modiloader | 37503c7646071d22653b6be7fdb8ec8d9abbfe8cbfca39650255c131b01f4fd2 | Triage

Sharing

General

Target

91489557012035DraftBLFmKNNBRecd07Apr23CFM.exe
Size

673KB
Sample

230411-hqx1aaba58
MD5

7a22c075e6bb86f3a537fd592925d0f8
SHA1

657dde8c6b11a14aa398481768079f3286e37360
SHA256

37503c7646071d22653b6be7fdb8ec8d9abbfe8cbfca39650255c131b01f4fd2
SHA512

9f1025ab193b0bfd7dfa38f59d2071f2f0293856fe6e1604e0667f93f0f15f241f7458d96c7992d382f7eb1ea6030b8156721dc0de95ad562a319544db655226
SSDEEP

12288:KD+aLrg9LSA91a6XQYOg5f46XzsOpj2pMFr0sbOTWE:Ki08wU1a6Xv1B4oKMEW

Score

10^/10

modiloader remcos razor persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

Razor

C2

20.251.10.189:2349

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
oldosos.dat
keylog_flag
false
keylog_path
%UserProfile%
mouse_option
false
mutex
razorsoso-K5DGEB
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  91489557012035DraftBLFmKNNBRecd07Apr23CFM.exe
- Size
  
  673KB
- MD5
  
  7a22c075e6bb86f3a537fd592925d0f8
- SHA1
  
  657dde8c6b11a14aa398481768079f3286e37360
- SHA256
  
  37503c7646071d22653b6be7fdb8ec8d9abbfe8cbfca39650255c131b01f4fd2
- SHA512
  
  9f1025ab193b0bfd7dfa38f59d2071f2f0293856fe6e1604e0667f93f0f15f241f7458d96c7992d382f7eb1ea6030b8156721dc0de95ad562a319544db655226
- SSDEEP
  
  12288:KD+aLrg9LSA91a6XQYOg5f46XzsOpj2pMFr0sbOTWE:Ki08wU1a6Xv1B4oKMEW
Score

10^/10

modiloader remcos razor persistence rat trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- ModiLoader Second Stage
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

modiloaderremcosrazorpersistencerattrojan