modiloader | 3ae59bff704751af19ea535dd681e1549cceaafcd053f41d64c982235c8e4148 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

BOQ-523-20...df.exe

windows7-x64

BOQ-523-20...df.exe

windows10-2004-x64

Sharing

General

Target

BOQ-523-2022 R01.pdf.exe
Size

723KB
Sample

230109-j6pvaade42
MD5

7bfb43461dc7e45a2d2019202453f437
SHA1

24092359be8e8957d45a5f912e8011ec2310c657
SHA256

3ae59bff704751af19ea535dd681e1549cceaafcd053f41d64c982235c8e4148
SHA512

85ce8e41ffa0aa3c4db5602fe0ff8eceaae23fcc0b836f2ca25bc1ae8d497f91bc1c05d6abdcca90724f1aa286a9f42b090747f7818ff56c9e1b6a006d7a5e06
SSDEEP

12288:NhrRcQ1GIjHQK1dbre1I8wtBzvoRcbM3VBcO9zJkF5kVn27jvTyUiats:jNGIjHX1re1I8YMRcb+VBcO9zu5S2/vS

Score

10^/10

modiloader remcos jan_2023_port_60976 persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

BOQ-523-2022 R01.pdf.exe

Resource

win7-20221111-en

modiloader trojan

windows7-x64

4 signatures

150 seconds

Behavioral task

behavioral2

Sample

BOQ-523-2022 R01.pdf.exe

Resource

win10v2004-20220812-en

modiloader remcos jan_2023_port_60976 persistence rat trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

Jan_2023_Port_60976

C2

pentester0.accesscam.org:60976

pentester01.duckdns.org:56796

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
onedriver.exe
copy_folder
onedriver
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
dropboxs
mouse_option
false
mutex
CMR-QITYAA
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
onedriver
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  BOQ-523-2022 R01.pdf.exe
- Size
  
  723KB
- MD5
  
  7bfb43461dc7e45a2d2019202453f437
- SHA1
  
  24092359be8e8957d45a5f912e8011ec2310c657
- SHA256
  
  3ae59bff704751af19ea535dd681e1549cceaafcd053f41d64c982235c8e4148
- SHA512
  
  85ce8e41ffa0aa3c4db5602fe0ff8eceaae23fcc0b836f2ca25bc1ae8d497f91bc1c05d6abdcca90724f1aa286a9f42b090747f7818ff56c9e1b6a006d7a5e06
- SSDEEP
  
  12288:NhrRcQ1GIjHQK1dbre1I8wtBzvoRcbM3VBcO9zJkF5kVn27jvTyUiats:jNGIjHX1re1I8YMRcb+VBcO9zu5S2/vS
Score

10^/10

modiloader trojan remcos jan_2023_port_60976 persistence rat
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- ModiLoader Second Stage
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

modiloadertrojan

behavioral2

modiloaderremcosjan_2023_port_60976persistencerattrojan

© 2018-2025

Terms | Privacy