modiloader | 6ff59a7a9bb26552d874bf03ffd04b7c152184e443d09f79a4f2459f8a04dd55

General

Target

hesaphareketi-01.cmd
Size

4.3MB
MD5

a4be8d3b4bcc7db0198c4b47d86cce16
SHA1

a18a8390e914debee1172c82e43c784f525009c7
SHA256

6ff59a7a9bb26552d874bf03ffd04b7c152184e443d09f79a4f2459f8a04dd55
SHA512

6cab41c6d7a72e08bb880311d3ec4996fe0cb265b5125e1b7eb451e11914644b2ef18487bacb607bb1eb9cdbb7c3f53bbb3ba403d6e961f9a5aa0cbb61aa12e1
SSDEEP

24576:45Mrv/oEbMykRyeB182egMdyhXTKrXscV/bcsHuurHP0OSRB/KdHQO+j7G/0Rxa8:4KrDQy0P82syhXTdO/Q2BP05idd8dko

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 63 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1344-29-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-32-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-31-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-30-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-28-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-34-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-35-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-36-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-37-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-39-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-40-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-41-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-43-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-45-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-47-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-49-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-52-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-56-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-61-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-69-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-79-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-91-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-90-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-88-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-87-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-86-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-85-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-83-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-82-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-81-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-78-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-77-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-89-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-75-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-74-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-72-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-84-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-71-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-70-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-80-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-68-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-67-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-76-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-66-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-65-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-73-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-64-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-63-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-62-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-60-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-59-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-58-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-57-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-55-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-54-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-53-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-51-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-50-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-48-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-46-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-42-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-44-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral2/memory/1344-38-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2

Executes dropped EXE 8 IoCs

Processes:

alpha.exealpha.exekn.exealpha.exekn.exeAudio.pifalpha.exealpha.exe

pid process

3496 alpha.exe
4048 alpha.exe
1176 kn.exe
1012 alpha.exe
2408 kn.exe
1344 Audio.pif
2216 alpha.exe
4964 alpha.exe

pid	process
3496	alpha.exe
4048	alpha.exe
1176	kn.exe
1012	alpha.exe
2408	kn.exe
1344	Audio.pif
2216	alpha.exe
4964	alpha.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

cmd.exealpha.exealpha.exealpha.exe

description	pid	process	target process
PID 216 wrote to memory of 4204	216	cmd.exe	extrac32.exe
PID 216 wrote to memory of 4204	216	cmd.exe	extrac32.exe
PID 216 wrote to memory of 3496	216	cmd.exe	alpha.exe
PID 216 wrote to memory of 3496	216	cmd.exe	alpha.exe
PID 3496 wrote to memory of 4340	3496	alpha.exe	extrac32.exe
PID 3496 wrote to memory of 4340	3496	alpha.exe	extrac32.exe
PID 216 wrote to memory of 4048	216	cmd.exe	alpha.exe
PID 216 wrote to memory of 4048	216	cmd.exe	alpha.exe
PID 4048 wrote to memory of 1176	4048	alpha.exe	kn.exe
PID 4048 wrote to memory of 1176	4048	alpha.exe	kn.exe
PID 216 wrote to memory of 1012	216	cmd.exe	alpha.exe
PID 216 wrote to memory of 1012	216	cmd.exe	alpha.exe
PID 1012 wrote to memory of 2408	1012	alpha.exe	kn.exe
PID 1012 wrote to memory of 2408	1012	alpha.exe	kn.exe
PID 216 wrote to memory of 1344	216	cmd.exe	Audio.pif
PID 216 wrote to memory of 1344	216	cmd.exe	Audio.pif
PID 216 wrote to memory of 1344	216	cmd.exe	Audio.pif
PID 216 wrote to memory of 2216	216	cmd.exe	alpha.exe
PID 216 wrote to memory of 2216	216	cmd.exe	alpha.exe
PID 216 wrote to memory of 4964	216	cmd.exe	alpha.exe
PID 216 wrote to memory of 4964	216	cmd.exe	alpha.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\System32\extrac32.exe
C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
2⤵
PID:4204

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
3⤵
PID:4340

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.cmd" "C:\\Users\\Public\\Audio.mp4" 9
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.cmd" "C:\\Users\\Public\\Audio.mp4" 9
3⤵
- Executes dropped EXE
PID:1176

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12
3⤵
- Executes dropped EXE
PID:2408

C:\Users\Public\Libraries\Audio.pif
C:\Users\Public\Libraries\Audio.pif
2⤵
- Executes dropped EXE
PID:1344

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2216

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Audio.mp4" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:4964

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Audio.mp4
Filesize
3.0MB

MD5
2b394a65ee90021cb0990dbdb9ee43bb

SHA1
341e96b53dfb4831dfe1f3334cfb6405df173f52

SHA256
e106349c4b793aac809fd7b11dca2cf1a293fecd584071e9ed0b48cb0bdff857

SHA512
51eae123e69dbf6d040d88f8984b9cdb8de16c0035f05a0c355c3f2d9b372706a7c8e6bf554051842980fb043328350d380c6590ac05cefb0996ddd9a9bd3680

Download Submit
C:\Users\Public\Libraries\Audio.pif
Filesize
1.5MB

MD5
1a7ed7270f975e1aedd73a800e17a40b

SHA1
6a7b00eb876108cbbcbeaef40448ecf34a518d59

SHA256
a6d0ab763d30f720839b50458cf1e4ab601f5574dd6d835aa17488535e89bd3b

SHA512
289ef44a7e171145232f497075596bdba81f53016a8d16935a20069396f91548e5643b1fab2264613f54cb34c12974529ab01fd6e5b3a78708557df2e00781f7

Download Submit
C:\Users\Public\alpha.exe
Filesize
283KB

MD5
8a2122e8162dbef04694b9c3e0b6cdee

SHA1
f1efb0fddc156e4c61c5f78a54700e4e7984d55d

SHA256
b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

SHA512
99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

Download Submit
C:\Users\Public\kn.exe
Filesize
1.6MB

MD5
bd8d9943a9b1def98eb83e0fa48796c2

SHA1
70e89852f023ab7cde0173eda1208dbb580f1e4f

SHA256
8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2

SHA512
95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b

Download Submit
memory/1344-29-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-32-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-31-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-30-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-28-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-33-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1344-34-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-35-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-36-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-37-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-39-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-40-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-41-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-43-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-45-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-47-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-49-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-52-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-56-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-61-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-69-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-79-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-91-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-90-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-88-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-87-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-86-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-85-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-83-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-82-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-81-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-78-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-77-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-89-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-75-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-74-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-72-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-84-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-71-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-70-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-80-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-68-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-67-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-76-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-66-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-65-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-73-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-64-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-63-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-62-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-60-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-59-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-58-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-57-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-55-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-54-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-53-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-51-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-50-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-48-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-46-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-42-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-44-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/1344-38-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads