modiloader | ccc7b0f3517d79d288ac631999a691adb8b27769937208bae892e200618c1c47

Analysis

max time kernel
41s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
08/09/2022, 05:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.W32.Formbook.AA.tr.10720.exe
Size

1.9MB
MD5

fe0b2331f5c350d9d88632a25524312b
SHA1

49ca4bef7469acb08af88564166e0e4b6cefd6de
SHA256

ccc7b0f3517d79d288ac631999a691adb8b27769937208bae892e200618c1c47
SHA512

5b2fac870629d2e990cf43c400d21009650f23fcf53be359378aa332d4953512c8ed1940eae4301f360173367f289a8747eacac3e8654a410a9e83ab6d40acf7
SSDEEP

24576:y1+Ys99+4yb/AUsV4le0xmUcIYKeyltyvNKOQ/vX9ajKTyRTFEuHczgV91JbxH+c:yEYsaO4fxmkxCvwOQXsZTFLHcO+hW

Score

10^/10

modiloader remcos remotehost persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

hendersonk1.hopto.org:2404

henderson1.camdvr.org:2404

centplus1.serveftp.com:2404

harrywlike.ddns.net:2404

genekol.nsupdate.info:2404

harrywlike1.ddns.net:2404

hendersonk2022.hopto.org:2404

genekol1.nsupdate.info:2404

generem.camdvr.org:2404

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
sonic.exe
copy_folder
yakkk
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
gsgjdwg-BCCQWA
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
fuckuuuuu
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

ModiLoader Second Stage 21 IoCs

resource	yara_rule
behavioral1/memory/1884-56-0x0000000001F90000-0x0000000001FE1000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-59-0x0000000001F90000-0x0000000001FE1000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-58-0x0000000001F90000-0x0000000001FE1000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-57-0x0000000001F90000-0x0000000001FE1000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-60-0x0000000001F90000-0x0000000001FE1000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-61-0x0000000001F90000-0x0000000001FE1000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-65-0x0000000001F90000-0x0000000001FE1000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-64-0x0000000001F90000-0x0000000001FE1000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-63-0x0000000001F90000-0x0000000001FE1000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-62-0x0000000001F90000-0x0000000001FE1000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-68-0x0000000001F90000-0x0000000001FE1000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-67-0x0000000001F90000-0x0000000001FE1000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-66-0x0000000001F90000-0x0000000001FE1000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-69-0x0000000001F90000-0x0000000001FE1000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-98-0x0000000001F90000-0x0000000001FE1000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-97-0x0000000001F90000-0x0000000001FE1000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-96-0x0000000001F90000-0x0000000001FE1000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-95-0x0000000001F90000-0x0000000001FE1000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-94-0x0000000001F90000-0x0000000001FE1000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-93-0x0000000001F90000-0x0000000001FE1000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-92-0x0000000001F90000-0x0000000001FE1000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
292	easinvoker.exe
1028	easinvoker.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xjrxgjcwe = "C:\\Users\\Public\\Libraries\\ewcjgxrjX.url"	SecuriteInfo.com.W32.Formbook.AA.tr.10720.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	iexpress.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuckuuuuu = "\"C:\\Users\\Admin\\AppData\\Roaming\\yakkk\\sonic.exe\""	iexpress.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1292	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1884	SecuriteInfo.com.W32.Formbook.AA.tr.10720.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 1960	1884	SecuriteInfo.com.W32.Formbook.AA.tr.10720.exe	27
PID 1884 wrote to memory of 1960	1884	SecuriteInfo.com.W32.Formbook.AA.tr.10720.exe	27
PID 1884 wrote to memory of 1960	1884	SecuriteInfo.com.W32.Formbook.AA.tr.10720.exe	27
PID 1884 wrote to memory of 1960	1884	SecuriteInfo.com.W32.Formbook.AA.tr.10720.exe	27
PID 1960 wrote to memory of 1852	1960	cmd.exe	29
PID 1960 wrote to memory of 1852	1960	cmd.exe	29
PID 1960 wrote to memory of 1852	1960	cmd.exe	29
PID 1960 wrote to memory of 1852	1960	cmd.exe	29
PID 1960 wrote to memory of 916	1960	cmd.exe	30
PID 1960 wrote to memory of 916	1960	cmd.exe	30
PID 1960 wrote to memory of 916	1960	cmd.exe	30
PID 1960 wrote to memory of 916	1960	cmd.exe	30
PID 1960 wrote to memory of 1716	1960	cmd.exe	31
PID 1960 wrote to memory of 1716	1960	cmd.exe	31
PID 1960 wrote to memory of 1716	1960	cmd.exe	31
PID 1960 wrote to memory of 1716	1960	cmd.exe	31
PID 1960 wrote to memory of 564	1960	cmd.exe	32
PID 1960 wrote to memory of 564	1960	cmd.exe	32
PID 1960 wrote to memory of 564	1960	cmd.exe	32
PID 1960 wrote to memory of 564	1960	cmd.exe	32
PID 1960 wrote to memory of 1568	1960	cmd.exe	33
PID 1960 wrote to memory of 1568	1960	cmd.exe	33
PID 1960 wrote to memory of 1568	1960	cmd.exe	33
PID 1960 wrote to memory of 1568	1960	cmd.exe	33
PID 1960 wrote to memory of 320	1960	cmd.exe	34
PID 1960 wrote to memory of 320	1960	cmd.exe	34
PID 1960 wrote to memory of 320	1960	cmd.exe	34
PID 1960 wrote to memory of 320	1960	cmd.exe	34
PID 1960 wrote to memory of 1292	1960	cmd.exe	37
PID 1960 wrote to memory of 1292	1960	cmd.exe	37
PID 1960 wrote to memory of 1292	1960	cmd.exe	37
PID 1960 wrote to memory of 1292	1960	cmd.exe	37
PID 1884 wrote to memory of 1664	1884	SecuriteInfo.com.W32.Formbook.AA.tr.10720.exe	38
PID 1884 wrote to memory of 1664	1884	SecuriteInfo.com.W32.Formbook.AA.tr.10720.exe	38
PID 1884 wrote to memory of 1664	1884	SecuriteInfo.com.W32.Formbook.AA.tr.10720.exe	38
PID 1884 wrote to memory of 1664	1884	SecuriteInfo.com.W32.Formbook.AA.tr.10720.exe	38
PID 1884 wrote to memory of 1664	1884	SecuriteInfo.com.W32.Formbook.AA.tr.10720.exe	38
PID 1884 wrote to memory of 1664	1884	SecuriteInfo.com.W32.Formbook.AA.tr.10720.exe	38
PID 1884 wrote to memory of 1664	1884	SecuriteInfo.com.W32.Formbook.AA.tr.10720.exe	38
PID 1884 wrote to memory of 1664	1884	SecuriteInfo.com.W32.Formbook.AA.tr.10720.exe	38
PID 1884 wrote to memory of 1664	1884	SecuriteInfo.com.W32.Formbook.AA.tr.10720.exe	38
PID 1884 wrote to memory of 1664	1884	SecuriteInfo.com.W32.Formbook.AA.tr.10720.exe	38
PID 1884 wrote to memory of 1664	1884	SecuriteInfo.com.W32.Formbook.AA.tr.10720.exe	38
PID 1884 wrote to memory of 1664	1884	SecuriteInfo.com.W32.Formbook.AA.tr.10720.exe	38
PID 1884 wrote to memory of 1664	1884	SecuriteInfo.com.W32.Formbook.AA.tr.10720.exe	38
PID 1884 wrote to memory of 1664	1884	SecuriteInfo.com.W32.Formbook.AA.tr.10720.exe	38
PID 1884 wrote to memory of 1664	1884	SecuriteInfo.com.W32.Formbook.AA.tr.10720.exe	38
PID 1884 wrote to memory of 1664	1884	SecuriteInfo.com.W32.Formbook.AA.tr.10720.exe	38
PID 1884 wrote to memory of 1664	1884	SecuriteInfo.com.W32.Formbook.AA.tr.10720.exe	38
PID 1884 wrote to memory of 1664	1884	SecuriteInfo.com.W32.Formbook.AA.tr.10720.exe	38
PID 1664 wrote to memory of 2032	1664	iexpress.exe	39
PID 1664 wrote to memory of 2032	1664	iexpress.exe	39
PID 1664 wrote to memory of 2032	1664	iexpress.exe	39
PID 1664 wrote to memory of 2032	1664	iexpress.exe	39
PID 2032 wrote to memory of 1832	2032	WScript.exe	40
PID 2032 wrote to memory of 1832	2032	WScript.exe	40
PID 2032 wrote to memory of 1832	2032	WScript.exe	40
PID 2032 wrote to memory of 1832	2032	WScript.exe	40

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.Formbook.AA.tr.10720.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.Formbook.AA.tr.10720.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Public\Libraries\XjrxgjcweO.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y
    3⤵
    - Enumerates system info in registry
    PID:916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y
    3⤵
    - Enumerates system info in registry
    PID:564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y
    3⤵
    - Enumerates system info in registry
    PID:320
- - C:\Windows \System32\easinvoker.exe
    "C:\Windows \System32\easinvoker.exe"
    3⤵
    - Executes dropped EXE
    PID:292
- - C:\Windows \System32\easinvoker.exe
    "C:\Windows \System32\easinvoker.exe"
    3⤵
    - Executes dropped EXE
    PID:1028
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 6
    3⤵
    - Runs ping.exe
    PID:1292
- C:\Windows\SysWOW64\iexpress.exe
  "C:\Windows\System32\iexpress.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\yakkk\sonic.exe"
      4⤵
      PID:1832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
414B

MD5
70c091ce330be09a1a4b6d85e6838b02

SHA1
cb42a4cc53603b18f298e8adcdb4ad95468866c7

SHA256
96a0015a38dc3d553acb454937588a541852fdf1145274e20361e1059cf85741

SHA512
ad2c9f7be58e6d2c0ecf1834b08592216798f009ddc995b4dc882b09cb70dd4c98439835c2bf824ab915abe6033eb7c8b6f25ad604b6718ca1007695010b63a6

Download Submit
C:\Users\Public\Libraries\KDECO.bat

Filesize
155B

MD5
213c60adf1c9ef88dc3c9b2d579959d2

SHA1
e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021

SHA256
37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

SHA512
fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

Download Submit
C:\Users\Public\Libraries\XjrxgjcweO.bat

Filesize
411B

MD5
55aba243e88f6a6813c117ffe1fa5979

SHA1
210b9b028a4b798c837a182321dbf2e50d112816

SHA256
5a11c5641c476891aa30e7ecfa57c2639f6827d8640061f73e9afec0adbbd7d2

SHA512
68009c4c9bbea75a3bfa9f79945d30957a95691ea405d031b4ca7f1cb47504bbc768fcae59173885743ad4d6cfdd2313c3fe0acb515e34e5c809ecdc7f45e307

Download Submit
C:\Users\Public\Libraries\easinvoker.exe

Filesize
75KB

MD5
beba5f5a62e1e3a01f1adb028192e475

SHA1
9e22d7a129074e118531bf328e75235fa5135be4

SHA256
d6c7259046e76e147e2d0f40329e0605287c80a51e6417babcd4b5d9998949ce

SHA512
648f10dc7ffbe660c9beab755aabc831299d78afa70bb94fa89cde6dd3a1ceffa567c9509b0045a078d587300034342151e5434fcb8ecbee44c1fe232fe9856b

Download Submit
C:\Users\Public\Libraries\netutils.dll

Filesize
108KB

MD5
0511e36a6408d2197034ca03c7db9b02

SHA1
54cbb647c50076239eedd94aff3c8240eb0c4125

SHA256
35e4a45c3a3f42ef5d340e891e864bafc49e7e869c626bad456290c9cc888303

SHA512
613ba2bef07bd751aad3e21c18b6c02635fea2b02523908b61fc60aa48d8759bb9b138582e8e617555c49d9bead9fa4dfa6263f5f88f8249c89c82f136665e78

Download Submit
C:\Windows \System32\KDECO.bat

Filesize
155B

MD5
213c60adf1c9ef88dc3c9b2d579959d2

SHA1
e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021

SHA256
37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

SHA512
fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

Download Submit
C:\Windows \System32\easinvoker.exe

Filesize
75KB

MD5
beba5f5a62e1e3a01f1adb028192e475

SHA1
9e22d7a129074e118531bf328e75235fa5135be4

SHA256
d6c7259046e76e147e2d0f40329e0605287c80a51e6417babcd4b5d9998949ce

SHA512
648f10dc7ffbe660c9beab755aabc831299d78afa70bb94fa89cde6dd3a1ceffa567c9509b0045a078d587300034342151e5434fcb8ecbee44c1fe232fe9856b

Download Submit
C:\Windows \System32\easinvoker.exe

Filesize
75KB

MD5
beba5f5a62e1e3a01f1adb028192e475

SHA1
9e22d7a129074e118531bf328e75235fa5135be4

SHA256
d6c7259046e76e147e2d0f40329e0605287c80a51e6417babcd4b5d9998949ce

SHA512
648f10dc7ffbe660c9beab755aabc831299d78afa70bb94fa89cde6dd3a1ceffa567c9509b0045a078d587300034342151e5434fcb8ecbee44c1fe232fe9856b

Download Submit
C:\Windows \System32\easinvoker.exe

Filesize
75KB

MD5
beba5f5a62e1e3a01f1adb028192e475

SHA1
9e22d7a129074e118531bf328e75235fa5135be4

SHA256
d6c7259046e76e147e2d0f40329e0605287c80a51e6417babcd4b5d9998949ce

SHA512
648f10dc7ffbe660c9beab755aabc831299d78afa70bb94fa89cde6dd3a1ceffa567c9509b0045a078d587300034342151e5434fcb8ecbee44c1fe232fe9856b

Download Submit
C:\Windows \System32\netutils.dll

Filesize
108KB

MD5
0511e36a6408d2197034ca03c7db9b02

SHA1
54cbb647c50076239eedd94aff3c8240eb0c4125

SHA256
35e4a45c3a3f42ef5d340e891e864bafc49e7e869c626bad456290c9cc888303

SHA512
613ba2bef07bd751aad3e21c18b6c02635fea2b02523908b61fc60aa48d8759bb9b138582e8e617555c49d9bead9fa4dfa6263f5f88f8249c89c82f136665e78

Download Submit
memory/1664-90-0x0000000010590000-0x000000001060D000-memory.dmp

Filesize
500KB

Download
memory/1664-101-0x0000000001E40000-0x0000000001EBA000-memory.dmp

Filesize
488KB

Download
memory/1664-100-0x0000000010590000-0x000000001060D000-memory.dmp

Filesize
500KB

Download
memory/1884-58-0x0000000001F90000-0x0000000001FE1000-memory.dmp

Filesize
324KB

Download
memory/1884-54-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/1884-63-0x0000000001F90000-0x0000000001FE1000-memory.dmp

Filesize
324KB

Download
memory/1884-64-0x0000000001F90000-0x0000000001FE1000-memory.dmp

Filesize
324KB

Download
memory/1884-65-0x0000000001F90000-0x0000000001FE1000-memory.dmp

Filesize
324KB

Download
memory/1884-61-0x0000000001F90000-0x0000000001FE1000-memory.dmp

Filesize
324KB

Download
memory/1884-60-0x0000000001F90000-0x0000000001FE1000-memory.dmp

Filesize
324KB

Download
memory/1884-57-0x0000000001F90000-0x0000000001FE1000-memory.dmp

Filesize
324KB

Download
memory/1884-69-0x0000000001F90000-0x0000000001FE1000-memory.dmp

Filesize
324KB

Download
memory/1884-59-0x0000000001F90000-0x0000000001FE1000-memory.dmp

Filesize
324KB

Download
memory/1884-68-0x0000000001F90000-0x0000000001FE1000-memory.dmp

Filesize
324KB

Download
memory/1884-62-0x0000000001F90000-0x0000000001FE1000-memory.dmp

Filesize
324KB

Download
memory/1884-98-0x0000000001F90000-0x0000000001FE1000-memory.dmp

Filesize
324KB

Download
memory/1884-97-0x0000000001F90000-0x0000000001FE1000-memory.dmp

Filesize
324KB

Download
memory/1884-96-0x0000000001F90000-0x0000000001FE1000-memory.dmp

Filesize
324KB

Download
memory/1884-95-0x0000000001F90000-0x0000000001FE1000-memory.dmp

Filesize
324KB

Download
memory/1884-94-0x0000000001F90000-0x0000000001FE1000-memory.dmp

Filesize
324KB

Download
memory/1884-93-0x0000000001F90000-0x0000000001FE1000-memory.dmp

Filesize
324KB

Download
memory/1884-92-0x0000000001F90000-0x0000000001FE1000-memory.dmp

Filesize
324KB

Download
memory/1884-67-0x0000000001F90000-0x0000000001FE1000-memory.dmp

Filesize
324KB

Download
memory/1884-66-0x0000000001F90000-0x0000000001FE1000-memory.dmp

Filesize
324KB

Download
memory/1884-56-0x0000000001F90000-0x0000000001FE1000-memory.dmp

Filesize
324KB

Download