modiloader | b7285db14a569eccf6e5cca5416478153c38b9b7931f0bdea403901c3632cbc9 | Triage

Sharing

General

Target

Document Required310753577644567865689.exe
Size

1.1MB
Sample

230112-jptf5sfe26
MD5

0f1caf9593d310fdb217cb05e62693f9
SHA1

cd3a58a665444ac047aef10e5deefbba65b54e18
SHA256

b7285db14a569eccf6e5cca5416478153c38b9b7931f0bdea403901c3632cbc9
SHA512

985ed0ce05a4ed4eb37630238974f3d487fbe404809229db488ea722a6af115256fe786020ee6bcc6d113186db10fabb22b6b5f4f32f93131db2de2e3807a7f0
SSDEEP

24576:ygaIphuOCwQSQ8eD0jzOt1ytFvDgIFoc5:y2B2DCzOt1ytFvDpFoc

Score

10^/10

modiloader remcos sky-yak persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

SKY-YAK

C2

www.christopherferr.com:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
12345
mouse_option
false
mutex
Rmc-E68T3F
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Document Required310753577644567865689.exe
- Size
  
  1.1MB
- MD5
  
  0f1caf9593d310fdb217cb05e62693f9
- SHA1
  
  cd3a58a665444ac047aef10e5deefbba65b54e18
- SHA256
  
  b7285db14a569eccf6e5cca5416478153c38b9b7931f0bdea403901c3632cbc9
- SHA512
  
  985ed0ce05a4ed4eb37630238974f3d487fbe404809229db488ea722a6af115256fe786020ee6bcc6d113186db10fabb22b6b5f4f32f93131db2de2e3807a7f0
- SSDEEP
  
  24576:ygaIphuOCwQSQ8eD0jzOt1ytFvDgIFoc5:y2B2DCzOt1ytFvDpFoc
Score

10^/10

modiloader trojan remcos sky-yak persistence rat
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- ModiLoader Second Stage
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

modiloadertrojan

behavioral2

modiloaderremcossky-yakpersistencerattrojan