modiloader | 1fc078aab853bc4972b2e74e1f04879cd246668bdf120d210fd51a029c021c1c

General

Target

In allegato il nuovo elenco ordini.exe
Size

967KB
Sample

220919-kmwddschbm
MD5

af23007b78a02d5d5ad429880a505c9c
SHA1

fe82317e4682b0d23b457f26c2a3f6493e37a530
SHA256

1fc078aab853bc4972b2e74e1f04879cd246668bdf120d210fd51a029c021c1c
SHA512

849bdfc8e433cf07d75555895dc9eb6f766dc21f15e8d784a04e976723d05b8bb041e833553feb2e1f869ef9018dc489eb8e7e9d9d3d1929bea65d903c3db1a7
SSDEEP

12288:8HbINWvoTEQYJGl/iUfkcogKuqAJA+1z48qDo5ynuzFl2LUv0eMqnexYA1l/X:6b6ZeGBiAkcogKOi+1zSo5ynRxYA7/X

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

newehmpage.webredirect.org:5564

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
java1.exe
copy_folder
java1
delete_file
true
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%SystemDrive%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
java1-3C0HZ3
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
java1
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  In allegato il nuovo elenco ordini.exe
- Size
  
  967KB
- MD5
  
  af23007b78a02d5d5ad429880a505c9c
- SHA1
  
  fe82317e4682b0d23b457f26c2a3f6493e37a530
- SHA256
  
  1fc078aab853bc4972b2e74e1f04879cd246668bdf120d210fd51a029c021c1c
- SHA512
  
  849bdfc8e433cf07d75555895dc9eb6f766dc21f15e8d784a04e976723d05b8bb041e833553feb2e1f869ef9018dc489eb8e7e9d9d3d1929bea65d903c3db1a7
- SSDEEP
  
  12288:8HbINWvoTEQYJGl/iUfkcogKuqAJA+1z48qDo5ynuzFl2LUv0eMqnexYA1l/X:6b6ZeGBiAkcogKOi+1zSo5ynRxYA7/X
Score

10^/10

modiloader trojan remcos remotehost persistence rat
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- ModiLoader Second Stage
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

ModiLoader, DBatLoader

Remcos

ModiLoader Second Stage

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2