modiloader | f10c2bbc2319e72bc4dee452a2de176573d88eafecc30e97748b5dd087f4ea1f

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2022 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f10c2bbc2319e72bc4dee452a2de176573d88eafecc30e97748b5dd087f4ea1f.exe
Size

988KB
MD5

6e2d9824eeebad8b1507fa4238892439
SHA1

03a6497741b9697f9234f85644cd35aa5bf0e42e
SHA256

f10c2bbc2319e72bc4dee452a2de176573d88eafecc30e97748b5dd087f4ea1f
SHA512

17dbf165300bd6e97c16c1d595a46fa035b0fa3e414e7707ef072404408ae20d48046d59bc651358f45b2de50a9e9adf9e52c4db6df211f2ae037a8b285b23ab

Score

10^/10

modiloader remcos remotehost persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

bestsuccess.ddns.net:2442

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Remcos-HPUD4T
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

ModiLoader Second Stage 60 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5004-155-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-171-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-172-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-173-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-175-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-174-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-176-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-177-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-178-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-179-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-180-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-181-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-182-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-183-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-184-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-185-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-186-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-187-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-188-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-189-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-190-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-191-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-192-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-193-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-194-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-195-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-196-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-197-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-199-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-198-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-200-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-201-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-202-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-203-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-204-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-205-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-207-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-206-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-208-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-209-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-210-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-211-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-212-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-213-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-214-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-219-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-221-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-222-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-217-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-223-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-225-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-226-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-227-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-228-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-229-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-230-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-231-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-232-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-233-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2
behavioral2/memory/5004-234-0x0000000005830000-0x00000000058D8000-memory.dmp	modiloader_stage2

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f10c2bbc2319e72bc4dee452a2de176573d88eafecc30e97748b5dd087f4ea1f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Accyaz = "C:\\Users\\Public\\Libraries\\zayccA.url"	f10c2bbc2319e72bc4dee452a2de176573d88eafecc30e97748b5dd087f4ea1f.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

f10c2bbc2319e72bc4dee452a2de176573d88eafecc30e97748b5dd087f4ea1f.exe

description	pid	process	target process
PID 5004 set thread context of 3432	5004	f10c2bbc2319e72bc4dee452a2de176573d88eafecc30e97748b5dd087f4ea1f.exe	f10c2bbc2319e72bc4dee452a2de176573d88eafecc30e97748b5dd087f4ea1f.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

f10c2bbc2319e72bc4dee452a2de176573d88eafecc30e97748b5dd087f4ea1f.exe

description	pid	process	target process
PID 5004 wrote to memory of 3432	5004	f10c2bbc2319e72bc4dee452a2de176573d88eafecc30e97748b5dd087f4ea1f.exe	f10c2bbc2319e72bc4dee452a2de176573d88eafecc30e97748b5dd087f4ea1f.exe
PID 5004 wrote to memory of 3432	5004	f10c2bbc2319e72bc4dee452a2de176573d88eafecc30e97748b5dd087f4ea1f.exe	f10c2bbc2319e72bc4dee452a2de176573d88eafecc30e97748b5dd087f4ea1f.exe
PID 5004 wrote to memory of 3432	5004	f10c2bbc2319e72bc4dee452a2de176573d88eafecc30e97748b5dd087f4ea1f.exe	f10c2bbc2319e72bc4dee452a2de176573d88eafecc30e97748b5dd087f4ea1f.exe
PID 5004 wrote to memory of 3432	5004	f10c2bbc2319e72bc4dee452a2de176573d88eafecc30e97748b5dd087f4ea1f.exe	f10c2bbc2319e72bc4dee452a2de176573d88eafecc30e97748b5dd087f4ea1f.exe
PID 5004 wrote to memory of 3432	5004	f10c2bbc2319e72bc4dee452a2de176573d88eafecc30e97748b5dd087f4ea1f.exe	f10c2bbc2319e72bc4dee452a2de176573d88eafecc30e97748b5dd087f4ea1f.exe

C:\Users\Admin\AppData\Local\Temp\f10c2bbc2319e72bc4dee452a2de176573d88eafecc30e97748b5dd087f4ea1f.exe
"C:\Users\Admin\AppData\Local\Temp\f10c2bbc2319e72bc4dee452a2de176573d88eafecc30e97748b5dd087f4ea1f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5004

C:\Users\Admin\AppData\Local\Temp\f10c2bbc2319e72bc4dee452a2de176573d88eafecc30e97748b5dd087f4ea1f.exe
"C:\Users\Admin\AppData\Local\Temp\f10c2bbc2319e72bc4dee452a2de176573d88eafecc30e97748b5dd087f4ea1f.exe"
2⤵
PID:3432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3432-215-0x0000000000000000-mapping.dmp

Download
memory/3432-216-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3432-218-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3432-220-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3432-224-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3432-246-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5004-197-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-174-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-173-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-175-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-200-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-176-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-177-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-178-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-179-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-180-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-181-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-182-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-183-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-184-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-185-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-186-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-187-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-188-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-189-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-190-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-191-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-192-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-193-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-194-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-195-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-196-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-171-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-199-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-233-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-172-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-201-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-202-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-203-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-204-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-205-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-207-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-206-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-208-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-209-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-210-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-211-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-212-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-213-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-214-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-219-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-221-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-222-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-217-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-223-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-225-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-226-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-227-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-228-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-229-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-230-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-231-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-232-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-198-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-234-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download
memory/5004-155-0x0000000005830000-0x00000000058D8000-memory.dmp

Filesize
672KB

Download