modiloader | 84f9e8abd4682870a94655c297e283b12de8162454217deb5d56d33603a04b35

General

Target

Document.exe
Size

1.0MB
MD5

2b087560bc75a3f809da01876c3410dd
SHA1

7a81008442ccad66e42cf1a7f1ed4d7a5cc29ee7
SHA256

84f9e8abd4682870a94655c297e283b12de8162454217deb5d56d33603a04b35
SHA512

bbc4cb550a67b1fe15b7d744ea7636c0e89addc1bcacac7915a331f02655ce7a84ae7e881ea4a683a0e4f203946cbb6a98688e5a5238aa4e7effcb896fdaf997

Score

10^/10

modiloader remcos persistence rat trojan

Malware Config

Extracted

Family

remcos

C2

Bruno.camdvr.org:2404

Bruno1.camdvr.org:2404

Bruno2.camdvr.org:2404

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Document.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Docudx = "C:\\Users\\Public\\Libraries\\xducoD.url"	Document.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ieinstal.exe

pid process

1460 ieinstal.exe

pid	process
1460	ieinstal.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Document.exe

description	pid	process	target process
PID 1100 wrote to memory of 1460	1100	Document.exe	ieinstal.exe
PID 1100 wrote to memory of 1460	1100	Document.exe	ieinstal.exe
PID 1100 wrote to memory of 1460	1100	Document.exe	ieinstal.exe
PID 1100 wrote to memory of 1460	1100	Document.exe	ieinstal.exe
PID 1100 wrote to memory of 1460	1100	Document.exe	ieinstal.exe
PID 1100 wrote to memory of 1460	1100	Document.exe	ieinstal.exe
PID 1100 wrote to memory of 1460	1100	Document.exe	ieinstal.exe
PID 1100 wrote to memory of 1460	1100	Document.exe	ieinstal.exe
PID 1100 wrote to memory of 1460	1100	Document.exe	ieinstal.exe
PID 1100 wrote to memory of 1460	1100	Document.exe	ieinstal.exe
PID 1100 wrote to memory of 1460	1100	Document.exe	ieinstal.exe
PID 1100 wrote to memory of 1460	1100	Document.exe	ieinstal.exe
PID 1100 wrote to memory of 1460	1100	Document.exe	ieinstal.exe
PID 1100 wrote to memory of 1460	1100	Document.exe	ieinstal.exe
PID 1100 wrote to memory of 1460	1100	Document.exe	ieinstal.exe
PID 1100 wrote to memory of 1460	1100	Document.exe	ieinstal.exe
PID 1100 wrote to memory of 1460	1100	Document.exe	ieinstal.exe
PID 1100 wrote to memory of 1460	1100	Document.exe	ieinstal.exe
PID 1100 wrote to memory of 1460	1100	Document.exe	ieinstal.exe

C:\Users\Admin\AppData\Local\Temp\Document.exe
"C:\Users\Admin\AppData\Local\Temp\Document.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1100

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1460

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1100-59-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1460-60-0x0000000000000000-mapping.dmp

Download
memory/1460-61-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1460-62-0x00000000760C1000-0x00000000760C3000-memory.dmp

Filesize
8KB

Download
memory/1460-63-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/1460-66-0x0000000010590000-0x000000001060C000-memory.dmp

Filesize
496KB

Download
memory/1460-65-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1460-67-0x0000000000360000-0x00000000003D9000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing