Overview

overview

10

Static

static

5453834568...f1.rar

windows7-x64

3

5453834568...f1.rar

windows10-2004-x64

3

IDM 6.21 B...ch.exe

windows7-x64

7

IDM 6.21 B...ch.exe

windows10-2004-x64

7

IDM 6.21 B...17.exe

windows7-x64

10

IDM 6.21 B...17.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    54538345681f03dfee0439fe6a48152b0684c049efa1db121c026be37e056af1

  • Size

    6.6MB

  • Sample

    221126-3sddwadf64

  • MD5

    11eb7cbce8b621565f1052f908356515

  • SHA1

    4beb02b6f2b7048743e061913ce1e14f7ce5465d

  • SHA256

    54538345681f03dfee0439fe6a48152b0684c049efa1db121c026be37e056af1

  • SHA512

    535555bb326e88ba0383e597ec94c9b005280de7cc30e09e20a49be4138de2c5b85e1ec9d68e8ebfd4b01374f0d6f9a4d79c580b87791aed84f80b5c9cb61403

  • SSDEEP

    196608:P+qT6nWyisUqqLUBwtTg17mxLOnx568coRo:P1Y/hkUBOTEALOEoRo

Score
10/10
modiloaderxtremeratpersistenceratspywaretrojanupx

Malware Config

Extracted

Family

xtremerat

C2

remotedesktop11.no-ip.info

Targets

    • Target

      54538345681f03dfee0439fe6a48152b0684c049efa1db121c026be37e056af1

    • Size

      6.6MB

    • MD5

      11eb7cbce8b621565f1052f908356515

    • SHA1

      4beb02b6f2b7048743e061913ce1e14f7ce5465d

    • SHA256

      54538345681f03dfee0439fe6a48152b0684c049efa1db121c026be37e056af1

    • SHA512

      535555bb326e88ba0383e597ec94c9b005280de7cc30e09e20a49be4138de2c5b85e1ec9d68e8ebfd4b01374f0d6f9a4d79c580b87791aed84f80b5c9cb61403

    • SSDEEP

      196608:P+qT6nWyisUqqLUBwtTg17mxLOnx568coRo:P1Y/hkUBOTEALOEoRo

    Score
    3/10
    behavioral1behavioral2

    • Target

      IDM 6.21 Build 17/Patch/1.internet.download.manager.v6-patch.exe

    • Size

      201KB

    • MD5

      26c455a7211b88c0dbea04c33f7bd9aa

    • SHA1

      5f4a63563c33d9569c70cc828b97a852008d2c7f

    • SHA256

      af57d588d5b5ef9ac84b51df745f628e5e4bd998ddd4e4a301074e77fd8c632a

    • SHA512

      ea4a8716f1c6779525be01d2104a24e25c327e5606b3e0aa79dcbac2007c98016d2529f3ef66ced10711a0d96453df26f81f2721aebd2f77d2e580fc16524ebd

    • SSDEEP

      3072:hqT1m55Hm9fxaGOyWLVjXEECCE8DHe7YcDoX:h41qkqEcHeZY

    Score
    7/10

    • Loads dropped DLL

    behavioral3behavioral4

    • Target

      IDM 6.21 Build 17/idman621build17.exe

    • Size

      6.3MB

    • MD5

      7f66b63ae030d04a43178df57bb78b1a

    • SHA1

      8605715d8de48241315ec8fcfb91a8380f6776c1

    • SHA256

      b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7

    • SHA512

      4a0590a23c10dd257692e1f4497912935556d4e152fe09ecd1eb2531fba0ee80a079c589068315623ff660c8e5c99871d68a4d48fecfc7ed579081c5e77def46

    • SSDEEP

      98304:A1RaZKOTNyQE17hjs+USipFnLSXF9v8CqLoiLwst/IxZsQU3wDkAaXnmkhD:4aZXTLcVs+upF4Lv8CqSstUKQU1lL5

    Score
    10/10
    modiloaderxtremeratpersistenceratspywaretrojanupx

    • Detect XtremeRAT payload

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • XtremeRAT

      The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

      persistencespywareratxtremerat

    • ModiLoader Second Stage

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral5behavioral6

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks