modiloader | 9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d

Analysis

max time kernel
150s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d.exe
Size

370KB
MD5

7d504bef99b92dd7b73c0699b5a4f87b
SHA1

871406d918975620f13298e73a183910241ff536
SHA256

9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d
SHA512

f73270a0a97f2c58784862a45a4897b1c2ad76cf1d0f942450f58859131f863cc097f420aac33e3bc282ac8e192dc6b81874a31273ca1796c878f4cf20a9a58a
SSDEEP

6144:JEYZetlt+qb/8BU4/F2k1lxgv3np7CMxeR1I//Umf6Vv0eqmU+TsVsFpx/:zetllE58Orgv3nVnD/UGo9zcs3V

Score

10^/10

modiloader xtremerat persistence rat spyware trojan upx

Malware Config

Extracted

Family

xtremerat

mkidech.dyndns-mail.com

Signatures

Detect XtremeRAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/1008-76-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral1/memory/1876-79-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral1/memory/1008-81-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral1/memory/1876-82-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral1/memory/1876-83-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/828-74-0x0000000000400000-0x0000000000481000-memory.dmp	modiloader_stage2

Executes dropped EXE 3 IoCs

pid	Process
1832	ALIMUPG700.exe
564	hedroug.exe
1008	ghadefer.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00090000000122f5-66.dat	upx
behavioral1/files/0x00090000000122f5-67.dat	upx
behavioral1/files/0x00090000000122f5-69.dat	upx
behavioral1/memory/1008-76-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/1008-81-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/1876-82-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/1876-83-0x0000000010000000-0x000000001004D000-memory.dmp	upx

Loads dropped DLL 6 IoCs

pid	Process
828	9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d.exe
828	9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d.exe
828	9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d.exe
828	9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d.exe
828	9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d.exe
828	9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1832	ALIMUPG700.exe
1832	ALIMUPG700.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 1832	828	9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d.exe	27
PID 828 wrote to memory of 1832	828	9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d.exe	27
PID 828 wrote to memory of 1832	828	9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d.exe	27
PID 828 wrote to memory of 1832	828	9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d.exe	27
PID 828 wrote to memory of 564	828	9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d.exe	28
PID 828 wrote to memory of 564	828	9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d.exe	28
PID 828 wrote to memory of 564	828	9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d.exe	28
PID 828 wrote to memory of 564	828	9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d.exe	28
PID 828 wrote to memory of 1008	828	9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d.exe	29
PID 828 wrote to memory of 1008	828	9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d.exe	29
PID 828 wrote to memory of 1008	828	9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d.exe	29
PID 828 wrote to memory of 1008	828	9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d.exe	29
PID 1008 wrote to memory of 1876	1008	ghadefer.exe	30
PID 1008 wrote to memory of 1876	1008	ghadefer.exe	30
PID 1008 wrote to memory of 1876	1008	ghadefer.exe	30
PID 1008 wrote to memory of 1876	1008	ghadefer.exe	30
PID 1008 wrote to memory of 1876	1008	ghadefer.exe	30
PID 1008 wrote to memory of 1672	1008	ghadefer.exe	31
PID 1008 wrote to memory of 1672	1008	ghadefer.exe	31
PID 1008 wrote to memory of 1672	1008	ghadefer.exe	31
PID 1008 wrote to memory of 1672	1008	ghadefer.exe	31
PID 1008 wrote to memory of 1672	1008	ghadefer.exe	31

C:\Users\Admin\AppData\Local\Temp\9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d.exe
"C:\Users\Admin\AppData\Local\Temp\9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:828
- C:\Users\Admin\AppData\Local\Temp\ALIMUPG700.exe
  "C:\Users\Admin\AppData\Local\Temp\ALIMUPG700.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1832
- C:\Users\Admin\AppData\Local\Temp\hedroug.exe
  "C:\Users\Admin\AppData\Local\Temp\hedroug.exe"
  2⤵
  - Executes dropped EXE
  PID:564
- C:\Users\Admin\AppData\Local\Temp\ghadefer.exe
  "C:\Users\Admin\AppData\Local\Temp\ghadefer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1876
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ALIMUPG700.exe

Filesize
380KB

MD5
a5930d7ae2d9c3b202e06d51be25e03a

SHA1
e5104e5809d379ceb704b46babca410a659b1437

SHA256
fd33251d23d3fa9c78f930eee1532943308a8d8a8840db7214c8f9e110eff5b7

SHA512
b43897e93db896307fa16047120f0ab7148a9745178398b002ce409b64d5c5281cd218e030d081fb8f92cd65dd24c78b3ea7df3619169703eeaccf4610e584bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghadefer.exe

Filesize
33KB

MD5
88d80a622479990ffd6f51206f069ff3

SHA1
a004d23a7d29cbbb4f6c9bb8f0d9cd9174f159cf

SHA256
a16c5545a8e299e04a59f5e6059840005685972fab74424dd43bfcb2051bf8fc

SHA512
344af70145d8ff79e062eb69e8ea10cfdc2db5116c507987fd6438bc4bd146be9675d627d71d1b55cfcedb632eef87795972b8f52b802332df91ef25c0c33789

