modiloader | eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5

General

Target

eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exe
Size

116KB
MD5

31322ba972fd5bbb2a1e8e9532d043ed
SHA1

a14cd91c6e1946ab7c1e9a180a7ef27a5d1c2ca7
SHA256

eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5
SHA512

4f5a2c29cbe5a7cd1fb8b92e10a140b72a171d66e78fd9efdd7db0d67284c6db0d0f9f00a3b6931bc9d4d72869b226a03c1f34f4c3bf7ec8d32623c4d5322309
SSDEEP

1536:JOH1ZaQvR1KiX3NK6I+hZhYrt/w5Q6G6IpiRYzz9qJHhhnm0yG5aP/5PxVY:JCKQJcinxphkG5Q6GdpIOkJHhKRfY

Score

10^/10

modiloader persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Detects Windows executables referencing non-Windows User-Agents 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5084-48-0x0000000000400000-0x0000000000411000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/5084-45-0x0000000000400000-0x0000000000411000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/5084-54-0x0000000000400000-0x0000000000411000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/5084-42-0x0000000000400000-0x0000000000411000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/5084-55-0x0000000000400000-0x0000000000411000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/5084-57-0x0000000000400000-0x0000000000411000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

ModiLoader Second Stage 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5084-48-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral2/memory/5084-45-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral2/memory/5084-54-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral2/memory/5084-42-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral2/memory/5084-55-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral2/memory/5084-57-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2

UPX dump on OEP (original entry point) 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4740-6-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/memory/4740-8-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/memory/4740-11-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/memory/4740-53-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/memory/1716-56-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exe

Executes dropped EXE 3 IoCs

Processes:

Flaseher.exeFlaseher.exeFlaseher.exe

pid process

4556 Flaseher.exe
1716 Flaseher.exe
5084 Flaseher.exe

pid	process
4556	Flaseher.exe
1716	Flaseher.exe
5084	Flaseher.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4740-6-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4740-8-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4740-11-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4740-53-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1716-56-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.Flasfh = "C:\\Users\\Admin\\AppData\\Roaming\\..Flash\\Flaseher.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exeFlaseher.exe

description	pid	process	target process
PID 4664 set thread context of 4740	4664	eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exe	eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exe
PID 4556 set thread context of 1716	4556	Flaseher.exe	Flaseher.exe
PID 4556 set thread context of 5084	4556	Flaseher.exe	Flaseher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Flaseher.exe

description	pid	process
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe
Token: SeDebugPrivilege	1716	Flaseher.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exeeb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exeFlaseher.exeFlaseher.exe

pid	process
4664	eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exe
4740	eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exe
4556	Flaseher.exe
1716	Flaseher.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exeeb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.execmd.exeFlaseher.exe

description	pid	process	target process
PID 4664 wrote to memory of 4740	4664	eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exe	eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exe
PID 4664 wrote to memory of 4740	4664	eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exe	eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exe
PID 4664 wrote to memory of 4740	4664	eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exe	eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exe
PID 4664 wrote to memory of 4740	4664	eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exe	eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exe
PID 4664 wrote to memory of 4740	4664	eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exe	eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exe
PID 4664 wrote to memory of 4740	4664	eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exe	eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exe
PID 4664 wrote to memory of 4740	4664	eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exe	eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exe
PID 4664 wrote to memory of 4740	4664	eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exe	eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exe
PID 4740 wrote to memory of 1864	4740	eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exe	cmd.exe
PID 4740 wrote to memory of 1864	4740	eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exe	cmd.exe
PID 4740 wrote to memory of 1864	4740	eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exe	cmd.exe
PID 1864 wrote to memory of 1820	1864	cmd.exe	reg.exe
PID 1864 wrote to memory of 1820	1864	cmd.exe	reg.exe
PID 1864 wrote to memory of 1820	1864	cmd.exe	reg.exe
PID 4740 wrote to memory of 4556	4740	eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exe	Flaseher.exe
PID 4740 wrote to memory of 4556	4740	eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exe	Flaseher.exe
PID 4740 wrote to memory of 4556	4740	eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exe	Flaseher.exe
PID 4556 wrote to memory of 1716	4556	Flaseher.exe	Flaseher.exe
PID 4556 wrote to memory of 1716	4556	Flaseher.exe	Flaseher.exe
PID 4556 wrote to memory of 1716	4556	Flaseher.exe	Flaseher.exe
PID 4556 wrote to memory of 1716	4556	Flaseher.exe	Flaseher.exe
PID 4556 wrote to memory of 1716	4556	Flaseher.exe	Flaseher.exe
PID 4556 wrote to memory of 1716	4556	Flaseher.exe	Flaseher.exe
PID 4556 wrote to memory of 1716	4556	Flaseher.exe	Flaseher.exe
PID 4556 wrote to memory of 1716	4556	Flaseher.exe	Flaseher.exe
PID 4556 wrote to memory of 5084	4556	Flaseher.exe	Flaseher.exe
PID 4556 wrote to memory of 5084	4556	Flaseher.exe	Flaseher.exe
PID 4556 wrote to memory of 5084	4556	Flaseher.exe	Flaseher.exe
PID 4556 wrote to memory of 5084	4556	Flaseher.exe	Flaseher.exe
PID 4556 wrote to memory of 5084	4556	Flaseher.exe	Flaseher.exe
PID 4556 wrote to memory of 5084	4556	Flaseher.exe	Flaseher.exe
PID 4556 wrote to memory of 5084	4556	Flaseher.exe	Flaseher.exe
PID 4556 wrote to memory of 5084	4556	Flaseher.exe	Flaseher.exe
PID 4556 wrote to memory of 5084	4556	Flaseher.exe	Flaseher.exe
PID 4556 wrote to memory of 5084	4556	Flaseher.exe	Flaseher.exe
PID 4556 wrote to memory of 5084	4556	Flaseher.exe	Flaseher.exe
PID 4556 wrote to memory of 5084	4556	Flaseher.exe	Flaseher.exe
PID 4556 wrote to memory of 5084	4556	Flaseher.exe	Flaseher.exe

C:\Users\Admin\AppData\Local\Temp\eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exe
"C:\Users\Admin\AppData\Local\Temp\eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4664

C:\Users\Admin\AppData\Local\Temp\eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exe
"C:\Users\Admin\AppData\Local\Temp\eb8690bce983274ebe3847c757dfeb341a47db94a7ff1e35077cf2c212535fb5.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KCWAX.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v ".Flasfh" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe" /f
4⤵
- Adds Run key to start application
PID:1820

C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe
"C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4556

C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe
"C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1716

C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe
"C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"
4⤵
- Executes dropped EXE
PID:5084

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KCWAX.txt
Filesize
145B

MD5
da0cbe87b720a79b294147ed6a4b98be

SHA1
ebf0dc9efd7a12cb192e355cda87546acb4ab360

SHA256
7ccfeff356fdccc9145bd1e263aa1c56360ca7b6552ed5a5665c596d02a627ed

SHA512
f55c4a3d24d2f11db5eda3c816d1cd3b8804a171a7bf715b13d60788247fbb352eafaa5bd4e0a8086c1013396be0a48c7bdb904ab0f974fa0c75e81e3d365acc

Download Submit
C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe
Filesize
116KB

MD5
ebaf9e62d8e95914c97231f7dcd237f7

SHA1
4b1889ed0a832042b0c71c4c8b73c31d433d66af

SHA256
09b97bc7c14b66e3e2d48b182f8816be5713b5981df34301a37dc937146babdc

SHA512
262e0c396238a0ad7014f27721cf1116ff587c58874ee086ca781d984a29e00374a4319d99b194000e05bcb5e05b0fe802b8d0d1a872a26ad1e2c2623fc5bab8

Download Submit
memory/1716-56-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4556-38-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4556-47-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4556-37-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4664-2-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/4664-5-0x0000000002B40000-0x0000000002B41000-memory.dmp

Filesize
4KB

Download
memory/4664-4-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/4664-3-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

Filesize
4KB

Download
memory/4664-10-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/4740-8-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4740-11-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4740-53-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4740-6-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5084-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5084-45-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5084-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5084-42-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5084-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5084-57-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads