modiloader | e5301b4327f48190ac46285e3f72669948ab296eea2fb812891d42b0133e7dac

General

Target

PO-565362627627.cmd
Size

4.3MB
MD5

8aa8b69f3132a524421cf7fe0911bbd9
SHA1

5ff1ffa9f1309110774dd079a96ea3f66773a081
SHA256

c1ec40707b9212d81d8ec40950e1222c3b5124d07974c56df33706637986f8dd
SHA512

b434ee49f1a8b004c4f521122a551c1f5e433e9c8ca7427e18d4d44cec06298aac5c4572d3802b3184e14db4f998da1d5354935a20e7ffe0721402fbc3a3652d
SSDEEP

24576:45Mrv/oEbMykRyeB182egMdyhXTKrXscV/bcsHuurHP0OSRB/KdHQO+j7G/0Rxaw:4KrDQy0P82syhXTdO/Q2BP05idd8dkE

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 63 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2204-29-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-31-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-32-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-30-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-28-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-34-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-35-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-36-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-38-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-40-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-43-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-46-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-51-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-59-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-70-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-85-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-91-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-90-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-89-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-88-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-87-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-86-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-84-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-83-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-82-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-81-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-79-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-77-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-76-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-73-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-72-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-71-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-69-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-68-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-67-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-80-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-66-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-78-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-65-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-64-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-63-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-75-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-74-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-61-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-62-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-60-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-58-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-57-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-55-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-54-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-53-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-52-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-50-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-49-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-48-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-47-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-45-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-44-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-42-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-41-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-39-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-37-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2
behavioral2/memory/2204-33-0x0000000002970000-0x0000000003970000-memory.dmp	modiloader_stage2

Executes dropped EXE 8 IoCs

Processes:

alpha.exealpha.exekn.exealpha.exekn.exeAudio.pifalpha.exealpha.exe

pid process

4240 alpha.exe
3260 alpha.exe
1912 kn.exe
4528 alpha.exe
4136 kn.exe
2204 Audio.pif
4608 alpha.exe
4116 alpha.exe

pid	process
4240	alpha.exe
3260	alpha.exe
1912	kn.exe
4528	alpha.exe
4136	kn.exe
2204	Audio.pif
4608	alpha.exe
4116	alpha.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

Processes:

flow	ioc
4	drive.google.com
10	drive.google.com
11	drive.google.com
12	drive.google.com
13	drive.google.com
14	drive.google.com
15	drive.google.com
16	drive.google.com

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

cmd.exealpha.exealpha.exealpha.exe

description	pid	process	target process
PID 2024 wrote to memory of 3508	2024	cmd.exe	extrac32.exe
PID 2024 wrote to memory of 3508	2024	cmd.exe	extrac32.exe
PID 2024 wrote to memory of 4240	2024	cmd.exe	alpha.exe
PID 2024 wrote to memory of 4240	2024	cmd.exe	alpha.exe
PID 4240 wrote to memory of 4588	4240	alpha.exe	extrac32.exe
PID 4240 wrote to memory of 4588	4240	alpha.exe	extrac32.exe
PID 2024 wrote to memory of 3260	2024	cmd.exe	alpha.exe
PID 2024 wrote to memory of 3260	2024	cmd.exe	alpha.exe
PID 3260 wrote to memory of 1912	3260	alpha.exe	kn.exe
PID 3260 wrote to memory of 1912	3260	alpha.exe	kn.exe
PID 2024 wrote to memory of 4528	2024	cmd.exe	alpha.exe
PID 2024 wrote to memory of 4528	2024	cmd.exe	alpha.exe
PID 4528 wrote to memory of 4136	4528	alpha.exe	kn.exe
PID 4528 wrote to memory of 4136	4528	alpha.exe	kn.exe
PID 2024 wrote to memory of 2204	2024	cmd.exe	Audio.pif
PID 2024 wrote to memory of 2204	2024	cmd.exe	Audio.pif
PID 2024 wrote to memory of 2204	2024	cmd.exe	Audio.pif
PID 2024 wrote to memory of 4608	2024	cmd.exe	alpha.exe
PID 2024 wrote to memory of 4608	2024	cmd.exe	alpha.exe
PID 2024 wrote to memory of 4116	2024	cmd.exe	alpha.exe
PID 2024 wrote to memory of 4116	2024	cmd.exe	alpha.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PO-565362627627.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\System32\extrac32.exe
C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
2⤵
PID:3508

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
3⤵
PID:4588

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\PO-565362627627.cmd" "C:\\Users\\Public\\Audio.mp4" 9
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\PO-565362627627.cmd" "C:\\Users\\Public\\Audio.mp4" 9
3⤵
- Executes dropped EXE
PID:1912

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12
3⤵
- Executes dropped EXE
PID:4136

C:\Users\Public\Libraries\Audio.pif
C:\Users\Public\Libraries\Audio.pif
2⤵
- Executes dropped EXE
PID:2204

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:4608

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Audio.mp4" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:4116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Audio.mp4
Filesize
3.0MB

MD5
eb6a7f256c8f499acbe890dc5cff775d

SHA1
9a70db1b2ac259c77deff82242f640185324acd0

SHA256
d2ad20db4d124137de977e37722776aa8ea45a544a6be5622c25c192bbd5db22

SHA512
8ead95d487540048c9aca857d4180d4287346dde701285bd9b9f533df89dc54bddc1708e11948802abd8d51d8d9f02235eecba249c65b88d74c036e5c013e67b

Download Submit
C:\Users\Public\Libraries\Audio.pif
Filesize
1.5MB

MD5
dd36e25502ab7c5a82a8cd1b648a4c0a

SHA1
461bf33b6ad324052de5250690e4df597f588224

SHA256
6c311507952d4c2abd1a762d30946f62ae5297c6cb8ac263cf7cdb6918a5a8b8

SHA512
0c4461822675ac0b80bc2a7757297f742a9d36f9d1b96d3433abe057fd717d8274f100d12bb1ed2ddf2a445a7121d1a97a6dbc1d5eed00af1bc83c483669a34d

Download Submit
C:\Users\Public\alpha.exe
Filesize
283KB

MD5
8a2122e8162dbef04694b9c3e0b6cdee

SHA1
f1efb0fddc156e4c61c5f78a54700e4e7984d55d

SHA256
b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

SHA512
99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

Download Submit
C:\Users\Public\kn.exe
Filesize
1.6MB

MD5
bd8d9943a9b1def98eb83e0fa48796c2

SHA1
70e89852f023ab7cde0173eda1208dbb580f1e4f

SHA256
8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2

SHA512
95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b

Download Submit
memory/2204-29-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-31-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-32-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-30-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-28-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-34-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-35-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-36-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-38-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-40-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-43-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-46-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-51-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-59-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-70-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-85-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-91-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-90-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-89-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-88-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-87-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-86-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-84-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-83-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-82-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-81-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-79-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-77-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-76-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-73-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-72-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-71-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-69-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-68-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-67-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-80-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-66-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-78-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-65-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-64-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-63-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-75-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-74-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-61-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-62-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-60-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-58-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-57-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-55-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-54-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-53-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-52-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-50-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-49-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-56-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2204-48-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-47-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-45-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-44-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-42-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-41-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-39-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-37-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download
memory/2204-33-0x0000000002970000-0x0000000003970000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads