modiloader | 089a94ce8a3525914cfa5722c1a12aabf825e8161129118e8e07e2066e8d108d

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-11-2024 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

089a94ce8a3525914cfa5722c1a12aabf825e8161129118e8e07e2066e8d108dN.exe
Size

3.7MB
MD5

c9bf23c58e2ab69577b997189cb27e10
SHA1

2182bf91aa86f67e474b625d042872ca48812e6d
SHA256

089a94ce8a3525914cfa5722c1a12aabf825e8161129118e8e07e2066e8d108d
SHA512

94aa4177ac55f0031f565aa4fb9125b4a4138af2f7e774cd82359f1c45d9ad5fc896e547fbea165b2d454a79e25435fae739920eae5d4504132108f12377b357
SSDEEP

49152:E8R79kus7wpyLelZzrCGWpBBK02J4XpNHYVWTSbZXTQH1dTX3:EMGVfLelZzr/0R5NHDTS9MHjT

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2460-17-0x0000000000400000-0x00000000007E1000-memory.dmp	modiloader_stage2

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

089a94ce8a3525914cfa5722c1a12aabf825e8161129118e8e07e2066e8d108dN.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	089a94ce8a3525914cfa5722c1a12aabf825e8161129118e8e07e2066e8d108dN.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

089a94ce8a3525914cfa5722c1a12aabf825e8161129118e8e07e2066e8d108dN.exe

pid	Process
2460	089a94ce8a3525914cfa5722c1a12aabf825e8161129118e8e07e2066e8d108dN.exe
2460	089a94ce8a3525914cfa5722c1a12aabf825e8161129118e8e07e2066e8d108dN.exe
2460	089a94ce8a3525914cfa5722c1a12aabf825e8161129118e8e07e2066e8d108dN.exe
2460	089a94ce8a3525914cfa5722c1a12aabf825e8161129118e8e07e2066e8d108dN.exe
2460	089a94ce8a3525914cfa5722c1a12aabf825e8161129118e8e07e2066e8d108dN.exe

Suspicious use of SendNotifyMessage 5 IoCs

Processes:

089a94ce8a3525914cfa5722c1a12aabf825e8161129118e8e07e2066e8d108dN.exe

pid	Process
2460	089a94ce8a3525914cfa5722c1a12aabf825e8161129118e8e07e2066e8d108dN.exe
2460	089a94ce8a3525914cfa5722c1a12aabf825e8161129118e8e07e2066e8d108dN.exe
2460	089a94ce8a3525914cfa5722c1a12aabf825e8161129118e8e07e2066e8d108dN.exe
2460	089a94ce8a3525914cfa5722c1a12aabf825e8161129118e8e07e2066e8d108dN.exe
2460	089a94ce8a3525914cfa5722c1a12aabf825e8161129118e8e07e2066e8d108dN.exe

C:\Users\Admin\AppData\Local\Temp\089a94ce8a3525914cfa5722c1a12aabf825e8161129118e8e07e2066e8d108dN.exe
"C:\Users\Admin\AppData\Local\Temp\089a94ce8a3525914cfa5722c1a12aabf825e8161129118e8e07e2066e8d108dN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NetAnts.ini

Filesize
489B

MD5
c28847ed47963e28c9343f1b953adf4d

SHA1
922c57ef59d72a209151ecf92ffaeb6407b5f68f

SHA256
723f66c91f169ecd7e18cd0e39ef67e5550573bb63bea76931144a08b2175e02

SHA512
4932e26e9f5dd5b90738e1276a6e23e9672e6fd9ed1618b2c297ea401f8ef0d0e9aa8a7d42192efcd271398ec62d1244f018150bd6300aebda061c7d24585c84

Download Submit
memory/2460-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2460-17-0x0000000000400000-0x00000000007E1000-memory.dmp

Filesize
3.9MB

Download