modiloader | 67820ccc5249149b19caac0761280f57bd2d677fb4c0f2aaab81bdb26053171d

Analysis

max time kernel
150s
max time network
147s
platform
windows10_x64
resource
win10-en-20211208
submitted
19-01-2022 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67820ccc5249149b19caac0761280f57bd2d677fb4c0f2aaab81bdb26053171d.exe
Size

256KB
MD5

4c62b642ff4ec34605e3e45ebedf9167
SHA1

fb799c3f0222ae527c8b9a3f8ab4cdb4ef12b02c
SHA256

67820ccc5249149b19caac0761280f57bd2d677fb4c0f2aaab81bdb26053171d
SHA512

23b79aeb68a3aacc19dfcfe29b59eb49c5c434498422378ea560be368d7ff795293c94cb5df23b63c185e801a0a15aad3ba397a7a6b4e50097a3ab59590b6a08

Score

10^/10

modiloader smokeloader vidar 1131 backdoor bootkit discovery evasion persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://abpa.at/upload/

http://emaratghajari.com/upload/

http://d7qw.cn/upload/

http://alumik-group.ru/upload/

http://zamkikurgan.ru/upload/

rc4.i32

Extracted

Family

vidar

Version

49.7

Botnet

1131

https://mastodon.online/@prophef1

https://koyu.space/@prophef2

Attributes

profile_id
1131

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata
suricata: ET MALWARE Win32/Delf.BLL Variant CnC Activity (Inbound)
suricata: ET MALWARE Win32/Delf.BLL Variant CnC Activity (Inbound)
suricata
suricata: ET MALWARE Win32/Delf.BLL Variant CnC Activity (Outbound)
suricata: ET MALWARE Win32/Delf.BLL Variant CnC Activity (Outbound)
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

ModiLoader First Stage 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1968-186-0x0000000000400000-0x000000000045A000-memory.dmp	modiloader_stage1
behavioral1/memory/1968-188-0x0000000000400000-0x000000000045A000-memory.dmp	modiloader_stage1

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/784-128-0x0000000000400000-0x0000000000794000-memory.dmp	family_vidar
behavioral1/memory/784-130-0x0000000000400000-0x0000000000794000-memory.dmp	family_vidar

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

53C.exe23A2.exe23A2.exe23A2.exe

pid process

784 53C.exe
364 23A2.exe
1980 23A2.exe
1968 23A2.exe

pid	process
784	53C.exe
364	23A2.exe
1980	23A2.exe
1968	23A2.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

53C.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	53C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	53C.exe

Deletes itself 1 IoCs

Processes:

pid process

3028
Loads dropped DLL 2 IoCs

Processes:

53C.exe

pid process

784 53C.exe
784 53C.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3028

pid	process
784	53C.exe
784	53C.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

23A2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\RevoUninstall_2_3_5 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Revo\\RevoUninstall_2_3_5.exe\""	23A2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

53C.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 53C.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

23A2.exe

description ioc process

File opened for modification \??\PhysicalDrive0 23A2.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

53C.exe

pid process

784 53C.exe
784 53C.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

23A2.exe

description pid process target process

PID 364 set thread context of 1968 364 23A2.exe 23A2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	53C.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	23A2.exe

pid	process
784	53C.exe
784	53C.exe

description	pid	process	target process
PID 364 set thread context of 1968	364	23A2.exe	23A2.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

67820ccc5249149b19caac0761280f57bd2d677fb4c0f2aaab81bdb26053171d.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	67820ccc5249149b19caac0761280f57bd2d677fb4c0f2aaab81bdb26053171d.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	67820ccc5249149b19caac0761280f57bd2d677fb4c0f2aaab81bdb26053171d.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	67820ccc5249149b19caac0761280f57bd2d677fb4c0f2aaab81bdb26053171d.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

53C.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	53C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	53C.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1312 PING.EXE

pid	process
1312	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

67820ccc5249149b19caac0761280f57bd2d677fb4c0f2aaab81bdb26053171d.exe

pid	process
2352	67820ccc5249149b19caac0761280f57bd2d677fb4c0f2aaab81bdb26053171d.exe
2352	67820ccc5249149b19caac0761280f57bd2d677fb4c0f2aaab81bdb26053171d.exe
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3028
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

67820ccc5249149b19caac0761280f57bd2d677fb4c0f2aaab81bdb26053171d.exe

pid process

2352 67820ccc5249149b19caac0761280f57bd2d677fb4c0f2aaab81bdb26053171d.exe

pid	process
3028

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

23A2.exe

description	pid	process
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeDebugPrivilege	364	23A2.exe
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

23A2.execmd.exe

description	pid	process	target process
PID 3028 wrote to memory of 784	3028		53C.exe
PID 3028 wrote to memory of 784	3028		53C.exe
PID 3028 wrote to memory of 784	3028		53C.exe
PID 3028 wrote to memory of 364	3028		23A2.exe
PID 3028 wrote to memory of 364	3028		23A2.exe
PID 3028 wrote to memory of 364	3028		23A2.exe
PID 364 wrote to memory of 2832	364	23A2.exe	cmd.exe
PID 364 wrote to memory of 2832	364	23A2.exe	cmd.exe
PID 364 wrote to memory of 2832	364	23A2.exe	cmd.exe
PID 2832 wrote to memory of 1312	2832	cmd.exe	PING.EXE
PID 2832 wrote to memory of 1312	2832	cmd.exe	PING.EXE
PID 2832 wrote to memory of 1312	2832	cmd.exe	PING.EXE
PID 364 wrote to memory of 1980	364	23A2.exe	23A2.exe
PID 364 wrote to memory of 1980	364	23A2.exe	23A2.exe
PID 364 wrote to memory of 1980	364	23A2.exe	23A2.exe
PID 364 wrote to memory of 1968	364	23A2.exe	23A2.exe
PID 364 wrote to memory of 1968	364	23A2.exe	23A2.exe
PID 364 wrote to memory of 1968	364	23A2.exe	23A2.exe
PID 364 wrote to memory of 1968	364	23A2.exe	23A2.exe
PID 364 wrote to memory of 1968	364	23A2.exe	23A2.exe
PID 364 wrote to memory of 1968	364	23A2.exe	23A2.exe
PID 364 wrote to memory of 1968	364	23A2.exe	23A2.exe
PID 364 wrote to memory of 1968	364	23A2.exe	23A2.exe
PID 364 wrote to memory of 1968	364	23A2.exe	23A2.exe
PID 364 wrote to memory of 1968	364	23A2.exe	23A2.exe
PID 364 wrote to memory of 1968	364	23A2.exe	23A2.exe

C:\Users\Admin\AppData\Local\Temp\67820ccc5249149b19caac0761280f57bd2d677fb4c0f2aaab81bdb26053171d.exe
"C:\Users\Admin\AppData\Local\Temp\67820ccc5249149b19caac0761280f57bd2d677fb4c0f2aaab81bdb26053171d.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2352

C:\Users\Admin\AppData\Local\Temp\53C.exe
C:\Users\Admin\AppData\Local\Temp\53C.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
PID:784

C:\Users\Admin\AppData\Local\Temp\23A2.exe
C:\Users\Admin\AppData\Local\Temp\23A2.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping google.com
2⤵
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\SysWOW64\PING.EXE
ping google.com
3⤵
- Runs ping.exe
PID:1312

C:\Users\Admin\AppData\Local\Temp\23A2.exe
C:\Users\Admin\AppData\Local\Temp\23A2.exe
2⤵
- Executes dropped EXE
PID:1980

C:\Users\Admin\AppData\Local\Temp\23A2.exe
C:\Users\Admin\AppData\Local\Temp\23A2.exe
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:1968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\23A2.exe
MD5
d71eb9926317054c9a8da5b7a8e22ba4

SHA1
5319a4dbdb1ae2662100375559a6247929616f2d

SHA256
07aceec8c3194a7e86f406f2cedfd0b7a765de90f1147c3bb1f58eb97617530e

SHA512
90d8aaff479ac3884607136b95d72f7d51b7b4aa9667fcd621b4890487d87bc3d10ebf13d9bffc2665d7a465a9e186f2c62f4b17a81ea8f84109d74a3d182cb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\23A2.exe
MD5
d71eb9926317054c9a8da5b7a8e22ba4

SHA1
5319a4dbdb1ae2662100375559a6247929616f2d

SHA256
07aceec8c3194a7e86f406f2cedfd0b7a765de90f1147c3bb1f58eb97617530e

SHA512
90d8aaff479ac3884607136b95d72f7d51b7b4aa9667fcd621b4890487d87bc3d10ebf13d9bffc2665d7a465a9e186f2c62f4b17a81ea8f84109d74a3d182cb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\23A2.exe
MD5
d71eb9926317054c9a8da5b7a8e22ba4

SHA1
5319a4dbdb1ae2662100375559a6247929616f2d

SHA256
07aceec8c3194a7e86f406f2cedfd0b7a765de90f1147c3bb1f58eb97617530e

SHA512
90d8aaff479ac3884607136b95d72f7d51b7b4aa9667fcd621b4890487d87bc3d10ebf13d9bffc2665d7a465a9e186f2c62f4b17a81ea8f84109d74a3d182cb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\23A2.exe
MD5
d71eb9926317054c9a8da5b7a8e22ba4

SHA1
5319a4dbdb1ae2662100375559a6247929616f2d

SHA256
07aceec8c3194a7e86f406f2cedfd0b7a765de90f1147c3bb1f58eb97617530e

SHA512
90d8aaff479ac3884607136b95d72f7d51b7b4aa9667fcd621b4890487d87bc3d10ebf13d9bffc2665d7a465a9e186f2c62f4b17a81ea8f84109d74a3d182cb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\53C.exe
MD5
b5d3bb71ea746a115af16ec859cb0cbf

SHA1
8a56a6da989c5a1e4bceea554de821387e9e01e7

SHA256
8c8fd0120327d4795bcf8fcf2ce131a480ae41cf200e844bc1eb0185cd2d3741

SHA512
9025428ba9c3c48863a6415603e5e1b157f548fb3e637ee31e21eaa7a0a6c3bd8a535fae2a17ad27ea937ad5e9084ae3d3a8e16f85a49779ce2d66a351ac699e

Download Submit
C:\Users\Admin\AppData\Local\Temp\53C.exe
MD5
b5d3bb71ea746a115af16ec859cb0cbf

SHA1
8a56a6da989c5a1e4bceea554de821387e9e01e7

SHA256
8c8fd0120327d4795bcf8fcf2ce131a480ae41cf200e844bc1eb0185cd2d3741

SHA512
9025428ba9c3c48863a6415603e5e1b157f548fb3e637ee31e21eaa7a0a6c3bd8a535fae2a17ad27ea937ad5e9084ae3d3a8e16f85a49779ce2d66a351ac699e

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
memory/364-183-0x00000000050F0000-0x000000000513C000-memory.dmp

Filesize
304KB

Download
memory/364-180-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/364-140-0x00000000005E0000-0x000000000060E000-memory.dmp

Filesize
184KB

Download
memory/364-181-0x0000000005080000-0x00000000050EC000-memory.dmp

Filesize
432KB

Download
memory/364-182-0x0000000005B80000-0x0000000005BD6000-memory.dmp

Filesize
344KB

Download
memory/364-184-0x0000000005950000-0x00000000059B6000-memory.dmp

Filesize
408KB

Download
memory/784-122-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/784-124-0x00000000023F0000-0x0000000002433000-memory.dmp

Filesize
268KB

Download
memory/784-129-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/784-128-0x0000000000400000-0x0000000000794000-memory.dmp

Filesize
3.6MB

Download
memory/784-127-0x0000000000400000-0x0000000000794000-memory.dmp

Filesize
3.6MB

Download
memory/784-126-0x0000000000400000-0x0000000000794000-memory.dmp

Filesize
3.6MB

Download
memory/784-125-0x0000000000400000-0x0000000000794000-memory.dmp

Filesize
3.6MB

Download
memory/784-130-0x0000000000400000-0x0000000000794000-memory.dmp

Filesize
3.6MB

Download
memory/784-123-0x0000000076F80000-0x0000000077142000-memory.dmp

Filesize
1.8MB

Download
memory/784-121-0x0000000000400000-0x0000000000794000-memory.dmp

Filesize
3.6MB

Download
memory/1968-186-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1968-188-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2352-115-0x0000000000030000-0x0000000000038000-memory.dmp

Filesize
32KB

Download
memory/2352-117-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2352-116-0x00000000004A0000-0x00000000005EA000-memory.dmp

Filesize
1.3MB

Download
memory/3028-118-0x00000000008A0000-0x00000000008B6000-memory.dmp

Filesize
88KB

Download