modiloader | 21fe042cd2fd349edaa03e336f0ce9eaae9ba4e66823f4065dc94ad5e3127e88

General

Target

8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe
Size

308KB
MD5

8ababd15827227492bd83e9e18f13840
SHA1

5a41dc28870ea063ce02b8c8444afe686e893fd2
SHA256

21fe042cd2fd349edaa03e336f0ce9eaae9ba4e66823f4065dc94ad5e3127e88
SHA512

f2be67808648e28384065769b9fd777e5fc6d18c90755950bfefbf78bbbb2185523da24022da3f836fb5554df456485cc32c224814a8c95073804eb3ac9a608a
SSDEEP

3072:/c3sBG7mXh7m/zZM3jAbNOM6CNtDCZFL:E3sBz0Z4Mj72F

Score

10^/10

modiloader trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/7504-147853-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/99872-73923-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/99872-73924-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/99872-73920-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/99872-73925-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/99872-73918-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/99872-83627-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/7504-147840-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/99872-147847-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/31992-147834-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/31992-147852-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/7504-147853-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe

pid process

2020 8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe

pid	process
2020	8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2020

C:\Users\Admin\AppData\Local\Temp\8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8ababd15827227492bd83e9e18f13840_NeikiAnalytics.exe"
2⤵
PID:99872

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OSYEF.bat" "
3⤵
PID:100104

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Win Pdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe" /f
4⤵
PID:100160

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
3⤵
PID:100184

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
4⤵
PID:31992

C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
4⤵
PID:7504

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OSYEF.bat
Filesize
145B

MD5
4eb61ec7816c34ec8c125acadc57ec1b

SHA1
b0015cc865c0bb1a027be663027d3829401a31cc

SHA256
08375cdb2e9819391f67f71e9718c15b48d3eaa452c54bd8fdd1f6a42e899aff

SHA512
f289f01d996dd643560370be8cdf8894e9a676ca3813f706c01ef5d705b9b18246c6cadf10d96edd433a616637b8a78fbd23c5738e76f1c4e671977b6d0cb6c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
Filesize
308KB

MD5
ca864483ffc2e9472b676ffeaad8a421

SHA1
c3016034433f6402d4f23c410fecdfc0c8467a46

SHA256
6b002daa4ac1c17b63267c2459915744d0ab02738fbc3608f194808858ff9ef5

SHA512
1861476d29730da0d4e5409fad27e17997a1a85450a311e7140c55dcd7902bc22198493b3ae38f44e7e71b65aa45952d71322272f5f19501ecb46376cfd782ed

Download Submit
memory/2020-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2020-3-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/7504-147853-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/7504-147840-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/31992-147852-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/31992-147834-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/99872-73916-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/99872-73918-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/99872-73925-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/99872-83627-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/99872-73920-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/99872-147847-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/99872-73924-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/99872-73922-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/99872-73923-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/100184-73965-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads