modiloader | 5de60bc4035d25ada5af9bd3ce00a6387c11b05158b41ede5830f79691b0cfe5

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-03-2024 12:20

Target

b4aeb4ac98d6d2d25722157fadec196c.exe
Size

76KB
MD5

b4aeb4ac98d6d2d25722157fadec196c
SHA1

a5a84ef60f8dfa412f6b4d733f68530bf211ae49
SHA256

5de60bc4035d25ada5af9bd3ce00a6387c11b05158b41ede5830f79691b0cfe5
SHA512

ba45d1eccc2b779565e932bccf6e91fca068214fa5eb128817a21d284499028ccc1ab7a29421a2cfe4e29bfe7503fafbfb344f9c1bf5e740189101cce3228e1c
SSDEEP

1536:yRrqdRQVsiz2lW5zoLuTXr1GZYH8yNqeaIbGNW4haB5SIMS2:0Vddzo85GZxy45hac9

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/1324-4-0x0000000010000000-0x000000001001A000-memory.dmp	modiloader_stage2

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1324 set thread context of 1676	1324	b4aeb4ac98d6d2d25722157fadec196c.exe	28

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 1676	1324	b4aeb4ac98d6d2d25722157fadec196c.exe	28
PID 1324 wrote to memory of 1676	1324	b4aeb4ac98d6d2d25722157fadec196c.exe	28
PID 1324 wrote to memory of 1676	1324	b4aeb4ac98d6d2d25722157fadec196c.exe	28
PID 1324 wrote to memory of 1676	1324	b4aeb4ac98d6d2d25722157fadec196c.exe	28
PID 1324 wrote to memory of 1676	1324	b4aeb4ac98d6d2d25722157fadec196c.exe	28
PID 1324 wrote to memory of 1676	1324	b4aeb4ac98d6d2d25722157fadec196c.exe	28

C:\Users\Admin\AppData\Local\Temp\b4aeb4ac98d6d2d25722157fadec196c.exe
"C:\Users\Admin\AppData\Local\Temp\b4aeb4ac98d6d2d25722157fadec196c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Users\Admin\AppData\Local\Temp\b4aeb4ac98d6d2d25722157fadec196c.exe
  C:\Users\Admin\AppData\Local\Temp\b4aeb4ac98d6d2d25722157fadec196c.exe
  2⤵
  PID:1676

memory/1324-4-0x0000000010000000-0x000000001001A000-memory.dmp

Filesize
104KB

Download
memory/1676-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1676-3-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1676-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1676-6-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1676-7-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1676-8-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download