modiloader | 9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d

General

Target

9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d.exe
Size

370KB
MD5

7d504bef99b92dd7b73c0699b5a4f87b
SHA1

871406d918975620f13298e73a183910241ff536
SHA256

9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d
SHA512

f73270a0a97f2c58784862a45a4897b1c2ad76cf1d0f942450f58859131f863cc097f420aac33e3bc282ac8e192dc6b81874a31273ca1796c878f4cf20a9a58a
SSDEEP

6144:JEYZetlt+qb/8BU4/F2k1lxgv3np7CMxeR1I//Umf6Vv0eqmU+TsVsFpx/:zetllE58Orgv3nVnD/UGo9zcs3V

Score

10^/10

modiloader xtremerat persistence rat spyware trojan upx

Malware Config

Extracted

Family

xtremerat

C2

mkidech.dyndns-mail.com

Signatures

Detect XtremeRAT payload 3 IoCs

resource	yara_rule
behavioral2/memory/4428-148-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral2/memory/1996-149-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/4428-150-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/memory/4376-134-0x0000000000400000-0x0000000000481000-memory.dmp	modiloader_stage2
behavioral2/memory/4376-147-0x0000000000400000-0x0000000000481000-memory.dmp	modiloader_stage2

Executes dropped EXE 4 IoCs

pid	Process
216	ALIMUPG700.exe
4664	hedroug.exe
1996	ghadefer.exe
2636	hedroug.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0002000000022660-143.dat	upx
behavioral2/files/0x0002000000022660-145.dat	upx
behavioral2/memory/1996-149-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/4428-150-0x0000000010000000-0x000000001004D000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3276	2636	WerFault.exe	85
3772	4428	WerFault.exe	87
4976	4428	WerFault.exe	87

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
216	ALIMUPG700.exe
216	ALIMUPG700.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 216	4376	9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d.exe	83
PID 4376 wrote to memory of 216	4376	9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d.exe	83
PID 4376 wrote to memory of 216	4376	9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d.exe	83
PID 4376 wrote to memory of 4664	4376	9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d.exe	84
PID 4376 wrote to memory of 4664	4376	9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d.exe	84
PID 4376 wrote to memory of 4664	4376	9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d.exe	84
PID 4664 wrote to memory of 2636	4664	hedroug.exe	85
PID 4664 wrote to memory of 2636	4664	hedroug.exe	85
PID 4664 wrote to memory of 2636	4664	hedroug.exe	85
PID 4376 wrote to memory of 1996	4376	9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d.exe	86
PID 4376 wrote to memory of 1996	4376	9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d.exe	86
PID 4376 wrote to memory of 1996	4376	9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d.exe	86
PID 1996 wrote to memory of 4428	1996	ghadefer.exe	87
PID 1996 wrote to memory of 4428	1996	ghadefer.exe	87
PID 1996 wrote to memory of 4428	1996	ghadefer.exe	87
PID 1996 wrote to memory of 4428	1996	ghadefer.exe	87
PID 1996 wrote to memory of 5092	1996	ghadefer.exe	89
PID 1996 wrote to memory of 5092	1996	ghadefer.exe	89
PID 1996 wrote to memory of 5092	1996	ghadefer.exe	89

C:\Users\Admin\AppData\Local\Temp\9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d.exe
"C:\Users\Admin\AppData\Local\Temp\9567f48916104c53143b44bb1555d0d083b32cbde4475c2c3c55e6dec515c12d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Users\Admin\AppData\Local\Temp\ALIMUPG700.exe
  "C:\Users\Admin\AppData\Local\Temp\ALIMUPG700.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:216
- C:\Users\Admin\AppData\Local\Temp\hedroug.exe
  "C:\Users\Admin\AppData\Local\Temp\hedroug.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Users\Admin\AppData\Local\Temp\hedroug.exe
    StubPath
    3⤵
    - Executes dropped EXE
    PID:2636
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 460
      4⤵
      Program crash
      PID:3276
- C:\Users\Admin\AppData\Local\Temp\ghadefer.exe
  "C:\Users\Admin\AppData\Local\Temp\ghadefer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:4428
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 480
      4⤵
      Program crash
      PID:3772
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 500
      4⤵
      Program crash
      PID:4976
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2636 -ip 2636
1⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4428 -ip 4428
1⤵
PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4428 -ip 4428
1⤵
PID:1136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ALIMUPG700.exe

Filesize
380KB

MD5
a5930d7ae2d9c3b202e06d51be25e03a

SHA1
e5104e5809d379ceb704b46babca410a659b1437

SHA256
fd33251d23d3fa9c78f930eee1532943308a8d8a8840db7214c8f9e110eff5b7

SHA512
b43897e93db896307fa16047120f0ab7148a9745178398b002ce409b64d5c5281cd218e030d081fb8f92cd65dd24c78b3ea7df3619169703eeaccf4610e584bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ALIMUPG700.exe

Filesize
380KB

MD5
a5930d7ae2d9c3b202e06d51be25e03a

SHA1
e5104e5809d379ceb704b46babca410a659b1437

SHA256
fd33251d23d3fa9c78f930eee1532943308a8d8a8840db7214c8f9e110eff5b7

SHA512
b43897e93db896307fa16047120f0ab7148a9745178398b002ce409b64d5c5281cd218e030d081fb8f92cd65dd24c78b3ea7df3619169703eeaccf4610e584bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghadefer.exe

Filesize
33KB

MD5
88d80a622479990ffd6f51206f069ff3

SHA1
a004d23a7d29cbbb4f6c9bb8f0d9cd9174f159cf

SHA256
a16c5545a8e299e04a59f5e6059840005685972fab74424dd43bfcb2051bf8fc

SHA512
344af70145d8ff79e062eb69e8ea10cfdc2db5116c507987fd6438bc4bd146be9675d627d71d1b55cfcedb632eef87795972b8f52b802332df91ef25c0c33789

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghadefer.exe

Filesize
33KB

MD5
88d80a622479990ffd6f51206f069ff3

SHA1
a004d23a7d29cbbb4f6c9bb8f0d9cd9174f159cf

SHA256
a16c5545a8e299e04a59f5e6059840005685972fab74424dd43bfcb2051bf8fc

SHA512
344af70145d8ff79e062eb69e8ea10cfdc2db5116c507987fd6438bc4bd146be9675d627d71d1b55cfcedb632eef87795972b8f52b802332df91ef25c0c33789

Download Submit
C:\Users\Admin\AppData\Local\Temp\hedroug.exe

Filesize
8KB

MD5
4510b2277d59503a9864fd24164553a2

SHA1
f34e83d549268cc6d286ce4411a3c1ec33628b5b

SHA256
60b76b2f541d877f0b5eafc8a25d8d5ca070fe76daf24359ab05ce5b340557b4

SHA512
d6e2c02231b29f08925361a91e5fc172af83ec192d389d8f7af91c9fe600f4fdce10a633d170b36a77fdb729b144f7f16ae77372abfefe9a80bb9ef16c433747

Download Submit
C:\Users\Admin\AppData\Local\Temp\hedroug.exe

Filesize
8KB

MD5
4510b2277d59503a9864fd24164553a2

SHA1
f34e83d549268cc6d286ce4411a3c1ec33628b5b

SHA256
60b76b2f541d877f0b5eafc8a25d8d5ca070fe76daf24359ab05ce5b340557b4

SHA512
d6e2c02231b29f08925361a91e5fc172af83ec192d389d8f7af91c9fe600f4fdce10a633d170b36a77fdb729b144f7f16ae77372abfefe9a80bb9ef16c433747

Download Submit
C:\Users\Admin\AppData\Local\Temp\hedroug.exe

Filesize
8KB

MD5
4510b2277d59503a9864fd24164553a2

SHA1
f34e83d549268cc6d286ce4411a3c1ec33628b5b

SHA256
60b76b2f541d877f0b5eafc8a25d8d5ca070fe76daf24359ab05ce5b340557b4

SHA512
d6e2c02231b29f08925361a91e5fc172af83ec192d389d8f7af91c9fe600f4fdce10a633d170b36a77fdb729b144f7f16ae77372abfefe9a80bb9ef16c433747

Download Submit
memory/1996-149-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/4376-134-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4376-146-0x0000000000A60000-0x0000000000AAE000-memory.dmp

Filesize
312KB

Download
memory/4376-133-0x0000000000A60000-0x0000000000AAE000-memory.dmp

Filesize
312KB

Download
memory/4376-132-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4376-147-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4428-150-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing