modiloader | 3d3b84fce2eb18eaf184889627e9c4edb37daaa1fd28da7fffacf1869b3db93a

Analysis

max time kernel
140s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
15-04-2024 19:27

Target

PI and payment confirmed pdf.exe
Size

1.7MB
MD5

3d32d7f783925e54c44b19ad8167ae1f
SHA1

52f65cc9aad1b8add5e9716e0aa75a6acf95c5da
SHA256

3d3b84fce2eb18eaf184889627e9c4edb37daaa1fd28da7fffacf1869b3db93a
SHA512

9d647164b3749918afd7bedc9ac92cbe5a9c6222312f02bf547a426ef0194aeef51e6563a7688c391ee215eefffa742b2abab9011e712ddaf4aacfea9b0026bb
SSDEEP

24576:nwHjAU/NotOHNgMF6iKzAnMWZ9pFH749LgIv0dd87/lpvwHsexpJd3kg4eai:nwx/AiKsd7AZv0bmvwv7jmi

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/888-2-0x00000000031B0000-0x00000000041B0000-memory.dmp	modiloader_stage2

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1412 888 WerFault.exe PI and payment confirmed pdf.exe

pid	pid_target	process	target process
1412	888	WerFault.exe	PI and payment confirmed pdf.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

PI and payment confirmed pdf.exe

description	pid	process	target process
PID 888 wrote to memory of 1412	888	PI and payment confirmed pdf.exe	WerFault.exe
PID 888 wrote to memory of 1412	888	PI and payment confirmed pdf.exe	WerFault.exe
PID 888 wrote to memory of 1412	888	PI and payment confirmed pdf.exe	WerFault.exe
PID 888 wrote to memory of 1412	888	PI and payment confirmed pdf.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\PI and payment confirmed pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PI and payment confirmed pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 676
2⤵
- Program crash
PID:1412

memory/888-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/888-1-0x00000000031B0000-0x00000000041B0000-memory.dmp

Filesize
16.0MB

Download
memory/888-2-0x00000000031B0000-0x00000000041B0000-memory.dmp

Filesize
16.0MB

Download
memory/888-4-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/888-5-0x0000000000400000-0x00000000005BC000-memory.dmp

Filesize
1.7MB

Download