modiloader | 9667031ee31c3492a484e102744829c6e83fec13c37a3a2c95a1679cb6aef59a

General

Target

9ab78b703e248f58de1a797591c6630b.exe
Size

765KB
MD5

9ab78b703e248f58de1a797591c6630b
SHA1

a59946346b8f875cc7ad6c0024db14da8928fa74
SHA256

9667031ee31c3492a484e102744829c6e83fec13c37a3a2c95a1679cb6aef59a
SHA512

c68f78d5f0709da8ff82445d26cf563d8001fae3abe42dc6008bf33aa6ec81386ead83e016321de98d1f9f4ac3ba4e6665fa58e64bc0993a557bb7ef9441dda7
SSDEEP

12288:NtPUekZkx1AEyYmueCkXyShXz2/iINCM3V5TDXTLwc9RdvK:NtnexEyYmufzyo/YcXDXTBHy

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 5 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015c46-3.dat	modiloader_stage2
behavioral1/memory/1728-18-0x0000000000400000-0x00000000004C8000-memory.dmp	modiloader_stage2
behavioral1/memory/2932-24-0x0000000000400000-0x00000000004C8000-memory.dmp	modiloader_stage2
behavioral1/memory/2364-25-0x0000000000400000-0x00000000004C8000-memory.dmp	modiloader_stage2
behavioral1/memory/2932-37-0x0000000000400000-0x00000000004C8000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
2492	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2364	rejoiceda.exe

Loads dropped DLL 5 IoCs

pid	Process
2932	9ab78b703e248f58de1a797591c6630b.exe
2932	9ab78b703e248f58de1a797591c6630b.exe
1808	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_rejoiceda.exe	rejoiceda.exe
File opened for modification	C:\Windows\SysWOW64\_rejoiceda.exe	rejoiceda.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2364 set thread context of 1728	2364	rejoiceda.exe	29

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoiceda.exe	9ab78b703e248f58de1a797591c6630b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoiceda.exe	9ab78b703e248f58de1a797591c6630b.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat	9ab78b703e248f58de1a797591c6630b.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1808	2364	WerFault.exe	28

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2364	2932	9ab78b703e248f58de1a797591c6630b.exe	28
PID 2932 wrote to memory of 2364	2932	9ab78b703e248f58de1a797591c6630b.exe	28
PID 2932 wrote to memory of 2364	2932	9ab78b703e248f58de1a797591c6630b.exe	28
PID 2932 wrote to memory of 2364	2932	9ab78b703e248f58de1a797591c6630b.exe	28
PID 2364 wrote to memory of 1728	2364	rejoiceda.exe	29
PID 2364 wrote to memory of 1728	2364	rejoiceda.exe	29
PID 2364 wrote to memory of 1728	2364	rejoiceda.exe	29
PID 2364 wrote to memory of 1728	2364	rejoiceda.exe	29
PID 2364 wrote to memory of 1728	2364	rejoiceda.exe	29
PID 2364 wrote to memory of 1728	2364	rejoiceda.exe	29
PID 2364 wrote to memory of 1808	2364	rejoiceda.exe	30
PID 2364 wrote to memory of 1808	2364	rejoiceda.exe	30
PID 2364 wrote to memory of 1808	2364	rejoiceda.exe	30
PID 2364 wrote to memory of 1808	2364	rejoiceda.exe	30
PID 2932 wrote to memory of 2492	2932	9ab78b703e248f58de1a797591c6630b.exe	31
PID 2932 wrote to memory of 2492	2932	9ab78b703e248f58de1a797591c6630b.exe	31
PID 2932 wrote to memory of 2492	2932	9ab78b703e248f58de1a797591c6630b.exe	31
PID 2932 wrote to memory of 2492	2932	9ab78b703e248f58de1a797591c6630b.exe	31

C:\Users\Admin\AppData\Local\Temp\9ab78b703e248f58de1a797591c6630b.exe
"C:\Users\Admin\AppData\Local\Temp\9ab78b703e248f58de1a797591c6630b.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoiceda.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoiceda.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\system32\calc.exe"
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 280
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat""
  2⤵
  - Deletes itself
  PID:2492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\SgotoDel.bat

Filesize
184B

MD5
abfe983036b1ab4bbe2d9f7b4d83b980

SHA1
b821234f3bf623d05e64c967f1be42d767604217

SHA256
dc123e3cdfd21b30eba4f8961aac0ebc54f29ee5f0fc0593d6e69b82df52c08a

SHA512
b38df7eb4b85d978a95f4233a0a826aeab23048f276f07d228472d58997bf399ffd4ced77bcb87a64aac1cfa1a5964dc21d3060c8355cff3d90ac6a791ae8503

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\rejoiceda.exe

Filesize
765KB

MD5
9ab78b703e248f58de1a797591c6630b

SHA1
a59946346b8f875cc7ad6c0024db14da8928fa74

SHA256
9667031ee31c3492a484e102744829c6e83fec13c37a3a2c95a1679cb6aef59a

SHA512
c68f78d5f0709da8ff82445d26cf563d8001fae3abe42dc6008bf33aa6ec81386ead83e016321de98d1f9f4ac3ba4e6665fa58e64bc0993a557bb7ef9441dda7

Download Submit
memory/1728-16-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1728-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1728-18-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2364-13-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2364-25-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2932-2-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2932-24-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2932-37-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download

Analysis

Sharing