modiloader | 54538345681f03dfee0439fe6a48152b0684c049efa1db121c026be37e056af1

Analysis

max time kernel
161s
max time network
106s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IDM 6.21 Build 17/idman621build17.exe
Size

6.3MB
MD5

7f66b63ae030d04a43178df57bb78b1a
SHA1

8605715d8de48241315ec8fcfb91a8380f6776c1
SHA256

b2939aee96b950ca152f10d4791107be9f71f17f4d42e55183d259f8f7b6a6e7
SHA512

4a0590a23c10dd257692e1f4497912935556d4e152fe09ecd1eb2531fba0ee80a079c589068315623ff660c8e5c99871d68a4d48fecfc7ed579081c5e77def46
SSDEEP

98304:A1RaZKOTNyQE17hjs+USipFnLSXF9v8CqLoiLwst/IxZsQU3wDkAaXnmkhD:4aZXTLcVs+upF4Lv8CqSstUKQU1lL5

Score

10^/10

modiloader xtremerat persistence rat spyware trojan upx

Malware Config

Extracted

Family

xtremerat

remotedesktop11.no-ip.info

Signatures

Detect XtremeRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral5/memory/1700-70-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral5/memory/1956-78-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral5/memory/1700-84-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral5/memory/1956-85-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral5/memory/1956-102-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral5/memory/1808-69-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral5/memory/672-87-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2

Executes dropped EXE 7 IoCs

Processes:

73180.exe24894.exe64737.exeAdobeART.exe14581.exeIDM1.tmpwinlog.exe

pid process

1808 73180.exe
956 24894.exe
1700 64737.exe
672 AdobeART.exe
976 14581.exe
1168 IDM1.tmp
1580 winlog.exe

pid	process
1808	73180.exe
956	24894.exe
1700	64737.exe
672	AdobeART.exe
976	14581.exe
1168	IDM1.tmp
1580	winlog.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\73180.exe	upx
C:\Users\Admin\AppData\Local\Temp\73180.exe	upx
C:\Users\Admin\AppData\Local\Temp\64737.exe	upx
behavioral5/memory/1808-69-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral5/memory/1700-70-0x0000000010000000-0x000000001004D000-memory.dmp	upx
\Users\Admin\AppData\Roaming\AdobeART.exe	upx
\Users\Admin\AppData\Roaming\AdobeART.exe	upx
C:\Users\Admin\AppData\Roaming\AdobeART.exe	upx
behavioral5/memory/1700-84-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral5/memory/672-87-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral5/memory/1956-85-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral5/memory/1956-102-0x0000000010000000-0x000000001004D000-memory.dmp	upx

Loads dropped DLL 6 IoCs

Processes:

73180.exe14581.exe24894.exe

pid process

1808 73180.exe
1808 73180.exe
976 14581.exe
956 24894.exe
956 24894.exe
956 24894.exe

pid	process
1808	73180.exe
1808	73180.exe
976	14581.exe
956	24894.exe
956	24894.exe
956	24894.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

AdobeART.exewinlog.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeART = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeART.exe"	AdobeART.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	winlog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlog.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\winlog.exe"	winlog.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

idman621build17.exe

description pid process

Token: SeDebugPrivilege 1460 idman621build17.exe

description	pid	process
Token: SeDebugPrivilege	1460	idman621build17.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

idman621build17.exe64737.exe73180.exe14581.exe24894.exe

description	pid	process	target process
PID 1460 wrote to memory of 1808	1460	idman621build17.exe	73180.exe
PID 1460 wrote to memory of 1808	1460	idman621build17.exe	73180.exe
PID 1460 wrote to memory of 1808	1460	idman621build17.exe	73180.exe
PID 1460 wrote to memory of 1808	1460	idman621build17.exe	73180.exe
PID 1460 wrote to memory of 956	1460	idman621build17.exe	24894.exe
PID 1460 wrote to memory of 956	1460	idman621build17.exe	24894.exe
PID 1460 wrote to memory of 956	1460	idman621build17.exe	24894.exe
PID 1460 wrote to memory of 956	1460	idman621build17.exe	24894.exe
PID 1460 wrote to memory of 1700	1460	idman621build17.exe	64737.exe
PID 1460 wrote to memory of 1700	1460	idman621build17.exe	64737.exe
PID 1460 wrote to memory of 1700	1460	idman621build17.exe	64737.exe
PID 1460 wrote to memory of 1700	1460	idman621build17.exe	64737.exe
PID 1700 wrote to memory of 1956	1700	64737.exe	svchost.exe
PID 1700 wrote to memory of 1956	1700	64737.exe	svchost.exe
PID 1700 wrote to memory of 1956	1700	64737.exe	svchost.exe
PID 1700 wrote to memory of 1956	1700	64737.exe	svchost.exe
PID 1808 wrote to memory of 672	1808	73180.exe	AdobeART.exe
PID 1808 wrote to memory of 672	1808	73180.exe	AdobeART.exe
PID 1808 wrote to memory of 672	1808	73180.exe	AdobeART.exe
PID 1808 wrote to memory of 672	1808	73180.exe	AdobeART.exe
PID 1700 wrote to memory of 1956	1700	64737.exe	svchost.exe
PID 1700 wrote to memory of 1180	1700	64737.exe	iexplore.exe
PID 1700 wrote to memory of 1180	1700	64737.exe	iexplore.exe
PID 1700 wrote to memory of 1180	1700	64737.exe	iexplore.exe
PID 1700 wrote to memory of 1180	1700	64737.exe	iexplore.exe
PID 1460 wrote to memory of 976	1460	idman621build17.exe	14581.exe
PID 1460 wrote to memory of 976	1460	idman621build17.exe	14581.exe
PID 1460 wrote to memory of 976	1460	idman621build17.exe	14581.exe
PID 1460 wrote to memory of 976	1460	idman621build17.exe	14581.exe
PID 1460 wrote to memory of 976	1460	idman621build17.exe	14581.exe
PID 1460 wrote to memory of 976	1460	idman621build17.exe	14581.exe
PID 1460 wrote to memory of 976	1460	idman621build17.exe	14581.exe
PID 1700 wrote to memory of 1180	1700	64737.exe	iexplore.exe
PID 976 wrote to memory of 1168	976	14581.exe	IDM1.tmp
PID 976 wrote to memory of 1168	976	14581.exe	IDM1.tmp
PID 976 wrote to memory of 1168	976	14581.exe	IDM1.tmp
PID 976 wrote to memory of 1168	976	14581.exe	IDM1.tmp
PID 976 wrote to memory of 1168	976	14581.exe	IDM1.tmp
PID 976 wrote to memory of 1168	976	14581.exe	IDM1.tmp
PID 976 wrote to memory of 1168	976	14581.exe	IDM1.tmp
PID 956 wrote to memory of 1580	956	24894.exe	winlog.exe
PID 956 wrote to memory of 1580	956	24894.exe	winlog.exe
PID 956 wrote to memory of 1580	956	24894.exe	winlog.exe
PID 956 wrote to memory of 1580	956	24894.exe	winlog.exe

C:\Users\Admin\AppData\Local\Temp\IDM 6.21 Build 17\idman621build17.exe
"C:\Users\Admin\AppData\Local\Temp\IDM 6.21 Build 17\idman621build17.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460

C:\Users\Admin\AppData\Local\Temp\73180.exe
"C:\Users\Admin\AppData\Local\Temp\73180.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1808

C:\Users\Admin\AppData\Roaming\AdobeART.exe
"C:\Users\Admin\AppData\Roaming\AdobeART.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:672

C:\Users\Admin\AppData\Local\Temp\24894.exe
"C:\Users\Admin\AppData\Local\Temp\24894.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\AppData\Roaming\Microsoft\winlog.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\winlog.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1580

C:\Users\Admin\AppData\Local\Temp\64737.exe
"C:\Users\Admin\AppData\Local\Temp\64737.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1956

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:1180

C:\Users\Admin\AppData\Local\Temp\14581.exe
"C:\Users\Admin\AppData\Local\Temp\14581.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:976

C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
"C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"
3⤵
- Executes dropped EXE
PID:1168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\14581.exe
Filesize
6.1MB

MD5
f24a3484dde51c6495dca7b21450d011

SHA1
641d93056aa4dcdca292dbb571693a27bbafb6ba

SHA256
8fe784aeff05522dce528702866178075daa7f4eb0ea1bb2949702118ae16cc3

SHA512
e168b53dc1d71a08e1ee745869867ecf2b4d66be6b07083180a5648047226491849e6e8a1418c936af0d4943927da7764148d38f5998b06b1d13315f78ebd39f

Download Submit
C:\Users\Admin\AppData\Local\Temp\14581.exe
Filesize
6.1MB

MD5
f24a3484dde51c6495dca7b21450d011

SHA1
641d93056aa4dcdca292dbb571693a27bbafb6ba

SHA256
8fe784aeff05522dce528702866178075daa7f4eb0ea1bb2949702118ae16cc3

SHA512
e168b53dc1d71a08e1ee745869867ecf2b4d66be6b07083180a5648047226491849e6e8a1418c936af0d4943927da7764148d38f5998b06b1d13315f78ebd39f

Download Submit
C:\Users\Admin\AppData\Local\Temp\24894.exe
Filesize
141KB

MD5
1951f07d6c54d91f4ea2b3f1ff33c8c8

SHA1
0e60cd436e7d5c79c30c8901fa32663b493050d6

SHA256
5a041be295970031524383bdd5a08417bc1e9c95f390d3e77996887fd9350473

SHA512
7c7c34d03c51e8e2f3711d112cd2cd7ebe6627acfb725dad8881064c78b6ea99dd8986fd54398fbd22cac05d422b03f67c8184baaf0c0c8f3cf3dc930e6d0ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\24894.exe
Filesize
141KB

MD5
1951f07d6c54d91f4ea2b3f1ff33c8c8

SHA1
0e60cd436e7d5c79c30c8901fa32663b493050d6

SHA256
5a041be295970031524383bdd5a08417bc1e9c95f390d3e77996887fd9350473

SHA512
7c7c34d03c51e8e2f3711d112cd2cd7ebe6627acfb725dad8881064c78b6ea99dd8986fd54398fbd22cac05d422b03f67c8184baaf0c0c8f3cf3dc930e6d0ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\64737.exe
Filesize
33KB

MD5
e131dc8199e0dbe6a6eeec0766843ed5

SHA1
0da7ff2a654a45a54fcaa6018faebe05e13c2648

SHA256
243d00f021be7a7f38949e42d0fa15b0878855673857a6489666769c7698f316

SHA512
c75337c0556a2cbcc3eca8923b657c1cb79a12cfd3defce7427a0537f81a901124891677758394a20a5ed9857e2e84a64853ee77e9302b587816bc0071dc7fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\73180.exe
Filesize
18KB

MD5
f30c2e06f7cf7477666464e5b2073edd

SHA1
250ad655475c0fe6c9da849e7ef8717ee204def9

SHA256
a6f315dfc79dbcbd5143240fb10e7e3b43772b791a45f624c64a50591bcca758

SHA512
232ffead37983ef2318121c65519eee565de05d6292bf3ff6f569c9a8ed85d082b7725cdc2ca6ca9193256fdef15fb6ab5172653475c133669c8d453135045df

Download Submit
C:\Users\Admin\AppData\Local\Temp\73180.exe
Filesize
18KB

MD5
f30c2e06f7cf7477666464e5b2073edd

SHA1
250ad655475c0fe6c9da849e7ef8717ee204def9

SHA256
a6f315dfc79dbcbd5143240fb10e7e3b43772b791a45f624c64a50591bcca758

SHA512
232ffead37983ef2318121c65519eee565de05d6292bf3ff6f569c9a8ed85d082b7725cdc2ca6ca9193256fdef15fb6ab5172653475c133669c8d453135045df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
Filesize
175KB

MD5
95dc303033dc07fe499f50e5fb4dc167

SHA1
99359db6ecf799eaa96aa68657636cee8e3f162c

SHA256
9f71d3d58daa0bd5ad1c47094c609405ac1c58099a2249f24ee2b9c062d60bd9

SHA512
d33186151e825bc6bfa36a700ac40315faa9c35e26b9ab07d25332ab0a06c6d6119de8920bff6bc9b350a1b67c9534e43948ad51249d208ded535143a5462707

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeART.exe
Filesize
18KB

MD5
f30c2e06f7cf7477666464e5b2073edd

SHA1
250ad655475c0fe6c9da849e7ef8717ee204def9

SHA256
a6f315dfc79dbcbd5143240fb10e7e3b43772b791a45f624c64a50591bcca758

SHA512
232ffead37983ef2318121c65519eee565de05d6292bf3ff6f569c9a8ed85d082b7725cdc2ca6ca9193256fdef15fb6ab5172653475c133669c8d453135045df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winlog.exe
Filesize
141KB

MD5
1951f07d6c54d91f4ea2b3f1ff33c8c8

SHA1
0e60cd436e7d5c79c30c8901fa32663b493050d6

SHA256
5a041be295970031524383bdd5a08417bc1e9c95f390d3e77996887fd9350473

SHA512
7c7c34d03c51e8e2f3711d112cd2cd7ebe6627acfb725dad8881064c78b6ea99dd8986fd54398fbd22cac05d422b03f67c8184baaf0c0c8f3cf3dc930e6d0ae0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winlog.exe
Filesize
141KB

MD5
1951f07d6c54d91f4ea2b3f1ff33c8c8

SHA1
0e60cd436e7d5c79c30c8901fa32663b493050d6

SHA256
5a041be295970031524383bdd5a08417bc1e9c95f390d3e77996887fd9350473

SHA512
7c7c34d03c51e8e2f3711d112cd2cd7ebe6627acfb725dad8881064c78b6ea99dd8986fd54398fbd22cac05d422b03f67c8184baaf0c0c8f3cf3dc930e6d0ae0

