modiloader | 241ce6c7eb13647b6e501b953335b8f3404beeac796bdb1e2d8015d7b7f0472c

Analysis

max time kernel
155s
max time network
183s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-10-2022 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

urge.ps1
Size

1.1MB
MD5

40dba6112a28e876168dc0f65a4d1f3c
SHA1

bd020b4fb2d2ee12182f50440a236ae03ce400a7
SHA256

241ce6c7eb13647b6e501b953335b8f3404beeac796bdb1e2d8015d7b7f0472c
SHA512

b2d74443fb01c539443b1869aa1189bc888e299bdd1607fbee51960a0aef38a59f7c6982091947a61e2440dcab6e4efec233c5ce416241c8a6872867fd39db8f
SSDEEP

24576:j6jfWwIDR/sTgA6M3VbSLbbRjdOcsgIrq8UBIYu6mW:mjfW6g3cVbE4nv+NVu6mW

Score

10^/10

modiloader remcos strong persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

STRONG

hurricane.ydns.eu:1972

official.ydns.eu:1972

Officialsw.chickenkiller.com:1972

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
tughvahyehkgjvkji-A7VCFQ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

ModiLoader Second Stage 58 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1656-64-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-66-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-71-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-72-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-80-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-84-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-87-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-90-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-91-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-89-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-92-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-88-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-93-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-101-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-104-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-107-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-108-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-109-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-110-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-113-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-112-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-111-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-106-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-105-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-103-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-102-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-100-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-99-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-98-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-97-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-96-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-95-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-94-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-86-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-85-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-83-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-82-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-81-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-79-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-78-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-77-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-76-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-75-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-74-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-73-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-70-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-69-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-68-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-67-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-119-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-122-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-121-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-120-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-118-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-117-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-116-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-115-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-114-0x0000000000270000-0x000000000029A000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

Processes:

mspaint.exemspaint.exe

pid process

1656 mspaint.exe
976 mspaint.exe
Loads dropped DLL 1 IoCs

Processes:

mspaint.exe

pid process

1656 mspaint.exe

pid	process
1656	mspaint.exe
976	mspaint.exe

pid	process
1656	mspaint.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mspaint.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Enfxsbvx = "C:\\Users\\Public\\Libraries\\xvbsxfnE.url"	mspaint.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

mspaint.exe

description pid process target process

PID 1656 set thread context of 976 1656 mspaint.exe mspaint.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

864 powershell.exe
864 powershell.exe
864 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 864 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

mspaint.exe

pid process

976 mspaint.exe

description	pid	process	target process
PID 1656 set thread context of 976	1656	mspaint.exe	mspaint.exe

pid	process
864	powershell.exe
864	powershell.exe
864	powershell.exe

description	pid	process
Token: SeDebugPrivilege	864	powershell.exe

pid	process
976	mspaint.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

powershell.exemspaint.exe

description	pid	process	target process
PID 864 wrote to memory of 1656	864	powershell.exe	mspaint.exe
PID 864 wrote to memory of 1656	864	powershell.exe	mspaint.exe
PID 864 wrote to memory of 1656	864	powershell.exe	mspaint.exe
PID 864 wrote to memory of 1656	864	powershell.exe	mspaint.exe
PID 1656 wrote to memory of 976	1656	mspaint.exe	mspaint.exe
PID 1656 wrote to memory of 976	1656	mspaint.exe	mspaint.exe
PID 1656 wrote to memory of 976	1656	mspaint.exe	mspaint.exe
PID 1656 wrote to memory of 976	1656	mspaint.exe	mspaint.exe
PID 1656 wrote to memory of 976	1656	mspaint.exe	mspaint.exe
PID 1656 wrote to memory of 976	1656	mspaint.exe	mspaint.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\urge.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:864

C:\Users\Admin\AppData\Local\Temp\mspaint.exe
"C:\Users\Admin\AppData\Local\Temp\mspaint.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1656

C:\Users\Admin\AppData\Local\Temp\mspaint.exe
"C:\Users\Admin\AppData\Local\Temp\mspaint.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mspaint.exe
Filesize
854KB

MD5
777c23ee9da2f80efde77bcb5236ba13

SHA1
411971a8464e6b1e134947a360869840c8262692

SHA256
e3c9bc7c86bc1a728aaa3d5fc9d1ca2dd808529932f7b7129effa46168a25f7b

SHA512
0cede2fafaadb998bbc66975742a3f1f4926bf6da0dbce9c91523f2e8328ccd3257fd412ba9292552c190da272345e16920899eae15c045c5475d7748f347bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mspaint.exe
Filesize
854KB

MD5
777c23ee9da2f80efde77bcb5236ba13

SHA1
411971a8464e6b1e134947a360869840c8262692

SHA256
e3c9bc7c86bc1a728aaa3d5fc9d1ca2dd808529932f7b7129effa46168a25f7b

SHA512
0cede2fafaadb998bbc66975742a3f1f4926bf6da0dbce9c91523f2e8328ccd3257fd412ba9292552c190da272345e16920899eae15c045c5475d7748f347bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mspaint.exe
Filesize
854KB

MD5
777c23ee9da2f80efde77bcb5236ba13

SHA1
411971a8464e6b1e134947a360869840c8262692

SHA256
e3c9bc7c86bc1a728aaa3d5fc9d1ca2dd808529932f7b7129effa46168a25f7b

SHA512
0cede2fafaadb998bbc66975742a3f1f4926bf6da0dbce9c91523f2e8328ccd3257fd412ba9292552c190da272345e16920899eae15c045c5475d7748f347bcc

Download Submit
\Users\Admin\AppData\Local\Temp\mspaint.exe
Filesize
854KB

MD5
777c23ee9da2f80efde77bcb5236ba13

SHA1
411971a8464e6b1e134947a360869840c8262692

SHA256
e3c9bc7c86bc1a728aaa3d5fc9d1ca2dd808529932f7b7129effa46168a25f7b

SHA512
0cede2fafaadb998bbc66975742a3f1f4926bf6da0dbce9c91523f2e8328ccd3257fd412ba9292552c190da272345e16920899eae15c045c5475d7748f347bcc

Download Submit
memory/864-57-0x000000001B730000-0x000000001BA2F000-memory.dmp

Filesize
3.0MB

Download
memory/864-56-0x000007FEF3B90000-0x000007FEF46ED000-memory.dmp

Filesize
11.4MB

Download
memory/864-55-0x000007FEF46F0000-0x000007FEF5113000-memory.dmp

Filesize
10.1MB

Download
memory/864-62-0x00000000022FB000-0x000000000231A000-memory.dmp

Filesize
124KB

Download
memory/864-60-0x00000000022F4000-0x00000000022F7000-memory.dmp

Filesize
12KB

Download
memory/864-54-0x000007FEFC0D1000-0x000007FEFC0D3000-memory.dmp

Filesize
8KB

Download
memory/976-149-0x0000000000400000-0x000000000047F095-memory.dmp

Filesize
508KB

Download
memory/976-148-0x0000000000400000-0x000000000047F095-memory.dmp

Filesize
508KB

Download
memory/976-131-0x000000000047F000-mapping.dmp

Download
memory/1656-102-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-95-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-80-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-84-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-87-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-90-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-91-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-89-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-92-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-88-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-93-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-101-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-104-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-107-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-108-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-109-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-110-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-113-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-112-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-111-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-106-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-105-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-103-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-71-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-100-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-99-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-98-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-97-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-96-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-72-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-94-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-86-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-85-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-83-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-82-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-81-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-79-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-78-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-77-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-76-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-75-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-74-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-73-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-70-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-69-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-68-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-67-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-119-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-122-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-121-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-120-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-118-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-117-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-116-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-115-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-66-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-64-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1656-61-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download
memory/1656-58-0x0000000000000000-mapping.dmp

Download
memory/1656-114-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download