modiloader | bd3044d198f2ae306261418645298d5aa9ca1a5475911c5f7556384735b86d51

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 17:22

Target

7514ae16c869ca1fdad24668a7afe6bc.exe
Size

24KB
MD5

7514ae16c869ca1fdad24668a7afe6bc
SHA1

5b0ba3538c2b7d0c21ee7f57212751919b61658b
SHA256

bd3044d198f2ae306261418645298d5aa9ca1a5475911c5f7556384735b86d51
SHA512

8780176de32148c2ba4c80c6f5ed19818a462ae70bc8e69c4b9135318456af9dd360294b06cec2ea336f686d311fa397e8ad2c5384c183def27a15974714204b
SSDEEP

384:i3pJzu/RQ+mLyvXYu5+z0Y3wqahHcgPh6RuIkTTdSk4/MmlFOUlv1Hx+mGXO:KupC2/kzwzPsRun8k4/MmlFOEtS+

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3040-12-0x0000000000400000-0x0000000000422000-memory.dmp	modiloader_stage2
behavioral1/memory/2932-11-0x0000000000400000-0x0000000000422000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

kulionzx.exe

pid process

3040 kulionzx.exe

pid	process
3040	kulionzx.exe

Drops file in Windows directory 5 IoCs

Processes:

7514ae16c869ca1fdad24668a7afe6bc.exekulionzx.exe

description	ioc	process
File opened for modification	C:\Windows\kulionzx.exe	7514ae16c869ca1fdad24668a7afe6bc.exe
File created	C:\Windows\kulionzx.dll	kulionzx.exe
File created	C:\Windows\kulionzx.exe	kulionzx.exe
File created	C:\Windows\kulionzx.dll	7514ae16c869ca1fdad24668a7afe6bc.exe
File created	C:\Windows\kulionzx.exe	7514ae16c869ca1fdad24668a7afe6bc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

7514ae16c869ca1fdad24668a7afe6bc.exe

description	pid	process	target process
PID 2932 wrote to memory of 3040	2932	7514ae16c869ca1fdad24668a7afe6bc.exe	kulionzx.exe
PID 2932 wrote to memory of 3040	2932	7514ae16c869ca1fdad24668a7afe6bc.exe	kulionzx.exe
PID 2932 wrote to memory of 3040	2932	7514ae16c869ca1fdad24668a7afe6bc.exe	kulionzx.exe
PID 2932 wrote to memory of 3040	2932	7514ae16c869ca1fdad24668a7afe6bc.exe	kulionzx.exe

C:\Windows\kulionzx.dll
Filesize
27KB

MD5
ea888177ae32de781a3635b90184dabf

SHA1
6f50e6a3778235f21c28518a0f16613b77b7d277

SHA256
6f370807a395d00021e7d7f1232d59b151713a59cc76a190f97d831fd6cbf9f8

SHA512
630a16d5a67893fcf7341cb5718e547cd2576e156f6860fe7f5bda1aed9a710131cb0b17bd044c938028dfe1a831603d5978019b7667678a86c2e0987808ea1c

Download Submit
C:\Windows\kulionzx.exe
Filesize
24KB

MD5
7514ae16c869ca1fdad24668a7afe6bc

SHA1
5b0ba3538c2b7d0c21ee7f57212751919b61658b

SHA256
bd3044d198f2ae306261418645298d5aa9ca1a5475911c5f7556384735b86d51

SHA512
8780176de32148c2ba4c80c6f5ed19818a462ae70bc8e69c4b9135318456af9dd360294b06cec2ea336f686d311fa397e8ad2c5384c183def27a15974714204b

Download Submit
memory/2932-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2932-7-0x0000000000230000-0x0000000000252000-memory.dmp

Filesize
136KB

Download
memory/2932-11-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2932-13-0x0000000000230000-0x0000000000252000-memory.dmp

Filesize
136KB

Download
memory/3040-12-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download