modiloader | 4f7b25d22322329d95411b2eff1ea5b4466e1163067dcf07aa9ace5584b11fe1

Analysis

max time kernel
188s
max time network
201s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2024 11:55

Target

10b304dfe3b1e67678ffd18f7c1d0760.exe
Size

199KB
MD5

10b304dfe3b1e67678ffd18f7c1d0760
SHA1

93d32b40423204a10db14bfa20644dd7b8f4bea6
SHA256

4f7b25d22322329d95411b2eff1ea5b4466e1163067dcf07aa9ace5584b11fe1
SHA512

a76da32aef9564f6f9f80807c8bce1e1cee78b5c76328c57e06b71cecf6f569d7338ac7596dc086af17c6d80f8b8e5ee1ea52316c5152f7dc0b71b0debfb6275
SSDEEP

3072:f2prjabNBC+XfYheMtTGBBIhWLpc15UXNxSNTA86PHS6Kout:ona3C+XJMtOqgLpeUVPHSJoS

Score

10^/10

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/memory/4360-5-0x0000000000400000-0x000000000048B000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-6-0x0000000000400000-0x000000000048B000-memory.dmp	modiloader_stage2

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/4360-0-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/4360-1-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/4360-5-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/1924-4-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/4360-6-0x0000000000400000-0x000000000048B000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4360 set thread context of 1924	4360	10b304dfe3b1e67678ffd18f7c1d0760.exe	91

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\dosSetup.txt	10b304dfe3b1e67678ffd18f7c1d0760.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
632	1924	WerFault.exe	91

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4360 wrote to memory of 1924	4360	10b304dfe3b1e67678ffd18f7c1d0760.exe	91
PID 4360 wrote to memory of 1924	4360	10b304dfe3b1e67678ffd18f7c1d0760.exe	91
PID 4360 wrote to memory of 1924	4360	10b304dfe3b1e67678ffd18f7c1d0760.exe	91
PID 4360 wrote to memory of 1924	4360	10b304dfe3b1e67678ffd18f7c1d0760.exe	91
PID 4360 wrote to memory of 1924	4360	10b304dfe3b1e67678ffd18f7c1d0760.exe	91

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1924 -ip 1924
1⤵
PID:4236

memory/1924-4-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4360-0-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4360-1-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4360-2-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/4360-5-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4360-6-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download