modiloader | Server-[.]bin[.]zip | Triage

Sharing

General

Target

Server-.bin.zip
Size

128KB
MD5

3327d556fe62103dadd2e47a7a7e1ec0
SHA1

59b69c5d5124c267feb98970d18611f1e0c8d1c5
SHA256

438596621e281d55185f8e8326adf85e28f2dca29d65f78196e98b8b755d8ec0
SHA512

c01c7ea507e80c61346d534933975f0d057944b8d27b33969aafb861eef7c451d9bd16676b7f46edda7b4de64587a9f9134f6ef2d800beed3031e01d2fdd2805
SSDEEP

3072:b6RpNWHuOoyghgJHhcWJFjafYmSZBem9jjDatgWAZla:b64H7oyg+n9FjawmIMmotFOU

Score

10^/10

modiloader

Malware Config

Signatures

ModiLoader Second Stage 1 IoCs

resource	yara_rule
static1/unpack001/Server-.bin.exe	modiloader_stage2

Modiloader family
modiloader

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Server-.bin.exe

Files

Server-.bin.zip
.zip

Password: infected
Server-.bin.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Sections

CODE
Size: 31KB - Virtual size: 31KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

DATA
Size: 512B - Virtual size: 256B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

BSS
Size: - Virtual size: 3KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 8B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 112KB - Virtual size: 112KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