modiloader | 37503c7646071d22653b6be7fdb8ec8d9abbfe8cbfca39650255c131b01f4fd2

General

Target

91489557012035DraftBLFmKNNBRecd07Apr23CFM.exe
Size

673KB
MD5

7a22c075e6bb86f3a537fd592925d0f8
SHA1

657dde8c6b11a14aa398481768079f3286e37360
SHA256

37503c7646071d22653b6be7fdb8ec8d9abbfe8cbfca39650255c131b01f4fd2
SHA512

9f1025ab193b0bfd7dfa38f59d2071f2f0293856fe6e1604e0667f93f0f15f241f7458d96c7992d382f7eb1ea6030b8156721dc0de95ad562a319544db655226
SSDEEP

12288:KD+aLrg9LSA91a6XQYOg5f46XzsOpj2pMFr0sbOTWE:Ki08wU1a6Xv1B4oKMEW

Score

10^/10

modiloader remcos razor persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

Razor

C2

20.251.10.189:2349

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
oldosos.dat
keylog_flag
false
keylog_path
%UserProfile%
mouse_option
false
mutex
razorsoso-K5DGEB
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5088-133-0x0000000002260000-0x000000000228C000-memory.dmp	modiloader_stage2

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

91489557012035DraftBLFmKNNBRecd07Apr23CFM.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xnuecpqr = "C:\\Users\\Public\\Libraries\\rqpceunX.url"	91489557012035DraftBLFmKNNBRecd07Apr23CFM.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

91489557012035DraftBLFmKNNBRecd07Apr23CFM.exe

pid	process
5088	91489557012035DraftBLFmKNNBRecd07Apr23CFM.exe
5088	91489557012035DraftBLFmKNNBRecd07Apr23CFM.exe
5088	91489557012035DraftBLFmKNNBRecd07Apr23CFM.exe
5088	91489557012035DraftBLFmKNNBRecd07Apr23CFM.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

91489557012035DraftBLFmKNNBRecd07Apr23CFM.exe

description	pid	process	target process
PID 5088 wrote to memory of 4100	5088	91489557012035DraftBLFmKNNBRecd07Apr23CFM.exe	colorcpl.exe
PID 5088 wrote to memory of 4100	5088	91489557012035DraftBLFmKNNBRecd07Apr23CFM.exe	colorcpl.exe
PID 5088 wrote to memory of 4100	5088	91489557012035DraftBLFmKNNBRecd07Apr23CFM.exe	colorcpl.exe
PID 5088 wrote to memory of 4100	5088	91489557012035DraftBLFmKNNBRecd07Apr23CFM.exe	colorcpl.exe
PID 5088 wrote to memory of 4100	5088	91489557012035DraftBLFmKNNBRecd07Apr23CFM.exe	colorcpl.exe
PID 5088 wrote to memory of 4100	5088	91489557012035DraftBLFmKNNBRecd07Apr23CFM.exe	colorcpl.exe
PID 5088 wrote to memory of 4100	5088	91489557012035DraftBLFmKNNBRecd07Apr23CFM.exe	colorcpl.exe
PID 5088 wrote to memory of 4100	5088	91489557012035DraftBLFmKNNBRecd07Apr23CFM.exe	colorcpl.exe
PID 5088 wrote to memory of 4100	5088	91489557012035DraftBLFmKNNBRecd07Apr23CFM.exe	colorcpl.exe
PID 5088 wrote to memory of 4100	5088	91489557012035DraftBLFmKNNBRecd07Apr23CFM.exe	colorcpl.exe
PID 5088 wrote to memory of 4100	5088	91489557012035DraftBLFmKNNBRecd07Apr23CFM.exe	colorcpl.exe
PID 5088 wrote to memory of 4100	5088	91489557012035DraftBLFmKNNBRecd07Apr23CFM.exe	colorcpl.exe
PID 5088 wrote to memory of 4100	5088	91489557012035DraftBLFmKNNBRecd07Apr23CFM.exe	colorcpl.exe
PID 5088 wrote to memory of 4100	5088	91489557012035DraftBLFmKNNBRecd07Apr23CFM.exe	colorcpl.exe
PID 5088 wrote to memory of 4100	5088	91489557012035DraftBLFmKNNBRecd07Apr23CFM.exe	colorcpl.exe
PID 5088 wrote to memory of 4100	5088	91489557012035DraftBLFmKNNBRecd07Apr23CFM.exe	colorcpl.exe
PID 5088 wrote to memory of 4100	5088	91489557012035DraftBLFmKNNBRecd07Apr23CFM.exe	colorcpl.exe

C:\Users\Admin\AppData\Local\Temp\91489557012035DraftBLFmKNNBRecd07Apr23CFM.exe
"C:\Users\Admin\AppData\Local\Temp\91489557012035DraftBLFmKNNBRecd07Apr23CFM.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5088

C:\Windows\SysWOW64\colorcpl.exe
C:\Windows\System32\colorcpl.exe
2⤵
PID:4100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4100-172-0x0000000004790000-0x0000000004810000-memory.dmp

Filesize
512KB

Download
memory/4100-173-0x0000000004790000-0x0000000004810000-memory.dmp

Filesize
512KB

Download
memory/4100-163-0x0000000004790000-0x0000000004810000-memory.dmp

Filesize
512KB

Download
memory/4100-164-0x0000000004790000-0x0000000004810000-memory.dmp

Filesize
512KB

Download
memory/4100-148-0x00000000045E0000-0x00000000045E1000-memory.dmp

Filesize
4KB

Download
memory/4100-149-0x00000000046A0000-0x00000000046A1000-memory.dmp

Filesize
4KB

Download
memory/4100-162-0x0000000004790000-0x0000000004810000-memory.dmp

Filesize
512KB

Download
memory/4100-154-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/4100-155-0x0000000004790000-0x0000000004810000-memory.dmp

Filesize
512KB

Download
memory/4100-160-0x0000000010590000-0x0000000010613000-memory.dmp

Filesize
524KB

Download
memory/4100-161-0x0000000004790000-0x0000000004810000-memory.dmp

Filesize
512KB

Download
memory/4100-158-0x0000000004790000-0x0000000004810000-memory.dmp

Filesize
512KB

Download
memory/4100-181-0x0000000004790000-0x0000000004810000-memory.dmp

Filesize
512KB

Download
memory/4100-180-0x0000000004790000-0x0000000004810000-memory.dmp

Filesize
512KB

Download
memory/4100-179-0x0000000004790000-0x0000000004810000-memory.dmp

Filesize
512KB

Download
memory/4100-165-0x0000000004790000-0x0000000004810000-memory.dmp

Filesize
512KB

Download
memory/4100-166-0x0000000004790000-0x0000000004810000-memory.dmp

Filesize
512KB

Download
memory/4100-171-0x0000000004790000-0x0000000004810000-memory.dmp

Filesize
512KB

Download
memory/4100-178-0x0000000004790000-0x0000000004810000-memory.dmp

Filesize
512KB

Download
memory/4100-176-0x0000000004790000-0x0000000004810000-memory.dmp

Filesize
512KB

Download
memory/4100-174-0x0000000004790000-0x0000000004810000-memory.dmp

Filesize
512KB

Download
memory/5088-135-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/5088-133-0x0000000002260000-0x000000000228C000-memory.dmp

Filesize
176KB

Download
memory/5088-147-0x0000000010590000-0x0000000010613000-memory.dmp

Filesize
524KB

Download
memory/5088-136-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/5088-153-0x0000000010590000-0x0000000010613000-memory.dmp

Filesize
524KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads