modiloader | 21d5d5d31a4a17556ceb223272f3e908a352485dcd90dc203c99826638e7cbd9

General

Target

SecuriteInfo.com.Trojan7000000f1.31576.exe
Size

859KB
MD5

b25559abb9260a598d98bf66b7725784
SHA1

8dade95ddbd3c29d8d6e5e47ee4c8eb0bbac0e65
SHA256

21d5d5d31a4a17556ceb223272f3e908a352485dcd90dc203c99826638e7cbd9
SHA512

216f94b2232d13d211f07d4bbf7a3c1cb7093e1a45d176374c567d690fd467705b2caa4e5763f62d2b07afc0189a46e45e882c490d29c05aff8eb713e0d1ca91

Score

10^/10

modiloader remcos remotehost persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

hendersonk1.hopto.org:2404

henderson1.camdvr.org:2404

centplus1.serveftp.com:2404

harrywlike.ddns.net:2404

genekol.nsupdate.info:2404

harrywlike1.ddns.net:2404

hendersonk2022.hopto.org:2404

genekol1.nsupdate.info:2404

generem.camdvr.org:2404

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
gsgjdwg-DIO8L7
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow pid process

53 3220 cmd.exe

flow	pid	process
53	3220	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SecuriteInfo.com.Trojan7000000f1.31576.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.Trojan7000000f1.31576.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SecuriteInfo.com.Trojan7000000f1.31576.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vfjeeqedq = "C:\\Users\\Public\\Libraries\\qdeqeejfV.url"	SecuriteInfo.com.Trojan7000000f1.31576.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exeSecuriteInfo.com.Trojan7000000f1.31576.exe

pid process

3988 powershell.exe
3988 powershell.exe
4220 SecuriteInfo.com.Trojan7000000f1.31576.exe
4220 SecuriteInfo.com.Trojan7000000f1.31576.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3988 powershell.exe

pid	process
3988	powershell.exe
3988	powershell.exe
4220	SecuriteInfo.com.Trojan7000000f1.31576.exe
4220	SecuriteInfo.com.Trojan7000000f1.31576.exe

description	pid	process
Token: SeDebugPrivilege	3988	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

SecuriteInfo.com.Trojan7000000f1.31576.execmd.execmd.exenet.exe

description	pid	process	target process
PID 4220 wrote to memory of 856	4220	SecuriteInfo.com.Trojan7000000f1.31576.exe	cmd.exe
PID 4220 wrote to memory of 856	4220	SecuriteInfo.com.Trojan7000000f1.31576.exe	cmd.exe
PID 4220 wrote to memory of 856	4220	SecuriteInfo.com.Trojan7000000f1.31576.exe	cmd.exe
PID 856 wrote to memory of 4768	856	cmd.exe	cmd.exe
PID 856 wrote to memory of 4768	856	cmd.exe	cmd.exe
PID 856 wrote to memory of 4768	856	cmd.exe	cmd.exe
PID 4768 wrote to memory of 4680	4768	cmd.exe	net.exe
PID 4768 wrote to memory of 4680	4768	cmd.exe	net.exe
PID 4768 wrote to memory of 4680	4768	cmd.exe	net.exe
PID 4680 wrote to memory of 1060	4680	net.exe	net1.exe
PID 4680 wrote to memory of 1060	4680	net.exe	net1.exe
PID 4680 wrote to memory of 1060	4680	net.exe	net1.exe
PID 4768 wrote to memory of 3988	4768	cmd.exe	powershell.exe
PID 4768 wrote to memory of 3988	4768	cmd.exe	powershell.exe
PID 4768 wrote to memory of 3988	4768	cmd.exe	powershell.exe
PID 4220 wrote to memory of 3220	4220	SecuriteInfo.com.Trojan7000000f1.31576.exe	cmd.exe
PID 4220 wrote to memory of 3220	4220	SecuriteInfo.com.Trojan7000000f1.31576.exe	cmd.exe
PID 4220 wrote to memory of 3220	4220	SecuriteInfo.com.Trojan7000000f1.31576.exe	cmd.exe
PID 4220 wrote to memory of 3220	4220	SecuriteInfo.com.Trojan7000000f1.31576.exe	cmd.exe
PID 4220 wrote to memory of 3220	4220	SecuriteInfo.com.Trojan7000000f1.31576.exe	cmd.exe
PID 4220 wrote to memory of 3220	4220	SecuriteInfo.com.Trojan7000000f1.31576.exe	cmd.exe
PID 4220 wrote to memory of 3220	4220	SecuriteInfo.com.Trojan7000000f1.31576.exe	cmd.exe
PID 4220 wrote to memory of 3220	4220	SecuriteInfo.com.Trojan7000000f1.31576.exe	cmd.exe
PID 4220 wrote to memory of 3220	4220	SecuriteInfo.com.Trojan7000000f1.31576.exe	cmd.exe
PID 4220 wrote to memory of 3220	4220	SecuriteInfo.com.Trojan7000000f1.31576.exe	cmd.exe
PID 4220 wrote to memory of 3220	4220	SecuriteInfo.com.Trojan7000000f1.31576.exe	cmd.exe
PID 4220 wrote to memory of 3220	4220	SecuriteInfo.com.Trojan7000000f1.31576.exe	cmd.exe
PID 4220 wrote to memory of 3220	4220	SecuriteInfo.com.Trojan7000000f1.31576.exe	cmd.exe
PID 4220 wrote to memory of 3220	4220	SecuriteInfo.com.Trojan7000000f1.31576.exe	cmd.exe
PID 4220 wrote to memory of 3220	4220	SecuriteInfo.com.Trojan7000000f1.31576.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan7000000f1.31576.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan7000000f1.31576.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\Vfjeeqedqt.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Public\Libraries\VfjeeqedqO.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\SysWOW64\net.exe
net session
4⤵
- Suspicious use of WriteProcessMemory
PID:4680

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 session
5⤵
PID:1060

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k
2⤵
- Blocklisted process makes network request
PID:3220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\Cdex.bat
Filesize
155B

MD5
213c60adf1c9ef88dc3c9b2d579959d2

SHA1
e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021

SHA256
37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

SHA512
fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

Download Submit
C:\Users\Public\Libraries\VfjeeqedqO.bat
Filesize
1KB

MD5
df48c09f243ebcc8a165f77a1c2bf889

SHA1
455f7db0adcc2a58d006f1630fb0bd55cd868c07

SHA256
4ef9821678da07138c19405387f3fb95e409fbd461c7b8d847c05075facd63ca

SHA512
735838c7cca953697ded48adfcd037b7f198072a8962f5940ce12e1bb1c7dd8c1f257a829276f5f5456f776f5bd13342222dd6e0dfc8f18a23f464f2c8d8f1cc

Download Submit
C:\Users\Public\Libraries\Vfjeeqedqt.bat
Filesize
58B

MD5
3178f18d44440e060a5ddc9d776f91be

SHA1
af8fe33c2703be22df946f1bcf4f03fa9372deb2

SHA256
b4e94a60e6233eeb1861831fa72daa04bbc0e0ef6b0b46b0115dc2d58f14f981

SHA512
1ff961c24c7df94402d5909a65742e7181b842cedeeff6de2c41ddc396e3c4774eabb4d12fac4e740b9a04b9130f1c36f1155c131bfa9b1c0626efaa46723929

Download Submit
memory/856-139-0x0000000000000000-mapping.dmp

Download
memory/1060-144-0x0000000000000000-mapping.dmp

Download
memory/3220-212-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3220-211-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3220-210-0x0000000050590000-0x000000005060D000-memory.dmp

Filesize
500KB

Download
memory/3220-169-0x0000000000000000-mapping.dmp

Download
memory/3988-153-0x0000000006A50000-0x0000000006A82000-memory.dmp

Filesize
200KB

Download
memory/3988-157-0x00000000076E0000-0x00000000076FA000-memory.dmp

Filesize
104KB

Download
memory/3988-150-0x0000000005DE0000-0x0000000005E46000-memory.dmp

Filesize
408KB

Download
memory/3988-151-0x0000000005E50000-0x0000000005EB6000-memory.dmp

Filesize
408KB

Download
memory/3988-152-0x00000000064C0000-0x00000000064DE000-memory.dmp

Filesize
120KB

Download
memory/3988-148-0x0000000005680000-0x0000000005CA8000-memory.dmp

Filesize
6.2MB

Download
memory/3988-154-0x000000006F4F0000-0x000000006F53C000-memory.dmp

Filesize
304KB

Download
memory/3988-155-0x0000000006A30000-0x0000000006A4E000-memory.dmp

Filesize
120KB

Download
memory/3988-156-0x0000000007E60000-0x00000000084DA000-memory.dmp

Filesize
6.5MB

Download
memory/3988-149-0x0000000005600000-0x0000000005622000-memory.dmp

Filesize
136KB

Download
memory/3988-158-0x0000000007820000-0x000000000782A000-memory.dmp

Filesize
40KB

Download
memory/3988-159-0x0000000007A10000-0x0000000007AA6000-memory.dmp

Filesize
600KB

Download
memory/3988-160-0x00000000079D0000-0x00000000079DE000-memory.dmp

Filesize
56KB

Download
memory/3988-161-0x0000000007AE0000-0x0000000007AFA000-memory.dmp

Filesize
104KB

Download
memory/3988-162-0x0000000007AC0000-0x0000000007AC8000-memory.dmp

Filesize
32KB

Download
memory/3988-147-0x0000000005010000-0x0000000005046000-memory.dmp

Filesize
216KB

Download
memory/3988-146-0x0000000000000000-mapping.dmp

Download
memory/4220-171-0x0000000050590000-0x000000005060D000-memory.dmp

Filesize
500KB

Download
memory/4680-143-0x0000000000000000-mapping.dmp

Download
memory/4768-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads