modiloader | 43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32

Analysis

max time kernel
151s
max time network
146s
platform
windows10-1703_x64
resource
win10-20220718-en
resource tags

arch:x64arch:x86image:win10-20220718-enlocale:en-usos:windows10-1703-x64system
submitted
10-08-2022 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe
Size

792KB
MD5

9da633ea2a82f9c7605791cd53b370cd
SHA1

b9a0a6d747edfb95ec93de80ef172527f61b5797
SHA256

43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32
SHA512

ddbd5dfbcb7a7241fb223a8d36553c761966cbf55672a3df1eb29fa1dbb8966d82968d5059b2b7659ff20bcfbb0eb984eb62999b33f23a78e6632f1f25de394e

Score

10^/10

modiloader remcos onige123 collection persistence rat spyware stealer trojan

Malware Config

Extracted

Family

remcos

Botnet

onige123

goodygoody.duckdns.org:1905

154.53.43.207:1905

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
gamingsofts.exe
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
aesjes.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
sijresuestusawar-YZOEW4
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
gamingsoft
take_screenshot_option
false
take_screenshot_time
5

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1752-639-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/3128-646-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/3128-657-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1752-639-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral1/memory/2096-643-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/3128-646-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/3128-657-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Avbmtavrx = "C:\\Users\\Public\\Libraries\\xrvatmbvA.url"	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe

description	pid	process	target process
PID 2408 set thread context of 3128	2408	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe
PID 2408 set thread context of 1752	2408	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe
PID 2408 set thread context of 2096	2408	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe

pid	process
3128	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe
3128	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe
2096	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe
2096	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe
3128	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe
3128	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe

pid	process
2408	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe
2408	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe
2408	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe

description pid process

Token: SeDebugPrivilege 2096 43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe

description	pid	process
Token: SeDebugPrivilege	2096	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe

description	pid	process	target process
PID 2408 wrote to memory of 3128	2408	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe
PID 2408 wrote to memory of 3128	2408	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe
PID 2408 wrote to memory of 3128	2408	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe
PID 2408 wrote to memory of 1752	2408	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe
PID 2408 wrote to memory of 1752	2408	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe
PID 2408 wrote to memory of 1752	2408	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe
PID 2408 wrote to memory of 2096	2408	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe
PID 2408 wrote to memory of 2096	2408	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe
PID 2408 wrote to memory of 2096	2408	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe	43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe

C:\Users\Admin\AppData\Local\Temp\43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe
"C:\Users\Admin\AppData\Local\Temp\43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2408

C:\Users\Admin\AppData\Local\Temp\43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe
C:\Users\Admin\AppData\Local\Temp\43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe /stext "C:\Users\Admin\AppData\Local\Temp\lecomxwwgrqsa"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3128

C:\Users\Admin\AppData\Local\Temp\43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe
C:\Users\Admin\AppData\Local\Temp\43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe /stext "C:\Users\Admin\AppData\Local\Temp\nzhhnpgyuzifkadi"
2⤵
- Accesses Microsoft Outlook accounts
PID:1752

C:\Users\Admin\AppData\Local\Temp\43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe
C:\Users\Admin\AppData\Local\Temp\43e1f1635e1cca717e2d9598e708ded20f6e9236f68ab9d3a28b83e49c71fd32.exe /stext "C:\Users\Admin\AppData\Local\Temp\xbnanirrihajngrmtqo"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lecomxwwgrqsa
Filesize
4KB

MD5
91c39dbd1be7155f37be1828a9cc71ae

SHA1
920fd2ae3cb1a03ca6acdba0e96dff93f26d011b

SHA256
98464758acfa3919b4311caae2b5562dbe9994511a637158db971b57b9344392

SHA512
394889b42b01d2b8ea5e5e32f1f2226f75fd5d78a00edac5f0f33d8252579e7fc370e4da6cb6fd021f4a1a66ba0ac8a0c552ba5b665a4946d901b91a5e11c838

Download Submit
memory/1752-514-0x0000000000455238-mapping.dmp

Download
memory/1752-550-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1752-639-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2096-518-0x0000000000422206-mapping.dmp

Download
memory/2096-553-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2096-643-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2408-147-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-120-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-118-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-150-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-121-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-151-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-122-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-123-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-124-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-125-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-126-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-127-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-128-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-129-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-130-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-131-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-132-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-133-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-134-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-135-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-138-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-136-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-137-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-139-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-140-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-141-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-142-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-143-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-144-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-145-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-146-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-116-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-148-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-149-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-119-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-152-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-117-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-153-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-154-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-155-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-156-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-157-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-158-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-159-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-160-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-161-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-162-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-163-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-164-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-166-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-167-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-165-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-168-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-169-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-170-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-171-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-172-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-173-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-174-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-175-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-176-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-177-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-511-0x00000000053C0000-0x0000000005441000-memory.dmp

Filesize
516KB

Download
memory/2408-115-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/2408-512-0x0000000005450000-0x00000000054CE000-memory.dmp

Filesize
504KB

Download
memory/2408-659-0x0000000005450000-0x00000000054CE000-memory.dmp

Filesize
504KB

Download
memory/2408-114-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3128-646-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3128-657-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3128-546-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3128-513-0x0000000000476274-mapping.dmp

Download