Download Submit
\Users\Admin\AppData\Local\Temp\24894.exe
Filesize
141KB

MD5
1951f07d6c54d91f4ea2b3f1ff33c8c8

SHA1
0e60cd436e7d5c79c30c8901fa32663b493050d6

SHA256
5a041be295970031524383bdd5a08417bc1e9c95f390d3e77996887fd9350473

SHA512
7c7c34d03c51e8e2f3711d112cd2cd7ebe6627acfb725dad8881064c78b6ea99dd8986fd54398fbd22cac05d422b03f67c8184baaf0c0c8f3cf3dc930e6d0ae0

Download Submit
\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
Filesize
175KB

MD5
95dc303033dc07fe499f50e5fb4dc167

SHA1
99359db6ecf799eaa96aa68657636cee8e3f162c

SHA256
9f71d3d58daa0bd5ad1c47094c609405ac1c58099a2249f24ee2b9c062d60bd9

SHA512
d33186151e825bc6bfa36a700ac40315faa9c35e26b9ab07d25332ab0a06c6d6119de8920bff6bc9b350a1b67c9534e43948ad51249d208ded535143a5462707

Download Submit
\Users\Admin\AppData\Roaming\AdobeART.exe
Filesize
18KB

MD5
f30c2e06f7cf7477666464e5b2073edd

SHA1
250ad655475c0fe6c9da849e7ef8717ee204def9

SHA256
a6f315dfc79dbcbd5143240fb10e7e3b43772b791a45f624c64a50591bcca758

SHA512
232ffead37983ef2318121c65519eee565de05d6292bf3ff6f569c9a8ed85d082b7725cdc2ca6ca9193256fdef15fb6ab5172653475c133669c8d453135045df

Download Submit
\Users\Admin\AppData\Roaming\AdobeART.exe
Filesize
18KB

MD5
f30c2e06f7cf7477666464e5b2073edd

SHA1
250ad655475c0fe6c9da849e7ef8717ee204def9

SHA256
a6f315dfc79dbcbd5143240fb10e7e3b43772b791a45f624c64a50591bcca758

SHA512
232ffead37983ef2318121c65519eee565de05d6292bf3ff6f569c9a8ed85d082b7725cdc2ca6ca9193256fdef15fb6ab5172653475c133669c8d453135045df

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\winlog.exe
Filesize
141KB

MD5
1951f07d6c54d91f4ea2b3f1ff33c8c8

SHA1
0e60cd436e7d5c79c30c8901fa32663b493050d6

SHA256
5a041be295970031524383bdd5a08417bc1e9c95f390d3e77996887fd9350473

SHA512
7c7c34d03c51e8e2f3711d112cd2cd7ebe6627acfb725dad8881064c78b6ea99dd8986fd54398fbd22cac05d422b03f67c8184baaf0c0c8f3cf3dc930e6d0ae0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\winlog.exe
Filesize
141KB

MD5
1951f07d6c54d91f4ea2b3f1ff33c8c8

SHA1
0e60cd436e7d5c79c30c8901fa32663b493050d6

SHA256
5a041be295970031524383bdd5a08417bc1e9c95f390d3e77996887fd9350473

SHA512
7c7c34d03c51e8e2f3711d112cd2cd7ebe6627acfb725dad8881064c78b6ea99dd8986fd54398fbd22cac05d422b03f67c8184baaf0c0c8f3cf3dc930e6d0ae0

Download Submit
memory/672-73-0x0000000000000000-mapping.dmp

Download
memory/672-87-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/956-61-0x0000000000000000-mapping.dmp

Download
memory/976-80-0x0000000000000000-mapping.dmp

Download
memory/976-97-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/976-86-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1168-101-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1168-92-0x0000000000000000-mapping.dmp

Download
memory/1460-54-0x000007FEF4760000-0x000007FEF5183000-memory.dmp

Filesize
10.1MB

Download
memory/1460-55-0x000007FEF32F0000-0x000007FEF4386000-memory.dmp

Filesize
16.6MB

Download
memory/1460-83-0x0000000000326000-0x0000000000345000-memory.dmp

Filesize
124KB

Download
memory/1460-57-0x0000000000326000-0x0000000000345000-memory.dmp

Filesize
124KB

Download
memory/1460-56-0x0000000000326000-0x0000000000345000-memory.dmp

Filesize
124KB

Download
memory/1580-94-0x0000000000000000-mapping.dmp

Download
memory/1700-84-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1700-66-0x0000000000000000-mapping.dmp

Download
memory/1700-70-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1808-58-0x0000000000000000-mapping.dmp

Download
memory/1808-60-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1808-69-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1956-76-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1956-85-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1956-78-0x0000000000000000-mapping.dmp

Download
memory/1956-102-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download