modiloader | c4cd277e81aec420cdf23a0d5ebff50b0d64dd9c6b3b1942567c263032f64deb | Triage

Sharing

General

Target

b4baab930a798fe4622b535b92c345f3.exe
Size

773KB
Sample

230131-a16feafa7x
MD5

b4baab930a798fe4622b535b92c345f3
SHA1

05de8839222f6ec3d8b6dc9d30e826110f51fae2
SHA256

c4cd277e81aec420cdf23a0d5ebff50b0d64dd9c6b3b1942567c263032f64deb
SHA512

3e04eb076c9d0a4ca425c4d62495ddfac3ada5e5e34adf92d607dc2a42c9c9ddbfed8576a6ec28e0ccaf87816121e039597f20b3d702d1d7706877056663ca28
SSDEEP

12288:sncOtoAFbkyA1KFW5A3AImxsfKutdiQkBkG0nFEAoAYyNG/xhIL/2nSrJWIXnyGI:sn/tJ61OW5AQIl166G02aG7

Score

10^/10

modiloader remcos today-file persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

TODAY-FILE

C2

dansanija.duckdns.org:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
rmc
mouse_option
false
mutex
Rmc-XYGMBB
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  b4baab930a798fe4622b535b92c345f3.exe
- Size
  
  773KB
- MD5
  
  b4baab930a798fe4622b535b92c345f3
- SHA1
  
  05de8839222f6ec3d8b6dc9d30e826110f51fae2
- SHA256
  
  c4cd277e81aec420cdf23a0d5ebff50b0d64dd9c6b3b1942567c263032f64deb
- SHA512
  
  3e04eb076c9d0a4ca425c4d62495ddfac3ada5e5e34adf92d607dc2a42c9c9ddbfed8576a6ec28e0ccaf87816121e039597f20b3d702d1d7706877056663ca28
- SSDEEP
  
  12288:sncOtoAFbkyA1KFW5A3AImxsfKutdiQkBkG0nFEAoAYyNG/xhIL/2nSrJWIXnyGI:sn/tJ61OW5AQIl166G02aG7
Score

10^/10

modiloader remcos today-file persistence rat trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- ModiLoader Second Stage
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

modiloaderremcostoday-filepersistencerattrojan

behavioral2

modiloaderremcostoday-filepersistencerattrojan