modiloader | 1a37ced4daf6562a2a60c4642d09db7fe6a7b7aa98c995fdbec7706fddc89bdd

Analysis

max time kernel
140s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 20:04

Target

31c9f87e2fce7dc5721278e12c578d94_JaffaCakes118.exe
Size

26KB
MD5

31c9f87e2fce7dc5721278e12c578d94
SHA1

6a5ef4a6d7021806c63fdfeaa156b1363f3f523e
SHA256

1a37ced4daf6562a2a60c4642d09db7fe6a7b7aa98c995fdbec7706fddc89bdd
SHA512

078a7d3ffe545db30f5c64e4578bbeace324da0389fbdb89dd357c42b20a11e07cd36c5947070d151c2df89a00e3796fdc81b04c2f3901d9ca410f657a63ca3d
SSDEEP

384:q3pJzu/RQ+mLyvXYu5+z0Y5JERCdN357FiHDX0yQ+s/FsjDXZc1aDFpkrQOJ:CupC2/kB5i055eXV5s/g72YU

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/memory/5104-14-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral2/memory/3656-17-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
3656	zx.exe

Loads dropped DLL 2 IoCs

pid	Process
3656	zx.exe
3656	zx.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3656	zx.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 3656	5104	31c9f87e2fce7dc5721278e12c578d94_JaffaCakes118.exe	81
PID 5104 wrote to memory of 3656	5104	31c9f87e2fce7dc5721278e12c578d94_JaffaCakes118.exe	81
PID 5104 wrote to memory of 3656	5104	31c9f87e2fce7dc5721278e12c578d94_JaffaCakes118.exe	81

C:\Users\Admin\AppData\Local\Temp\31c9f87e2fce7dc5721278e12c578d94_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\31c9f87e2fce7dc5721278e12c578d94_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5104
- C:\RECYCLER\zx.exe
  C:\RECYCLER\zx.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:3656

C:\RECYCLER\zx.dll

Filesize
33KB

MD5
58bc7ca879efbd9c448b25ae37e63096

SHA1
62d53d392930d8030a363a5fa1dbf6aa22e617e8

SHA256
183eecf29d25c1d2b955af97bf67316a0d8119c2fb6fd92083cbc3c01f799dc1

SHA512
8f229ebd6fffaeffa1dbe9ad67bbad3df6d5783dc8903ec2613d21612f97469a22df79a4f4a9f9679f4e30a025b23108bac70164627dacf1a4d19d63e9ba04c8

Download Submit
C:\RECYCLER\zx.exe

Filesize
26KB

MD5
31c9f87e2fce7dc5721278e12c578d94

SHA1
6a5ef4a6d7021806c63fdfeaa156b1363f3f523e

SHA256
1a37ced4daf6562a2a60c4642d09db7fe6a7b7aa98c995fdbec7706fddc89bdd

SHA512
078a7d3ffe545db30f5c64e4578bbeace324da0389fbdb89dd357c42b20a11e07cd36c5947070d151c2df89a00e3796fdc81b04c2f3901d9ca410f657a63ca3d

Download Submit
memory/3656-11-0x00000000004B0000-0x00000000004BE000-memory.dmp

Filesize
56KB

Download
memory/3656-15-0x00000000004B0000-0x00000000004BE000-memory.dmp

Filesize
56KB

Download
memory/3656-17-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/5104-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/5104-14-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download