modiloader | 084518f51a8b309a7e3f4ce87c226ccb0b17501fb59da982f7e3ba2513800272

General

Target

5eea4946116a52dac4d073b9ff3b91c5_JaffaCakes118
Size

315KB
Sample

240520-nzne4aaf3t
MD5

5eea4946116a52dac4d073b9ff3b91c5
SHA1

0522a124060cc0f4abd9be779b83e63a897f85c5
SHA256

084518f51a8b309a7e3f4ce87c226ccb0b17501fb59da982f7e3ba2513800272
SHA512

37cd3ed7a202684e0d08b293cc78bfad39c408d0c939d05ddecfad2d289001b5dcac14c953875457b9812069dec8f384bff56fba16fd3f1c99ff5d6ad5290cf0
SSDEEP

6144:T9KOQS4vXll7L1W2L4wC6pilCCHeLnbTermLtyMNda:TsvXlllh8wLp3CkBK

Score

10^/10

Malware Config

Targets

- Target
  
  5eea4946116a52dac4d073b9ff3b91c5_JaffaCakes118
- Size
  
  315KB
- MD5
  
  5eea4946116a52dac4d073b9ff3b91c5
- SHA1
  
  0522a124060cc0f4abd9be779b83e63a897f85c5
- SHA256
  
  084518f51a8b309a7e3f4ce87c226ccb0b17501fb59da982f7e3ba2513800272
- SHA512
  
  37cd3ed7a202684e0d08b293cc78bfad39c408d0c939d05ddecfad2d289001b5dcac14c953875457b9812069dec8f384bff56fba16fd3f1c99ff5d6ad5290cf0
- SSDEEP
  
  6144:T9KOQS4vXll7L1W2L4wC6pilCCHeLnbTermLtyMNda:TsvXlllh8wLp3CkBK
Score

10^/10

modiloader evasion persistence trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VirtualBox drivers on disk
  evasion
- ModiLoader Second Stage
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  883eff06ac96966270731e4e22817e11
- SHA1
  
  523c87c98236cbc04430e87ec19b977595092ac8
- SHA256
  
  44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82
- SHA512
  
  60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390
- SSDEEP
  
  96:UPDYcJ+nx4vVp76JX7zBlkCg21Fxz4THxtrqw1at0JgwLEjo+OB3yUVCdl/wNj+l:UPtkuWJX7zB3kGwfy0nyUVsxCjOMb1u
Score

3^/10
behavioral3 behavioral4
- Target
  
  AnimGif.dll
- Size
  
  87KB
- MD5
  
  aa0883f08dc5c46fe49534b7e2efc56b
- SHA1
  
  3daa11019666650e7983d052691ecca0e868ce36
- SHA256
  
  e9065c1039072792fa57e901415275edd64bdd0a79e0c0d5aa75b653f38f68d3
- SHA512
  
  33722373e4545c32f2521db407a2322f25b61a50db9d5d913e4e9087e9171dbb251807884b1788d1ba0cc7c3460cb927540ad6b55a4a4eb9a063738f028701fb
- SSDEEP
  
  1536:0zchUGlwhpu3R7gl7slcf3B3PjZ4tky9ttQc34EDHAW5dc86wu3duGMGODTrLTsk:STGlwzu3R7wPlQpIELAkvxu3or/r
Score

10^/10

modiloader trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- ModiLoader Second Stage
- Suspicious use of SetThreadContext
behavioral5 behavioral6