modiloader | bfd001eae6d9428aa243863fd648d981f93244cfb1b679eee3f1d346acd0bdd3

General

Target

5015334c283253e46262ee34b2aa8568.exe
Size

306KB
MD5

5015334c283253e46262ee34b2aa8568
SHA1

c95d12e199de8f756f671d21d60e1617b6f2ca73
SHA256

bfd001eae6d9428aa243863fd648d981f93244cfb1b679eee3f1d346acd0bdd3
SHA512

62a078b67aa6b526eb268e5a2736d2c0b0adbe0105ad86944ee17d03292e2d953eab43f6a1c478fb76ffc2729874bfdd1ed96ef068353694763d6f0b16bdad5b
SSDEEP

6144:q60MvQFgGKfNzBhshSbsJFnInBOKql0sKFsxP+DqmNfKqxuGcKHrmG6:8zgFt64sJFKqCnOxdqSqxuGPrB6

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/memory/456-18-0x0000000000400000-0x0000000000553210-memory.dmp	modiloader_stage2
behavioral1/memory/2788-20-0x0000000000400000-0x0000000000553210-memory.dmp	modiloader_stage2
behavioral1/memory/456-28-0x0000000000400000-0x0000000000553210-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
2668	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2788	explorer.bat

Loads dropped DLL 4 IoCs

pid	Process
456	5015334c283253e46262ee34b2aa8568.exe
456	5015334c283253e46262ee34b2aa8568.exe
2744	WerFault.exe
2744	WerFault.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\explorer.bat	5015334c283253e46262ee34b2aa8568.exe
File opened for modification	C:\Program Files\explorer.bat	5015334c283253e46262ee34b2aa8568.exe
File created	C:\Program Files\SxDel.bat	5015334c283253e46262ee34b2aa8568.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2744	2788	WerFault.exe	28

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 2788	456	5015334c283253e46262ee34b2aa8568.exe	28
PID 456 wrote to memory of 2788	456	5015334c283253e46262ee34b2aa8568.exe	28
PID 456 wrote to memory of 2788	456	5015334c283253e46262ee34b2aa8568.exe	28
PID 456 wrote to memory of 2788	456	5015334c283253e46262ee34b2aa8568.exe	28
PID 2788 wrote to memory of 2744	2788	explorer.bat	29
PID 2788 wrote to memory of 2744	2788	explorer.bat	29
PID 2788 wrote to memory of 2744	2788	explorer.bat	29
PID 2788 wrote to memory of 2744	2788	explorer.bat	29
PID 456 wrote to memory of 2668	456	5015334c283253e46262ee34b2aa8568.exe	30
PID 456 wrote to memory of 2668	456	5015334c283253e46262ee34b2aa8568.exe	30
PID 456 wrote to memory of 2668	456	5015334c283253e46262ee34b2aa8568.exe	30
PID 456 wrote to memory of 2668	456	5015334c283253e46262ee34b2aa8568.exe	30

C:\Users\Admin\AppData\Local\Temp\5015334c283253e46262ee34b2aa8568.exe
"C:\Users\Admin\AppData\Local\Temp\5015334c283253e46262ee34b2aa8568.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:456
- C:\Program Files\explorer.bat
  "C:\Program Files\explorer.bat"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 292
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\SxDel.bat""
  2⤵
  - Deletes itself
  PID:2668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\SxDel.bat

Filesize
184B

MD5
5b1659fede02de055857e5fb83a65f14

SHA1
317f55bf2ffb48e7af07a2160e97feff107e5a09

SHA256
b39b8abe505d14dc99f71846c5d7c420b5a707d5111bdadb96c1d07c67298447

SHA512
68131b319e499c365d14582dc21b60b05efd9d4908bc75ead98dec28ac1ccab0fcafc528256eedc66ba9f81a3b218e2194665d8c26034926c4d53667b5b9b721

Download Submit
C:\Program Files\explorer.bat

Filesize
102KB

MD5
62ccd7574780c97f4db62c5adb5e1b7e

SHA1
637ffee2598887d61d6b13f3bf15bfa74d65f359

SHA256
08ce45c681160c4a6ed9efb293920ec4b98b5c55c9440ef0d707ebd747e6c2d2

SHA512
57f97a79d7144fa8cecc90deb0694b84091b804466f1fd1dc6def33af4bda4723c414741ffabc22dc2f5224fdb19434cb0ba9a29ed773e29195ffbff004c0ff4

Download Submit
C:\Program Files\explorer.bat

Filesize
73KB

MD5
640e989f6b9c2d5920ba201111a11990

SHA1
d2e1d03960817538ac542b044f85c714a4e2a5c2

SHA256
ff2d54ea906dff136c03a99085a9e0840e58b6351987324585e0d1b572950b03

SHA512
e88acd098b2549e827b954242e5178c95573be77376e5ad5ffaeb52d385845e35fba5013c59a3c6363e164ff1dbbd5a7494b5e874fe8fee744bc22d8e4f7ffd8

Download Submit
\Program Files\explorer.bat

Filesize
75KB

MD5
024eb9ee40e9d065513edb933fd9e18e

SHA1
b39edad7beb4714fe599a9d986dc5b7eb75f190f

SHA256
f8a55224e7629479511a3b04e5bff0bd80acf861d6440f3492fe1c2b7bc79361

SHA512
dda6295ac826b48f989d3dd93106673c5496c67a3a922810cfd38a866d32a2db62a202be296831edc9c6c63128f439ab836e4ff724575f939e5fc60018d683d5

Download Submit
\Program Files\explorer.bat

Filesize
52KB

MD5
6098cc4854bfc7c87bf6d7cffce1a189

SHA1
b19d43e8d3f63a844621a5324ce3b5ab1db17489

SHA256
60194ebdab8bcd85683d2979facb9310cd55122b62a795170ce418f09318824b

SHA512
9232d486ba3442012721468388fed1ce83a4c4b28797d766feb118909b45baa968fca0e7ff5fb198fbb96636c46701d8e5ba91724eb6f1dbaf1f155d9dfc9908

Download Submit
\Program Files\explorer.bat

Filesize
186KB

MD5
65c382e2c44548345ad4d3dae0fe4faf

SHA1
03992ba06e11d4462e68a2b2999e69b0e8332aeb

SHA256
5bfe16e048b0118ec1ca17d58c5c12f65151a1b92b77929aecfbcc5aa89a6547

SHA512
3e4c2bb9a4756f441c8da6a0b3784c88ff75f13c900d4a51f16c28268d32320e296e3345502ac63719a02b785c634c86ad8d8cc89cfd9e19e94efcc840835806

Download Submit
\Program Files\explorer.bat

Filesize
136KB

MD5
9d13af1b0957d8270e3bfb2b2c7a6875

SHA1
90b086c1328b3b316563deaf511143c6089e11c2

SHA256
ba801068fd6ba458f79c9967aba8c2d4799f0e056cf4d5a7acc162011658d56c

SHA512
c8df6d5be21f7de6636eb5b3f52f928cdca4b2d7bf32902c9eef9376acbaf839b41091957587a8d9f73f98d0559b53f9001f0723de82c6eeb2a04c7b9d46f7b4

Download Submit
memory/456-14-0x0000000002CF0000-0x0000000002E44000-memory.dmp

Filesize
1.3MB

Download
memory/456-12-0x0000000002CF0000-0x0000000002E44000-memory.dmp

Filesize
1.3MB

Download
memory/456-2-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/456-0-0x0000000000400000-0x0000000000553210-memory.dmp

Filesize
1.3MB

Download
memory/456-18-0x0000000000400000-0x0000000000553210-memory.dmp

Filesize
1.3MB

Download
memory/456-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/456-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/456-28-0x0000000000400000-0x0000000000553210-memory.dmp

Filesize
1.3MB

Download
memory/2788-15-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2788-13-0x0000000000400000-0x0000000000553210-memory.dmp

Filesize
1.3MB

Download
memory/2788-20-0x0000000000400000-0x0000000000553210-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing