modiloader | 26ac1b09a3ad625ccb25946b2e13437215f7ef80a73281104d2a1be87a17c09a

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
03-11-2024 00:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Foto2avi.exe
Size

2.7MB
MD5

e4c1623e0298def5ff1b3a13bc50020e
SHA1

371b75b6c102207c5ad2d761689770a23b1ee93b
SHA256

ffb570199f61559a7aa4375c6ca2be87fcb4ececb4617dd275ba54123374c2d5
SHA512

13485f73167aa468c31e2be6f0ed9a1b91c6740f04777f026ab7faef40da5a3cd64057002cd0ed8f14e5fffc8ce0f1c3efc352c8aa8d8b5c1de34eb84d14d4bf
SSDEEP

24576:Tvw9CVXHoo79kQADOFI3wgwVlxOujXso5VLGz2wQ2B/qtTqK90ZpyxK:blYORADuVWERLGs2yTqK90ZpcK

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader First Stage 7 IoCs

Processes:

resource	yara_rule
behavioral23/memory/108-1-0x0000000000400000-0x00000000006B7000-memory.dmp	modiloader_stage1
behavioral23/memory/108-404-0x0000000000400000-0x00000000006B7000-memory.dmp	modiloader_stage1
behavioral23/memory/108-505-0x0000000000400000-0x00000000006B7000-memory.dmp	modiloader_stage1
behavioral23/memory/108-907-0x0000000000400000-0x00000000006B7000-memory.dmp	modiloader_stage1
behavioral23/memory/108-1309-0x0000000000400000-0x00000000006B7000-memory.dmp	modiloader_stage1
behavioral23/memory/108-1712-0x0000000000400000-0x00000000006B7000-memory.dmp	modiloader_stage1
behavioral23/memory/108-2114-0x0000000000400000-0x00000000006B7000-memory.dmp	modiloader_stage1

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Foto2avi.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Foto2avi.exe

C:\Users\Admin\AppData\Local\Temp\Foto2avi.exe
"C:\Users\Admin\AppData\Local\Temp\Foto2avi.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GeneralSettings.ini

Filesize
1KB

MD5
4eb6a13cf1a645d485973c8786bbfde0

SHA1
1158794d67a1a8297d6121127d6a1b70917866f3

SHA256
ebaeb692de426bc97535a60f4867dfd43638bd2aece16a274d85df32fd5a1ff4

SHA512
c8926cbf26e18b7fbcbdccf0797d2bf5ee7f22f9e4d9abea3a4553ce33a757a4902d82fc4c771b2fda8ebd5614f313bc03a81caa446b61e16f233025b5991310

Download Submit
memory/108-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/108-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/108-1-0x0000000000400000-0x00000000006B7000-memory.dmp

Filesize
2.7MB

Download
memory/108-404-0x0000000000400000-0x00000000006B7000-memory.dmp

Filesize
2.7MB

Download
memory/108-505-0x0000000000400000-0x00000000006B7000-memory.dmp

Filesize
2.7MB

Download
memory/108-907-0x0000000000400000-0x00000000006B7000-memory.dmp

Filesize
2.7MB

Download
memory/108-1309-0x0000000000400000-0x00000000006B7000-memory.dmp

Filesize
2.7MB

Download
memory/108-1712-0x0000000000400000-0x00000000006B7000-memory.dmp

Filesize
2.7MB

Download
memory/108-2114-0x0000000000400000-0x00000000006B7000-memory.dmp

Filesize
2.7MB

Download