modiloader | 49d34555d259345615d26b6bcd5b80ff42a637c7b08cae98d31261f8a9b22869

Analysis

max time kernel
117s
max time network
147s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10/01/2024, 19:19

Target

38372d28ba80dc989413496192cfa09c.exe
Size

935KB
MD5

38372d28ba80dc989413496192cfa09c
SHA1

42c198445781e696c069ee7fb4ab166561a54df5
SHA256

49d34555d259345615d26b6bcd5b80ff42a637c7b08cae98d31261f8a9b22869
SHA512

05c5ddadfd526c44959a969ebb15658f200e08389c17f17813b1401559ed4191c1061054b3d248f9afd7328e56587594c2ac1604dd515f04a11329698b4af574
SSDEEP

24576:3Z1d9fhJlY2sZruyEcE3CHcXH+wWqMQx3KPi1agN7:3bd42oZEcGX+zqMo311aM7

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 5 IoCs

resource	yara_rule
behavioral1/memory/2560-1-0x0000000010000000-0x00000000100EF15C-memory.dmp	modiloader_stage2
behavioral1/memory/2560-6-0x0000000010000000-0x00000000100EF15C-memory.dmp	modiloader_stage2
behavioral1/memory/2580-10-0x00000000005F0000-0x00000000006DA000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-11-0x0000000000400000-0x00000000004E7000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-14-0x0000000000400000-0x00000000004E7000-memory.dmp	modiloader_stage2

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2560 set thread context of 2580	2560	38372d28ba80dc989413496192cfa09c.exe	29

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 2580	2560	38372d28ba80dc989413496192cfa09c.exe	29
PID 2560 wrote to memory of 2580	2560	38372d28ba80dc989413496192cfa09c.exe	29
PID 2560 wrote to memory of 2580	2560	38372d28ba80dc989413496192cfa09c.exe	29
PID 2560 wrote to memory of 2580	2560	38372d28ba80dc989413496192cfa09c.exe	29
PID 2560 wrote to memory of 2580	2560	38372d28ba80dc989413496192cfa09c.exe	29
PID 2560 wrote to memory of 2580	2560	38372d28ba80dc989413496192cfa09c.exe	29

C:\Users\Admin\AppData\Local\Temp\38372d28ba80dc989413496192cfa09c.exe
"C:\Users\Admin\AppData\Local\Temp\38372d28ba80dc989413496192cfa09c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Users\Admin\AppData\Local\Temp\38372d28ba80dc989413496192cfa09c.exe
  C:\Users\Admin\AppData\Local\Temp\38372d28ba80dc989413496192cfa09c.exe
  2⤵
  PID:2580

memory/2560-3-0x0000000001EA0000-0x0000000001F90000-memory.dmp

Filesize
960KB

Download
memory/2560-1-0x0000000010000000-0x00000000100EF15C-memory.dmp

Filesize
956KB

Download
memory/2560-6-0x0000000010000000-0x00000000100EF15C-memory.dmp

Filesize
956KB

Download
memory/2580-8-0x0000000010000000-0x00000000100EF15C-memory.dmp

Filesize
956KB

Download
memory/2580-5-0x00000000005F0000-0x00000000006DA000-memory.dmp

Filesize
936KB

Download
memory/2580-0-0x00000000005F0000-0x00000000006DA000-memory.dmp

Filesize
936KB

Download
memory/2580-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2580-9-0x00000000005F0000-0x00000000006DA000-memory.dmp

Filesize
936KB

Download
memory/2580-10-0x00000000005F0000-0x00000000006DA000-memory.dmp

Filesize
936KB

Download
memory/2580-12-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2580-11-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2580-14-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2580-15-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download