modiloader | 15851690d3cb99d95e82bb47d3f31db71688c69dd50b0a8367e97aa3b501b637

General

Target

f41bae930735486a5456bb2ec5b22bd7.exe
Size

700KB
Sample

210913-wp1xfahcfp
MD5

f41bae930735486a5456bb2ec5b22bd7
SHA1

7c05b71120cd703685fe19d5f8969ec73ae340bd
SHA256

15851690d3cb99d95e82bb47d3f31db71688c69dd50b0a8367e97aa3b501b637
SHA512

0ad929cf22f7ebc84580d6967f1c7ad60d9cf8a18ff730d4b996f498bd740af451eedff622887f4c6216cb32e09fafa848eb81f8bb27df6ab589d9e42dc99676

Score

10^/10

Malware Config

Extracted

Family

remcos

Version

3.2.0 Pro

Botnet

NEW-YAK-0817

C2

bustabantu0817.hopto.org:7575

bustabantu0817.duckdns.org:7575

bustabantu0817.ddnsgeek.com:7575

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
sgol.dat
keylog_flag
false
keylog_folder
mygol
keylog_path
%AppData%
mouse_option
false
mutex
bgy-hyt-juj-BISZGM
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Extracted

Family

remcos

Botnet

NEW-YAK-0817

C2

bustabantu0817.hopto.org:7575

bustabantu0817.duckdns.org:7575

bustabantu0817.ddnsgeek.com:7575

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
sgol.dat
keylog_flag
false
keylog_folder
mygol
keylog_path
%AppData%
mouse_option
false
mutex
bgy-hyt-juj-BISZGM
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Targets

- Target
  
  f41bae930735486a5456bb2ec5b22bd7.exe
- Size
  
  700KB
- MD5
  
  f41bae930735486a5456bb2ec5b22bd7
- SHA1
  
  7c05b71120cd703685fe19d5f8969ec73ae340bd
- SHA256
  
  15851690d3cb99d95e82bb47d3f31db71688c69dd50b0a8367e97aa3b501b637
- SHA512
  
  0ad929cf22f7ebc84580d6967f1c7ad60d9cf8a18ff730d4b996f498bd740af451eedff622887f4c6216cb32e09fafa848eb81f8bb27df6ab589d9e42dc99676
Score

10^/10

modiloader remcos new-yak-0817 persistence rat trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

ModiLoader, DBatLoader

Remcos

Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2