modiloader | 1dfec9551e64df9bf78f9a72030e8f4cfc62f494fc6d564d99f5cdcc90578805

Analysis

max time kernel
141s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2024, 13:33

Target

777eb6912c3e2aba4051fbd27ab8d77d.exe
Size

152KB
MD5

777eb6912c3e2aba4051fbd27ab8d77d
SHA1

6946fa0a5bbbd88e4c1a4e91dbb296adf74a4f2e
SHA256

1dfec9551e64df9bf78f9a72030e8f4cfc62f494fc6d564d99f5cdcc90578805
SHA512

d2776d8c4aba0fee4abc2ca003f707ce19f0d6482a9b7e538f5b5f1c6e12978cb181b80ef46fbe6cda0c90c143d06382a3cb7b78a082f64f0a67edb89ceaebb3
SSDEEP

1536:MsCqYOQXNCejiv6qZQQAe55DvLPBtJpFHSOuopFWnj7r:UOmNzjifQvenTV3p1SaQP

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 4 IoCs

resource	yara_rule
behavioral2/memory/968-0-0x0000000000400000-0x0000000000426000-memory.dmp	modiloader_stage2
behavioral2/files/0x0007000000023232-4.dat	modiloader_stage2
behavioral2/memory/968-14-0x0000000000400000-0x0000000000426000-memory.dmp	modiloader_stage2
behavioral2/memory/3328-17-0x0000000000400000-0x0000000000426000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
3328	wmsj.exe

Loads dropped DLL 2 IoCs

pid	Process
3328	wmsj.exe
3328	wmsj.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\wmsj.exe	777eb6912c3e2aba4051fbd27ab8d77d.exe
File opened for modification	C:\Windows\wmsj.exe	777eb6912c3e2aba4051fbd27ab8d77d.exe
File created	C:\Windows\video.dll	wmsj.exe
File created	C:\Windows\wmsj.exe	wmsj.exe
File created	C:\Windows\video.dll	777eb6912c3e2aba4051fbd27ab8d77d.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3328	wmsj.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 3328	968	777eb6912c3e2aba4051fbd27ab8d77d.exe	85
PID 968 wrote to memory of 3328	968	777eb6912c3e2aba4051fbd27ab8d77d.exe	85
PID 968 wrote to memory of 3328	968	777eb6912c3e2aba4051fbd27ab8d77d.exe	85

C:\Windows\video.dll

Filesize
35KB

MD5
0205ae0d092565db3707c574d960d557

SHA1
cc769bf4e8900e473142d9851ad6beddd7ca411d

SHA256
e97fec169e9467cd7f05e53c1c4a2a7c5047054ff6c35d2069174c956b8859d8

SHA512
5e1206a8d7a9fe08d010d0db8832a699ed9064853768a9648bf3c95ba5614984f3b2ad4d5740d0c9cbea52ee55e616b4ee983108cbfd350da00731513ef6bd68

Download Submit
C:\Windows\wmsj.exe

Filesize
152KB

MD5
777eb6912c3e2aba4051fbd27ab8d77d

SHA1
6946fa0a5bbbd88e4c1a4e91dbb296adf74a4f2e

SHA256
1dfec9551e64df9bf78f9a72030e8f4cfc62f494fc6d564d99f5cdcc90578805

SHA512
d2776d8c4aba0fee4abc2ca003f707ce19f0d6482a9b7e538f5b5f1c6e12978cb181b80ef46fbe6cda0c90c143d06382a3cb7b78a082f64f0a67edb89ceaebb3

Download Submit
memory/968-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/968-14-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3328-11-0x0000000000590000-0x000000000059E000-memory.dmp

Filesize
56KB

Download
memory/3328-15-0x0000000000590000-0x000000000059E000-memory.dmp

Filesize
56KB

Download
memory/3328-17-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download