modiloader | db5c362b0b4ec0a9bbc7b2c5a186a22019c82c2a96a7c326fad2e1f095de22db

Resubmissions

01/03/2024, 15:31

240301-syf2vahd64 10

20/02/2024, 16:00

240220-tfmmcaba5s 10

Analysis

max time kernel
133s
max time network
140s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
20/02/2024, 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Swift 19022024.bat
Size

2.2MB
MD5

6dc5aa35800875f5e06a20da26286f13
SHA1

b9fbf17b8a2aeae452050b2f660ef8cff024a433
SHA256

db5c362b0b4ec0a9bbc7b2c5a186a22019c82c2a96a7c326fad2e1f095de22db
SHA512

a51120e0800a2694ae14267faf667dc5f37be76bf17bcc042931ef8a1f7f8b38237bf12f441ce3eec7eb4aba15428e3ddcbaa2f23a2944b7f8adbe9c9a5649ab
SSDEEP

24576:RLM2LFX2P6Qv1hhxfAswo1eoKHMX+mIi8g1CLbGBi3oucj+9OtOT+a0sloBJCpDo:RYQSv1fxfAsJ1eoVuSDW0YXEx

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2988-5-0x00000000037D0000-0x00000000047D0000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
2988	pointer.com

Loads dropped DLL 2 IoCs

pid	Process
2660	WerFault.exe
2660	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2660	2988	WerFault.exe	32

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2720	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2988	pointer.com

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2676	2904	cmd.exe	29
PID 2904 wrote to memory of 2676	2904	cmd.exe	29
PID 2904 wrote to memory of 2676	2904	cmd.exe	29
PID 2676 wrote to memory of 2716	2676	cmd.exe	30
PID 2676 wrote to memory of 2716	2676	cmd.exe	30
PID 2676 wrote to memory of 2716	2676	cmd.exe	30
PID 2904 wrote to memory of 2720	2904	cmd.exe	31
PID 2904 wrote to memory of 2720	2904	cmd.exe	31
PID 2904 wrote to memory of 2720	2904	cmd.exe	31
PID 2904 wrote to memory of 2988	2904	cmd.exe	32
PID 2904 wrote to memory of 2988	2904	cmd.exe	32
PID 2904 wrote to memory of 2988	2904	cmd.exe	32
PID 2904 wrote to memory of 2988	2904	cmd.exe	32
PID 2988 wrote to memory of 2660	2988	pointer.com	33
PID 2988 wrote to memory of 2660	2988	pointer.com	33
PID 2988 wrote to memory of 2660	2988	pointer.com	33
PID 2988 wrote to memory of 2660	2988	pointer.com	33

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Swift 19022024.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\system32\cmd.exe
  cmd /c certutil -decodehex "C:\Users\Admin\AppData\Local\Temp\Swift 19022024.bat" "C:\Users\Public\pointer.com" 3
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\system32\certutil.exe
    certutil -decodehex "C:\Users\Admin\AppData\Local\Temp\Swift 19022024.bat" "C:\Users\Public\pointer.com" 3
    3⤵
    PID:2716
- C:\Windows\system32\PING.EXE
  PING -n 3 127.0.0.1
  2⤵
  - Runs ping.exe
  PID:2720
- C:\Users\Public\pointer.com
  C:\Users\Public\pointer.com
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 732
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\pointer.com

Filesize
1.3MB

MD5
5e14df714a090c430526a6a3f5ae14a9

SHA1
9d30febbb7666626c8c3a917aeccdda79d39f18a

SHA256
699a27d39fd0baa6dee651adf1995ca6eb168657b41235fd0d2cd74c738a8cac

SHA512
d20540378cf8e76b39beff338de024d9e061a1c84ab5ac2a0033b2b76f5d845234016b35fcdcabb03c049d65f279101a9993a145b369591b4821c880efb70e34

Download Submit
memory/2988-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2988-4-0x00000000037D0000-0x00000000047D0000-memory.dmp

Filesize
16.0MB

Download
memory/2988-5-0x00000000037D0000-0x00000000047D0000-memory.dmp

Filesize
16.0MB

Download
memory/2988-7-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2988-8-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download