modiloader | cc52b8f39a31d7372f7c3d76e386fa20f830b530dec05ce67229e4abf33c92d9 | Triage

Submit
Reports

Overview

overview

Static

static

Order No-2...5.xlsm

windows7_x64

Order No-2...5.xlsm

windows10_x64

Sharing

General

Target

Order No-202000125.xlsm
Size

410KB
Sample

210118-9sr9nactbe
MD5

2c71ebde60e06f76a2ccc831400f24b7
SHA1

7d7294586a74052bce542ba4cd1fb3eeb2ea08a3
SHA256

cc52b8f39a31d7372f7c3d76e386fa20f830b530dec05ce67229e4abf33c92d9
SHA512

ec36d40a564d98c77a198eed1ab1d0fae309e19800fa00a9f50fdfab6b393bca804c71ca97ce2354c47e707a7d0d84429e280ddb4c0a93730c4f953331b31f87

Score

10^/10

modiloader remcos persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

Order No-202000125.xlsm

Resource

win7v20201028

modiloader remcos persistence rat trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Order No-202000125.xlsm

Resource

win10v20201028

modiloader remcos persistence rat trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://winsfgt.com/php/u.exe

Extracted

Family

remcos

C2

79.134.225.19:2556

Targets

- Target
  
  Order No-202000125.xlsm
- Size
  
  410KB
- MD5
  
  2c71ebde60e06f76a2ccc831400f24b7
- SHA1
  
  7d7294586a74052bce542ba4cd1fb3eeb2ea08a3
- SHA256
  
  cc52b8f39a31d7372f7c3d76e386fa20f830b530dec05ce67229e4abf33c92d9
- SHA512
  
  ec36d40a564d98c77a198eed1ab1d0fae309e19800fa00a9f50fdfab6b393bca804c71ca97ce2354c47e707a7d0d84429e280ddb4c0a93730c4f953331b31f87
Score

10^/10

modiloader remcos persistence rat trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- ModiLoader First Stage
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

modiloaderremcospersistencerattrojan

behavioral2

modiloaderremcospersistencerattrojan

© 2018-2024

Terms | Privacy