modiloader | 161beb2b60b7ab52e7fef7fadfd369a96ae392d58ba0b3c5b2149bb20a271d0b

General

Target

7e0fe4e13b8d2a480d6fbaff31146e52.exe
Size

208KB
MD5

7e0fe4e13b8d2a480d6fbaff31146e52
SHA1

5ac7f241001bda88ce19192d3c363cd8784efbdf
SHA256

161beb2b60b7ab52e7fef7fadfd369a96ae392d58ba0b3c5b2149bb20a271d0b
SHA512

77bf8f808fe92ee430486776bc185d9adafbcfcb52c1eecf980b5a912821a023becd02371af03279321a221f82156b8dc19b94714d9735cdcebd61931c27090a
SSDEEP

3072:2tgah3UfzCgI8EGnANZFAk195aDl6qvQrlLKjB6OK92tx/MOZG15t3EdwpDi0BeH:2iahkznANTAk15uGotFwbEqD32Hj

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/2020-14-0x0000000000400000-0x0000000000434000-memory.dmp	modiloader_stage2
behavioral1/memory/2020-42-0x0000000000400000-0x0000000000434000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
1848	server.exe

Loads dropped DLL 2 IoCs

pid	Process
2020	7e0fe4e13b8d2a480d6fbaff31146e52.exe
2020	7e0fe4e13b8d2a480d6fbaff31146e52.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1848	server.exe
1848	server.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2632	DllHost.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1848	2020	7e0fe4e13b8d2a480d6fbaff31146e52.exe	28
PID 2020 wrote to memory of 1848	2020	7e0fe4e13b8d2a480d6fbaff31146e52.exe	28
PID 2020 wrote to memory of 1848	2020	7e0fe4e13b8d2a480d6fbaff31146e52.exe	28
PID 2020 wrote to memory of 1848	2020	7e0fe4e13b8d2a480d6fbaff31146e52.exe	28
PID 1848 wrote to memory of 1340	1848	server.exe	7
PID 1848 wrote to memory of 1340	1848	server.exe	7
PID 1848 wrote to memory of 1340	1848	server.exe	7
PID 1848 wrote to memory of 1340	1848	server.exe	7
PID 1848 wrote to memory of 1340	1848	server.exe	7
PID 1848 wrote to memory of 1340	1848	server.exe	7

C:\Users\Admin\AppData\Local\Temp\7e0fe4e13b8d2a480d6fbaff31146e52.exe
"C:\Users\Admin\AppData\Local\Temp\7e0fe4e13b8d2a480d6fbaff31146e52.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1848

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1340

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\______16_.jpg

Filesize
36KB

MD5
f4feda35626896a85b8d4a173601977c

SHA1
3c91218fbcfbba0eb07f8030625e0a879de4519f

SHA256
9e861b106d2a90f9894692820cf56274ed1a015b99a7ee65860fec49100e7778

SHA512
01776d5748cd1dc5a14a784c25d65c4e200ce10dda461e44997983707b89568f0d9a2c8699e1ad2ca4f875f241d569cb2790eddbd6cc4d8b1c4607841fce62d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
28KB

MD5
9533e658b110decbaaaa2a46548505cf

SHA1
7654a137fd0c44cdc43f63c70aa210cc6ab58593

SHA256
b5fef81ee1dfbc2e12295da3c41ad1deab686c745f15141ea66b31626a69139a

SHA512
f7284231e9a5e702e8315a3c89215ece2978f4313d2f110b939fe2d842aff11e6e94206db1d741662fb053dc89899c5e0f741e131ec2408b8f9a4abd791da6e4

Download Submit
memory/1340-36-0x000000007EFC0000-0x000000007EFC6000-memory.dmp

Filesize
24KB

Download
memory/1340-27-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/1848-32-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/1848-31-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2020-8-0x0000000001F70000-0x0000000001F80000-memory.dmp

Filesize
64KB

Download
memory/2020-29-0x0000000000540000-0x0000000000549000-memory.dmp

Filesize
36KB

Download
memory/2020-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-15-0x0000000077E58000-0x0000000077E59000-memory.dmp

Filesize
4KB

Download
memory/2020-13-0x0000000000530000-0x0000000000540000-memory.dmp

Filesize
64KB

Download
memory/2020-12-0x0000000000260000-0x0000000000299000-memory.dmp

Filesize
228KB

Download
memory/2020-11-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/2020-10-0x0000000077E21000-0x0000000077E22000-memory.dmp

Filesize
4KB

Download
memory/2020-9-0x0000000001DC0000-0x0000000001EC0000-memory.dmp

Filesize
1024KB

Download
memory/2020-7-0x0000000077640000-0x0000000077750000-memory.dmp

Filesize
1.1MB

Download
memory/2020-1-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/2020-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-6-0x0000000077E1F000-0x0000000077E20000-memory.dmp

Filesize
4KB

Download
memory/2020-25-0x0000000000540000-0x0000000000549000-memory.dmp

Filesize
36KB

Download
memory/2020-2-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-3-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/2020-39-0x00000000024B0000-0x00000000024B2000-memory.dmp

Filesize
8KB

Download
memory/2020-5-0x0000000077E20000-0x0000000077E21000-memory.dmp

Filesize
4KB

Download
memory/2020-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-45-0x0000000000260000-0x0000000000299000-memory.dmp

Filesize
228KB

Download
memory/2020-46-0x0000000077640000-0x0000000077750000-memory.dmp

Filesize
1.1MB

Download
memory/2632-47-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2632-40-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download
memory/2632-55-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing