modiloader | 7ff888a459a2476f9e3dfcaf8799f30bc24808d103606512503949b3ab818cc4

Analysis

max time kernel
158s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2022, 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

order confirmation reference no. FXEPS6S08102.exe
Size

891KB
MD5

19877c0de0c846072076447d6e4b539c
SHA1

ed8dbcd877b29427a0e65afca87a961b913b2427
SHA256

7ff888a459a2476f9e3dfcaf8799f30bc24808d103606512503949b3ab818cc4
SHA512

af2e143f89786bc3bfef86168fc682db667fe7517922e6f3b02d900db929be3e49d212d970be9b393597648e24db0310222a7f8285c995570857b8404ed7ebcb
SSDEEP

12288:ZOoNkC1LR7d1g1Iasz4l4yDoCHjsG83q/rhf7fvQBu5F:ZbpRh1i+4ToT3q/lvku/

Score

10^/10

modiloader remcos yak persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

yak

bestsuccess.ddns.net:2442

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
dfe.dst
keylog_flag
false
keylog_folder
rtrrrrrrrrrrrrrrrr
keylog_path
%Temp%
mouse_option
false
mutex
ssssssssssssssssssssssa-VBDY16
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

ModiLoader Second Stage 63 IoCs

resource	yara_rule
behavioral2/memory/4688-133-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-136-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-137-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-138-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-135-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-140-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-141-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-142-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-143-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-144-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-139-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-145-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-146-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-147-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-148-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-149-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-150-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-151-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-153-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-154-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-155-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-156-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-157-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-158-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-152-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-159-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-160-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-161-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-162-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-163-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-164-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-165-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-167-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-168-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-169-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-166-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-170-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-171-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-172-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-173-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-174-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-175-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-176-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-177-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-178-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-179-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-180-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-181-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-182-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-183-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-184-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-185-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-186-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-187-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-188-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-189-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-190-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-192-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-193-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-191-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-194-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-195-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2
behavioral2/memory/4688-196-0x0000000002A60000-0x0000000002AC4000-memory.dmp	modiloader_stage2

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nrebwdfk = "C:\\Users\\Public\\Libraries\\kfdwberN.url"	order confirmation reference no. FXEPS6S08102.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4688 set thread context of 4280	4688	order confirmation reference no. FXEPS6S08102.exe	89

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4280	order confirmation reference no. FXEPS6S08102.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4688 wrote to memory of 4280	4688	order confirmation reference no. FXEPS6S08102.exe	89
PID 4688 wrote to memory of 4280	4688	order confirmation reference no. FXEPS6S08102.exe	89
PID 4688 wrote to memory of 4280	4688	order confirmation reference no. FXEPS6S08102.exe	89
PID 4688 wrote to memory of 4280	4688	order confirmation reference no. FXEPS6S08102.exe	89

C:\Users\Admin\AppData\Local\Temp\order confirmation reference no. FXEPS6S08102.exe
"C:\Users\Admin\AppData\Local\Temp\order confirmation reference no. FXEPS6S08102.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Users\Admin\AppData\Local\Temp\order confirmation reference no. FXEPS6S08102.exe
  "C:\Users\Admin\AppData\Local\Temp\order confirmation reference no. FXEPS6S08102.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4280-288-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4280-289-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4688-133-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-136-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-137-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-138-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-135-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-140-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-141-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-142-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-143-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-144-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-139-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-145-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-146-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-147-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-148-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-149-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-150-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-151-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-153-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-154-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-155-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-156-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-157-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-158-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-152-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-159-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-160-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-161-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-162-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-163-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-164-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-165-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-167-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-168-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-169-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-166-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-170-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-171-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-172-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-173-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-174-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-175-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-176-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-177-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-178-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-179-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-180-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-181-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-182-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-183-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-184-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-185-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-186-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-187-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-188-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-189-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-190-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-192-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-193-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-191-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-194-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-195-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download
memory/4688-196-0x0000000002A60000-0x0000000002AC4000-memory.dmp

Filesize
400KB

Download