modiloader | b17a0e58bb2fe47b6abe314c9abf6ab3c52339c9484ec7c1690d4d0aba619d7d | Triage

Submit
Reports

Overview

overview

Static

static

New Purcha...75.exe

windows7-x64

New Purcha...75.exe

windows10-2004-x64

Sharing

General

Target

8253661232.zip
Size

368KB
Sample

221031-s4f9ssbcg9
MD5

1b215c61f670df8ed1f16c32afe824d6
SHA1

577d12121e8d45cf47308b6eace5da7efa1b74a5
SHA256

b17a0e58bb2fe47b6abe314c9abf6ab3c52339c9484ec7c1690d4d0aba619d7d
SHA512

961dd59036ccf46d0d85315ba89912ffbc57c209da7da39c3bf0bca8b38773853927ecb8d1248f485749835abab72d2372fdbd90e690bd82c8558f5606b62953
SSDEEP

6144:lV3+UExyhuIhug4vPfj/pwohBO65MHJ2bjOtXH6CfFDniaX7hahO7:lV3+UEx6EpweZaHJ2bj4HjPX7SO7

Score

10^/10

modiloader remcos duckdomain-file persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

New Purchase Order–P2D026434-590000206/New Purchase Order–P2D026434-59000034675.exe

Resource

win7-20220812-en

modiloader remcos duckdomain-file persistence rat trojan

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

New Purchase Order–P2D026434-590000206/New Purchase Order–P2D026434-59000034675.exe

Resource

win10v2004-20220901-en

modiloader remcos duckdomain-file persistence rat trojan

windows10-2004-x64

6 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

DUCKDOMAIN-FILE

C2

dapsan.duckdns.org:2404

www.dapsan.biz:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-BERTBE
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  New Purchase Order–P2D026434-590000206/New Purchase Order–P2D026434-59000034675.exe
- Size
  
  902KB
- MD5
  
  9532ec4054bbcd5e7c57d56b84a79c05
- SHA1
  
  f14ec826b3b8d885f06279fdf10279b291e9b424
- SHA256
  
  66036dbdefe6e7a12bd3d05d98be19e5ea65f339866b3765c0bbe057615e4e86
- SHA512
  
  d981b28e6da4e1070db7509837b0f6ac3f77765deac60a1a86171041a0484e8ad975a00f21d489105925a29e306bcc55f1b7424595480b0da45f69829066098a
- SSDEEP
  
  12288:i9DB0XN+2zVPNZHHuixe/5Zh0SYWf1bjUGKgEbORhFBN8De3JFjcTWZmhj+wzhd:uDmwoHHuSe/5j0ifVU5u8DAo3YYh
Score

10^/10

modiloader remcos duckdomain-file persistence rat trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- ModiLoader Second Stage
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

modiloaderremcosduckdomain-filepersistencerattrojan

behavioral2

modiloaderremcosduckdomain-filepersistencerattrojan

© 2018-2024

Terms | Privacy