
PID 1968 wrote to memory of 1680	1968	rejoice082.exe	31
PID 1968 wrote to memory of 1680	1968	rejoice082.exe	31
PID 1968 wrote to memory of 1680	1968	rejoice082.exe	31
PID 1968 wrote to memory of 1680	1968	rejoice082.exe	31
PID 2792 wrote to memory of 1272	2792	41e90b9cb286e2be25ac95d3e7180e28.exe	32
PID 2792 wrote to memory of 1272	2792	41e90b9cb286e2be25ac95d3e7180e28.exe	32
PID 2792 wrote to memory of 1272	2792	41e90b9cb286e2be25ac95d3e7180e28.exe	32
PID 2792 wrote to memory of 1272	2792	41e90b9cb286e2be25ac95d3e7180e28.exe	32
PID 2792 wrote to memory of 1272	2792	41e90b9cb286e2be25ac95d3e7180e28.exe	32
PID 2792 wrote to memory of 1272	2792	41e90b9cb286e2be25ac95d3e7180e28.exe	32
PID 2792 wrote to memory of 1272	2792	41e90b9cb286e2be25ac95d3e7180e28.exe	32

C:\Users\Admin\AppData\Local\Temp\41e90b9cb286e2be25ac95d3e7180e28.exe
"C:\Users\Admin\AppData\Local\Temp\41e90b9cb286e2be25ac95d3e7180e28.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice082.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice082.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\system32\calc.exe"
    3⤵
    PID:700
- - C:\program files\internet explorer\IEXPLORE.EXE
    "C:\program files\internet explorer\IEXPLORE.EXE"
    3⤵
    PID:1680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat""
  2⤵
  - Deletes itself
  PID:1272

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\SetupDel.bat

Filesize
184B

MD5
cae504e87648e829e68bb5932915fa4f

SHA1
d4dd676c274c1bf98f1b9e42f8a888f24f83104b

SHA256
0e37029ea9b7f3183b36b4a0e9561f8425858670537f7c671ca69400d54a1dd1

SHA512
9197ea4902965ebdc1bd189bd00440da9ed3ddda94df56319b66ebd665a0b91c1006527976d6ba646fac5becf0a7c06e22bd3a1d4e11963aba23eaf1df4dc04d

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice082.exe

Filesize
420KB

MD5
41e90b9cb286e2be25ac95d3e7180e28

SHA1
4bce3594dd2709a9ca1e1a580b022556794f1f2a

SHA256
5c32dd84a20a1c892702433f5cad7c0cf14dcf62df6ce5bc3f6ec3afdbaba178

SHA512
f5aa04b8903d037d768907698c506a97496f880752671cbd88449f307327a4c9fdbdd46f201e3875bf34aa41a0d496faa10a4d14a1a3083f48e2b43e6b010d9a

Download Submit
memory/700-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1968-20-0x0000000000400000-0x00000000004C103E-memory.dmp

Filesize
772KB

Download
memory/1968-35-0x0000000000400000-0x00000000004C103E-memory.dmp

Filesize
772KB

Download
memory/1968-25-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2792-5-0x0000000000400000-0x00000000004C103E-memory.dmp

Filesize
772KB

Download
memory/2792-24-0x0000000002010000-0x00000000020D2000-memory.dmp

Filesize
776KB

Download
memory/2792-18-0x0000000002010000-0x00000000020D2000-memory.dmp

Filesize
776KB

Download
memory/2792-11-0x0000000000400000-0x00000000004C103E-memory.dmp

Filesize
772KB

Download
memory/2792-0-0x0000000000400000-0x00000000004C103E-memory.dmp

Filesize
772KB

Download
memory/2792-4-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2792-1-0x0000000000400000-0x00000000004C103E-memory.dmp

Filesize
772KB

Download
memory/2792-42-0x0000000000400000-0x00000000004C103E-memory.dmp

Filesize
772KB

Download

Analysis

Sharing