modiloader | 2756869dcb28558efa87f421ed3bcbfe371028ef8dce5a33513fdc299a6aec08 | Triage

Submit
Reports

Overview

overview

Static

static

1

AVSL-00467...21.chm

windows7-x64

8

AVSL-00467...21.chm

windows10-2004-x64

Resubmissions

15-01-2025 16:20

250115-ttetnazjfk 3

15-01-2025 15:00

250115-sdde8awlfy 10

Sharing

General

Target

2756869dcb28558efa87f421ed3bcbfe371028ef8dce5a33513fdc299a6aec08
Size

67KB
Sample

250115-sdde8awlfy
MD5

bc3b706a723c36f2a4cc3e8dc8a171ea
SHA1

687a24de7eb03e0ca1bdbb0453a9fa9c5ee80df1
SHA256

2756869dcb28558efa87f421ed3bcbfe371028ef8dce5a33513fdc299a6aec08
SHA512

e6dac405f8bccba3c9fe6a5b1200445a6f7885c323ef61351f53dab56da6e2b0d7c425c6f0eba5d0fe35e211f8f0f614d30692c52278a6088b0bcbbed6deb070
SSDEEP

1536:5pAI+sLa+cWhou4327/9AbCfkFLStN1ocGQPGYQ+y9j:5GI+Wpbhv79kCMUbK3QDQ+e

Score

10^/10

modiloader defense_evasion discovery execution persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

AVSL-004673321/AVSL-004673321.chm

Resource

win7-20241010-en

defense_evasion discovery execution

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

AVSL-004673321/AVSL-004673321.chm

Resource

win10v2004-20241007-en

modiloader defense_evasion discovery execution persistence trojan

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Targets

- Target
  
  AVSL-004673321/AVSL-004673321.chm
- Size
  
  75KB
- MD5
  
  98ea3f95d115f45570febc7a1872b1a7
- SHA1
  
  a0985ee5bba1ed9ea30a4422c4007d35efde92d2
- SHA256
  
  94492a4bfc8998c413bd30023b60427b394e5950eed33373f07faaf863c1d3f3
- SHA512
  
  cbd8258068e3d25a682d9402a68adf5b9f8fba7414545b86af1e801c705dca4c77b5df77696b867cddf20f803f4cb599f472d3e76202df2dd1e75471b15afd86
- SSDEEP
  
  1536:4pVD2VwAO+rou4327/9AbCtkFLStN1osGQPGYQ+yV:uVgbO+rv79kCOUbKnQDQ+C
Score

10^/10

defense_evasion discovery execution modiloader persistence trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modiloader family
  modiloader
- ModiLoader Second Stage
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Hide Artifacts: Hidden Window
  Windows that would typically be displayed when an application carries out an operation can be hidden.
  defense_evasion
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Hide Artifacts

Hidden Window

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

defense_evasiondiscoveryexecution

behavioral2

modiloaderdefense_evasiondiscoveryexecutionpersistencetrojan

© 2018-2025

Terms | Privacy