modiloader | 0a049a6f200348e229ebaa13728cd0d19de4839c741d4faec3dd64207860153d

General

Target

c4cd874423d9026b16b370d5fa812471.exe
Size

637KB
MD5

c4cd874423d9026b16b370d5fa812471
SHA1

b1c514708b9611056cce378a8c7d8f2b12e4e8df
SHA256

0a049a6f200348e229ebaa13728cd0d19de4839c741d4faec3dd64207860153d
SHA512

ba5a92674f30bbcb2c4f4552bebb6f226da9ceb5a67d8692d3615353c85a241d9c501732e83b0825f59c6bf272df5cdb66f67136d89fe7f9898b20c018d3f501

Score

10^/10

modiloader remcos persistence rat trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c4cd874423d9026b16b370d5fa812471.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fcizmp = "C:\\Users\\Public\\Libraries\\pmzicF.url"	c4cd874423d9026b16b370d5fa812471.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

c4cd874423d9026b16b370d5fa812471.exe

description	pid	process	target process
PID 2436 wrote to memory of 4036	2436	c4cd874423d9026b16b370d5fa812471.exe	ieinstal.exe
PID 2436 wrote to memory of 4036	2436	c4cd874423d9026b16b370d5fa812471.exe	ieinstal.exe
PID 2436 wrote to memory of 4036	2436	c4cd874423d9026b16b370d5fa812471.exe	ieinstal.exe
PID 2436 wrote to memory of 4036	2436	c4cd874423d9026b16b370d5fa812471.exe	ieinstal.exe
PID 2436 wrote to memory of 4036	2436	c4cd874423d9026b16b370d5fa812471.exe	ieinstal.exe
PID 2436 wrote to memory of 4036	2436	c4cd874423d9026b16b370d5fa812471.exe	ieinstal.exe
PID 2436 wrote to memory of 4036	2436	c4cd874423d9026b16b370d5fa812471.exe	ieinstal.exe
PID 2436 wrote to memory of 4036	2436	c4cd874423d9026b16b370d5fa812471.exe	ieinstal.exe
PID 2436 wrote to memory of 4036	2436	c4cd874423d9026b16b370d5fa812471.exe	ieinstal.exe
PID 2436 wrote to memory of 4036	2436	c4cd874423d9026b16b370d5fa812471.exe	ieinstal.exe
PID 2436 wrote to memory of 4036	2436	c4cd874423d9026b16b370d5fa812471.exe	ieinstal.exe
PID 2436 wrote to memory of 4036	2436	c4cd874423d9026b16b370d5fa812471.exe	ieinstal.exe
PID 2436 wrote to memory of 4036	2436	c4cd874423d9026b16b370d5fa812471.exe	ieinstal.exe
PID 2436 wrote to memory of 4036	2436	c4cd874423d9026b16b370d5fa812471.exe	ieinstal.exe
PID 2436 wrote to memory of 4036	2436	c4cd874423d9026b16b370d5fa812471.exe	ieinstal.exe

C:\Users\Admin\AppData\Local\Temp\c4cd874423d9026b16b370d5fa812471.exe
"C:\Users\Admin\AppData\Local\Temp\c4cd874423d9026b16b370d5fa812471.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2436

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
2⤵
PID:4036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2436-114-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/2436-116-0x0000000002380000-0x000000000239A000-memory.dmp

Filesize
104KB

Download
memory/4036-119-0x0000000000000000-mapping.dmp

Download
memory/4036-120-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/4036-122-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/4036-123-0x0000000010590000-0x000000001060C000-memory.dmp

Filesize
496KB

Download
memory/4036-124-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/4036-125-0x0000000000CA0000-0x0000000000DEA000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing