modiloader | ccc7b0f3517d79d288ac631999a691adb8b27769937208bae892e200618c1c47 | Triage

Submit
Reports

Overview

overview

Static

static

SecuriteIn...20.exe

windows7-x64

SecuriteIn...20.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

SecuriteInfo.com.W32.Formbook.AA.tr.10720.exe
Size

1.9MB
Sample

220908-fv8w8saggk
MD5

fe0b2331f5c350d9d88632a25524312b
SHA1

49ca4bef7469acb08af88564166e0e4b6cefd6de
SHA256

ccc7b0f3517d79d288ac631999a691adb8b27769937208bae892e200618c1c47
SHA512

5b2fac870629d2e990cf43c400d21009650f23fcf53be359378aa332d4953512c8ed1940eae4301f360173367f289a8747eacac3e8654a410a9e83ab6d40acf7
SSDEEP

24576:y1+Ys99+4yb/AUsV4le0xmUcIYKeyltyvNKOQ/vX9ajKTyRTFEuHczgV91JbxH+c:yEYsaO4fxmkxCvwOQXsZTFLHcO+hW

Score

10^/10

modiloader remcos remotehost persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

SecuriteInfo.com.W32.Formbook.AA.tr.10720.exe

Resource

win7-20220812-en

modiloader remcos remotehost persistence rat trojan

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

SecuriteInfo.com.W32.Formbook.AA.tr.10720.exe

Resource

win10v2004-20220812-en

modiloader remcos remotehost persistence rat trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

hendersonk1.hopto.org:2404

henderson1.camdvr.org:2404

centplus1.serveftp.com:2404

harrywlike.ddns.net:2404

genekol.nsupdate.info:2404

harrywlike1.ddns.net:2404

hendersonk2022.hopto.org:2404

genekol1.nsupdate.info:2404

generem.camdvr.org:2404

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
sonic.exe
copy_folder
yakkk
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
gsgjdwg-BCCQWA
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
fuckuuuuu
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Targets

- Target
  
  SecuriteInfo.com.W32.Formbook.AA.tr.10720.exe
- Size
  
  1.9MB
- MD5
  
  fe0b2331f5c350d9d88632a25524312b
- SHA1
  
  49ca4bef7469acb08af88564166e0e4b6cefd6de
- SHA256
  
  ccc7b0f3517d79d288ac631999a691adb8b27769937208bae892e200618c1c47
- SHA512
  
  5b2fac870629d2e990cf43c400d21009650f23fcf53be359378aa332d4953512c8ed1940eae4301f360173367f289a8747eacac3e8654a410a9e83ab6d40acf7
- SSDEEP
  
  24576:y1+Ys99+4yb/AUsV4le0xmUcIYKeyltyvNKOQ/vX9ajKTyRTFEuHczgV91JbxH+c:yEYsaO4fxmkxCvwOQXsZTFLHcO+hW
Score

10^/10

modiloader remcos remotehost persistence rat trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- ModiLoader Second Stage
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

modiloaderremcosremotehostpersistencerattrojan

behavioral2

modiloaderremcosremotehostpersistencerattrojan

© 2018-2025

Terms | Privacy