modiloader | 7b2a7157c32407cf51fe037bff2c86b022a3801e29b262f2486687a7958dafa6

General

Target

Swift_Banco_Lacaixa_03985098y709704830000986965069929.cmd
Size

3.0MB
MD5

c6a27d493b2d86fd5e6cb323d79a7cc1
SHA1

0002d64961aa5e85c8c051821ded45c8cbfa6fd0
SHA256

cedb2a15eafab50e46e737ab54f4868f7dc32130b657036e7425122842213f9f
SHA512

ba0f9088eb5ae6cb596b5c16fd64a3d4f9f333b9c510ec3e3a2c16ce5bc8322b8293caea16c81eb7ed056869e2207b159c49a721ee58fbf3e763f8eaad4f6079
SSDEEP

24576:EL49v/AB0iDiIle024r8b92SueW48Wal8iGxwvxA4TeEd6ys/8aOiFzdX:EsVYB1Dle03u92s78WNROezdX

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/548-30-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-32-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-31-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-29-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-28-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-33-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-34-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-36-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-39-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-38-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-44-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-52-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-66-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-91-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-90-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-89-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-87-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-86-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-85-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-83-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-82-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-81-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-80-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-79-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-77-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-76-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-75-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-73-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-72-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-70-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-65-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-88-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-63-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-84-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-60-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-59-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-78-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-74-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-71-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-69-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-68-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-67-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-64-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-48-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-62-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-47-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-61-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-58-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-57-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-46-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-56-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-45-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-55-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-54-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-53-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-51-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-50-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-43-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-49-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-42-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-40-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-41-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-37-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2
behavioral2/memory/548-35-0x0000000002910000-0x0000000003910000-memory.dmp	modiloader_stage2

Executes dropped EXE 8 IoCs

Processes:

alpha.exealpha.exekn.exealpha.exekn.exeAudio.pifalpha.exealpha.exe

pid process

2204 alpha.exe
2060 alpha.exe
3372 kn.exe
4896 alpha.exe
5008 kn.exe
548 Audio.pif
4752 alpha.exe
4980 alpha.exe

pid	process
2204	alpha.exe
2060	alpha.exe
3372	kn.exe
4896	alpha.exe
5008	kn.exe
548	Audio.pif
4752	alpha.exe
4980	alpha.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

cmd.exealpha.exealpha.exealpha.exe

description	pid	process	target process
PID 1808 wrote to memory of 3308	1808	cmd.exe	extrac32.exe
PID 1808 wrote to memory of 3308	1808	cmd.exe	extrac32.exe
PID 1808 wrote to memory of 2204	1808	cmd.exe	alpha.exe
PID 1808 wrote to memory of 2204	1808	cmd.exe	alpha.exe
PID 2204 wrote to memory of 1780	2204	alpha.exe	extrac32.exe
PID 2204 wrote to memory of 1780	2204	alpha.exe	extrac32.exe
PID 1808 wrote to memory of 2060	1808	cmd.exe	alpha.exe
PID 1808 wrote to memory of 2060	1808	cmd.exe	alpha.exe
PID 2060 wrote to memory of 3372	2060	alpha.exe	kn.exe
PID 2060 wrote to memory of 3372	2060	alpha.exe	kn.exe
PID 1808 wrote to memory of 4896	1808	cmd.exe	alpha.exe
PID 1808 wrote to memory of 4896	1808	cmd.exe	alpha.exe
PID 4896 wrote to memory of 5008	4896	alpha.exe	kn.exe
PID 4896 wrote to memory of 5008	4896	alpha.exe	kn.exe
PID 1808 wrote to memory of 548	1808	cmd.exe	Audio.pif
PID 1808 wrote to memory of 548	1808	cmd.exe	Audio.pif
PID 1808 wrote to memory of 548	1808	cmd.exe	Audio.pif
PID 1808 wrote to memory of 4752	1808	cmd.exe	alpha.exe
PID 1808 wrote to memory of 4752	1808	cmd.exe	alpha.exe
PID 1808 wrote to memory of 4980	1808	cmd.exe	alpha.exe
PID 1808 wrote to memory of 4980	1808	cmd.exe	alpha.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Swift_Banco_Lacaixa_03985098y709704830000986965069929.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\System32\extrac32.exe
C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
2⤵
PID:3308

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
3⤵
PID:1780

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Swift_Banco_Lacaixa_03985098y709704830000986965069929.cmd" "C:\\Users\\Public\\Audio.mp4" 9
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Swift_Banco_Lacaixa_03985098y709704830000986965069929.cmd" "C:\\Users\\Public\\Audio.mp4" 9
3⤵
- Executes dropped EXE
PID:3372

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12
3⤵
- Executes dropped EXE
PID:5008

C:\Users\Public\Libraries\Audio.pif
C:\Users\Public\Libraries\Audio.pif
2⤵
- Executes dropped EXE
PID:548

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:4752

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Audio.mp4" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:4980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Audio.mp4
Filesize
2.1MB

MD5
477f72d9265e3a6f81faaaec24f4d112

SHA1
d1992b3ed3549a4d321cff45a6f0df8ecbf2f884

SHA256
66ddfb6def00a1e199f450c68519adcf92355e6fbc6b6612d98f25010405997c

SHA512
e347c01acc692360f2c9c1b36c084e9a536a4db0214c1d7f027deffa9f383e9b7a92cfaf91cfb5e9ec38fd9f5782a1fe31003dfc85f148d9bd543f1a588589da

Download Submit
C:\Users\Public\Libraries\Audio.pif
Filesize
1.0MB

MD5
b2162fcd0616625d0b11bcc1df6e0f73

SHA1
fe5cf0fd63d931acef1362119f6309411342ee2b

SHA256
fd4e263c7d87abc98d9c38fe5e95638a3ca8c504b6fd6d34359e0e9141928f59

SHA512
fc2e021c01c57e7d84c41110ac38ca7cee1fec7b26ff5c1f53fac75351ca6f0add0ca8a8f42a0ab2f15dfe6b6cf2790f826e10c14f00fae1e6a829daba86aa21

Download Submit
C:\Users\Public\alpha.exe
Filesize
283KB

MD5
8a2122e8162dbef04694b9c3e0b6cdee

SHA1
f1efb0fddc156e4c61c5f78a54700e4e7984d55d

SHA256
b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

SHA512
99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

Download Submit
C:\Users\Public\kn.exe
Filesize
1.6MB

MD5
bd8d9943a9b1def98eb83e0fa48796c2

SHA1
70e89852f023ab7cde0173eda1208dbb580f1e4f

SHA256
8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2

SHA512
95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b

Download Submit
memory/548-30-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-32-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-31-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-29-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-28-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-33-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-34-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-36-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-39-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-38-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-44-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-52-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-66-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-91-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-90-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-89-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-87-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-86-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-85-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-83-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-82-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-81-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-80-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-79-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-77-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-76-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-75-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-73-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-72-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-70-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-65-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-88-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-63-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-84-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-60-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-59-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-78-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-74-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-71-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-69-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-68-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-67-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-64-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-48-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-62-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-47-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-61-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-58-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-57-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-46-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-56-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-45-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-55-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-54-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-53-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-51-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-50-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-43-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-49-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-42-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-40-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-41-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-37-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download
memory/548-35-0x0000000002910000-0x0000000003910000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads