modiloader | b17a0e58bb2fe47b6abe314c9abf6ab3c52339c9484ec7c1690d4d0aba619d7d

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2022 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Purchase Order–P2D026434-590000206/New Purchase Order–P2D026434-59000034675.exe
Size

902KB
MD5

9532ec4054bbcd5e7c57d56b84a79c05
SHA1

f14ec826b3b8d885f06279fdf10279b291e9b424
SHA256

66036dbdefe6e7a12bd3d05d98be19e5ea65f339866b3765c0bbe057615e4e86
SHA512

d981b28e6da4e1070db7509837b0f6ac3f77765deac60a1a86171041a0484e8ad975a00f21d489105925a29e306bcc55f1b7424595480b0da45f69829066098a
SSDEEP

12288:i9DB0XN+2zVPNZHHuixe/5Zh0SYWf1bjUGKgEbORhFBN8De3JFjcTWZmhj+wzhd:uDmwoHHuSe/5j0ifVU5u8DAo3YYh

Score

10^/10

modiloader remcos duckdomain-file persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

DUCKDOMAIN-FILE

dapsan.duckdns.org:2404

www.dapsan.biz:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-BERTBE
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

ModiLoader Second Stage 63 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1016-132-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-134-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-135-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-136-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-137-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-138-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-140-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-139-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-141-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-142-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-143-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-144-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-145-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-146-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-147-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-148-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-150-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-151-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-149-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-152-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-153-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-154-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-155-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-156-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-157-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-159-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-158-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-160-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-161-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-162-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-163-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-164-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-165-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-166-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-167-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-168-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-169-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-170-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-171-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-172-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-173-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-174-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-175-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-176-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-177-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-178-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-179-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-180-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-181-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-182-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-183-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-185-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-184-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-186-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-187-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-190-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-189-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-188-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-191-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-192-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-193-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-194-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2
behavioral2/memory/1016-195-0x0000000002860000-0x000000000288B000-memory.dmp	modiloader_stage2

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

New Purchase Order–P2D026434-59000034675.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Codboglk = "C:\\Users\\Public\\Libraries\\klgobdoC.url"	New Purchase Order–P2D026434-59000034675.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

New Purchase Order–P2D026434-59000034675.exe

pid process

1016 New Purchase Order–P2D026434-59000034675.exe
1016 New Purchase Order–P2D026434-59000034675.exe

pid	process
1016	New Purchase Order–P2D026434-59000034675.exe
1016	New Purchase Order–P2D026434-59000034675.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

New Purchase Order–P2D026434-59000034675.exe

description	pid	process	target process
PID 1016 wrote to memory of 1628	1016	New Purchase Order–P2D026434-59000034675.exe	colorcpl.exe
PID 1016 wrote to memory of 1628	1016	New Purchase Order–P2D026434-59000034675.exe	colorcpl.exe
PID 1016 wrote to memory of 1628	1016	New Purchase Order–P2D026434-59000034675.exe	colorcpl.exe
PID 1016 wrote to memory of 1628	1016	New Purchase Order–P2D026434-59000034675.exe	colorcpl.exe
PID 1016 wrote to memory of 1628	1016	New Purchase Order–P2D026434-59000034675.exe	colorcpl.exe
PID 1016 wrote to memory of 1628	1016	New Purchase Order–P2D026434-59000034675.exe	colorcpl.exe
PID 1016 wrote to memory of 1628	1016	New Purchase Order–P2D026434-59000034675.exe	colorcpl.exe
PID 1016 wrote to memory of 1628	1016	New Purchase Order–P2D026434-59000034675.exe	colorcpl.exe
PID 1016 wrote to memory of 1628	1016	New Purchase Order–P2D026434-59000034675.exe	colorcpl.exe
PID 1016 wrote to memory of 1628	1016	New Purchase Order–P2D026434-59000034675.exe	colorcpl.exe
PID 1016 wrote to memory of 1628	1016	New Purchase Order–P2D026434-59000034675.exe	colorcpl.exe
PID 1016 wrote to memory of 1628	1016	New Purchase Order–P2D026434-59000034675.exe	colorcpl.exe
PID 1016 wrote to memory of 1628	1016	New Purchase Order–P2D026434-59000034675.exe	colorcpl.exe
PID 1016 wrote to memory of 1628	1016	New Purchase Order–P2D026434-59000034675.exe	colorcpl.exe
PID 1016 wrote to memory of 1628	1016	New Purchase Order–P2D026434-59000034675.exe	colorcpl.exe
PID 1016 wrote to memory of 1628	1016	New Purchase Order–P2D026434-59000034675.exe	colorcpl.exe
PID 1016 wrote to memory of 1628	1016	New Purchase Order–P2D026434-59000034675.exe	colorcpl.exe

C:\Users\Admin\AppData\Local\Temp\New Purchase Order–P2D026434-590000206\New Purchase Order–P2D026434-59000034675.exe
"C:\Users\Admin\AppData\Local\Temp\New Purchase Order–P2D026434-590000206\New Purchase Order–P2D026434-59000034675.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\SysWOW64\colorcpl.exe
C:\Windows\System32\colorcpl.exe
2⤵
PID:1628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1016-132-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-134-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-135-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-136-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-137-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-138-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-140-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-139-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-141-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-142-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-143-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-144-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-145-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-146-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-147-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-148-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-150-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-151-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-149-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-152-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-153-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-154-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-155-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-156-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-157-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-159-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-158-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-160-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-161-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-162-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-163-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-164-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-165-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-166-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-167-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-168-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-169-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-170-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-171-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-172-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-173-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-174-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-175-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-176-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-177-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-178-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-179-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-180-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-181-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-182-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-183-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-185-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-184-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-186-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-187-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-190-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-189-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-188-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-191-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-192-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-193-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-194-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1016-195-0x0000000002860000-0x000000000288B000-memory.dmp

Filesize
172KB

Download
memory/1628-209-0x0000000000000000-mapping.dmp

Download
memory/1628-300-0x0000000010590000-0x0000000010612000-memory.dmp

Filesize
520KB

Download
memory/1628-302-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1628-335-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download