Download Submit
C:\Users\Admin\AppData\Local\Temp\hedroug.exe

Filesize
8KB

MD5
4510b2277d59503a9864fd24164553a2

SHA1
f34e83d549268cc6d286ce4411a3c1ec33628b5b

SHA256
60b76b2f541d877f0b5eafc8a25d8d5ca070fe76daf24359ab05ce5b340557b4

SHA512
d6e2c02231b29f08925361a91e5fc172af83ec192d389d8f7af91c9fe600f4fdce10a633d170b36a77fdb729b144f7f16ae77372abfefe9a80bb9ef16c433747

Download Submit
C:\Users\Admin\AppData\Local\Temp\hedroug.exe

Filesize
8KB

MD5
4510b2277d59503a9864fd24164553a2

SHA1
f34e83d549268cc6d286ce4411a3c1ec33628b5b

SHA256
60b76b2f541d877f0b5eafc8a25d8d5ca070fe76daf24359ab05ce5b340557b4

SHA512
d6e2c02231b29f08925361a91e5fc172af83ec192d389d8f7af91c9fe600f4fdce10a633d170b36a77fdb729b144f7f16ae77372abfefe9a80bb9ef16c433747

Download Submit
\Users\Admin\AppData\Local\Temp\ALIMUPG700.exe

Filesize
380KB

MD5
a5930d7ae2d9c3b202e06d51be25e03a

SHA1
e5104e5809d379ceb704b46babca410a659b1437

SHA256
fd33251d23d3fa9c78f930eee1532943308a8d8a8840db7214c8f9e110eff5b7

SHA512
b43897e93db896307fa16047120f0ab7148a9745178398b002ce409b64d5c5281cd218e030d081fb8f92cd65dd24c78b3ea7df3619169703eeaccf4610e584bc

Download Submit
\Users\Admin\AppData\Local\Temp\ALIMUPG700.exe

Filesize
380KB

MD5
a5930d7ae2d9c3b202e06d51be25e03a

SHA1
e5104e5809d379ceb704b46babca410a659b1437

SHA256
fd33251d23d3fa9c78f930eee1532943308a8d8a8840db7214c8f9e110eff5b7

SHA512
b43897e93db896307fa16047120f0ab7148a9745178398b002ce409b64d5c5281cd218e030d081fb8f92cd65dd24c78b3ea7df3619169703eeaccf4610e584bc

Download Submit
\Users\Admin\AppData\Local\Temp\ghadefer.exe

Filesize
33KB

MD5
88d80a622479990ffd6f51206f069ff3

SHA1
a004d23a7d29cbbb4f6c9bb8f0d9cd9174f159cf

SHA256
a16c5545a8e299e04a59f5e6059840005685972fab74424dd43bfcb2051bf8fc

SHA512
344af70145d8ff79e062eb69e8ea10cfdc2db5116c507987fd6438bc4bd146be9675d627d71d1b55cfcedb632eef87795972b8f52b802332df91ef25c0c33789

Download Submit
\Users\Admin\AppData\Local\Temp\ghadefer.exe

Filesize
33KB

MD5
88d80a622479990ffd6f51206f069ff3

SHA1
a004d23a7d29cbbb4f6c9bb8f0d9cd9174f159cf

SHA256
a16c5545a8e299e04a59f5e6059840005685972fab74424dd43bfcb2051bf8fc

SHA512
344af70145d8ff79e062eb69e8ea10cfdc2db5116c507987fd6438bc4bd146be9675d627d71d1b55cfcedb632eef87795972b8f52b802332df91ef25c0c33789

Download Submit
\Users\Admin\AppData\Local\Temp\hedroug.exe

Filesize
8KB

MD5
4510b2277d59503a9864fd24164553a2

SHA1
f34e83d549268cc6d286ce4411a3c1ec33628b5b

SHA256
60b76b2f541d877f0b5eafc8a25d8d5ca070fe76daf24359ab05ce5b340557b4

SHA512
d6e2c02231b29f08925361a91e5fc172af83ec192d389d8f7af91c9fe600f4fdce10a633d170b36a77fdb729b144f7f16ae77372abfefe9a80bb9ef16c433747

Download Submit
\Users\Admin\AppData\Local\Temp\hedroug.exe

Filesize
8KB

MD5
4510b2277d59503a9864fd24164553a2

SHA1
f34e83d549268cc6d286ce4411a3c1ec33628b5b

SHA256
60b76b2f541d877f0b5eafc8a25d8d5ca070fe76daf24359ab05ce5b340557b4

SHA512
d6e2c02231b29f08925361a91e5fc172af83ec192d389d8f7af91c9fe600f4fdce10a633d170b36a77fdb729b144f7f16ae77372abfefe9a80bb9ef16c433747

Download Submit
memory/564-63-0x0000000000000000-mapping.dmp

Download
memory/828-54-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/828-71-0x0000000001E01000-0x0000000001E05000-memory.dmp

Filesize
16KB

Download
memory/828-73-0x0000000002131000-0x0000000002135000-memory.dmp

Filesize
16KB

Download
memory/828-70-0x0000000000260000-0x00000000002AE000-memory.dmp

Filesize
312KB

Download
memory/828-75-0x0000000001F51000-0x0000000001F55000-memory.dmp

Filesize
16KB

Download
memory/828-74-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/828-55-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1008-76-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1008-68-0x0000000000000000-mapping.dmp

Download
memory/1008-81-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1832-58-0x0000000000000000-mapping.dmp

Download
memory/1876-77-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1876-79-0x0000000000000000-mapping.dmp

Download
memory/1876-82-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1876-83-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download