modiloader | 0094a21cdba5b0d2622b2686f64dbcccf090675ae7ae86f21d4063ac1e17ccf9 | Triage

Submit
Reports

Overview

overview

Static

static

6036b574d9...6d.exe

windows7-x64

6036b574d9...6d.exe

windows10-2004-x64

Sharing

General

Target

6036b574d93e0f406160cb2fd5ae636d
Size

943KB
Sample

220802-x6ydbaace3
MD5

6036b574d93e0f406160cb2fd5ae636d
SHA1

bf7a1f488e36139f75e93458fd71f660cf7996e0
SHA256

0094a21cdba5b0d2622b2686f64dbcccf090675ae7ae86f21d4063ac1e17ccf9
SHA512

323fc3b7dc66c3557d4176605702bafd8a38b6a264b2969b2fbabcd9e99cccb5bc8461f67e45362addc13c4efc9f78015314988ac1a94241ed61f87d7dffef52

Score

10^/10

modiloader remcos remotehost persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

6036b574d93e0f406160cb2fd5ae636d.exe

Resource

win7-20220715-en

modiloader remcos persistence rat trojan

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

6036b574d93e0f406160cb2fd5ae636d.exe

Resource

win10v2004-20220721-en

modiloader remcos remotehost persistence rat trojan

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

onigegegege.duckdns.org:45354

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-N5M2AU
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  6036b574d93e0f406160cb2fd5ae636d
- Size
  
  943KB
- MD5
  
  6036b574d93e0f406160cb2fd5ae636d
- SHA1
  
  bf7a1f488e36139f75e93458fd71f660cf7996e0
- SHA256
  
  0094a21cdba5b0d2622b2686f64dbcccf090675ae7ae86f21d4063ac1e17ccf9
- SHA512
  
  323fc3b7dc66c3557d4176605702bafd8a38b6a264b2969b2fbabcd9e99cccb5bc8461f67e45362addc13c4efc9f78015314988ac1a94241ed61f87d7dffef52
Score

10^/10

modiloader remcos persistence rat trojan remotehost
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- ModiLoader Second Stage
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

modiloaderremcospersistencerattrojan

behavioral2

modiloaderremcosremotehostpersistencerattrojan

© 2018-2024

Terms | Privacy