modiloader | 8fc8cf26214f21216acf9a813b5e585ed7e7c23f36d49ab7a65c93f8fffa9510 | Triage

Sharing

General

Target

Tender_MEPSHAMA3790498857644.7z
Size

890KB
Sample

230413-zrptqsff2w
MD5

687a9b157998b79eed55a95532fef9ac
SHA1

e5d0ad42bd8244e3be59ab4b531cac1b26e99378
SHA256

8fc8cf26214f21216acf9a813b5e585ed7e7c23f36d49ab7a65c93f8fffa9510
SHA512

2b2bab97a5c19927e36ee3feefa302534943559734cf1e2c212d48262d5fd72ae01e6cb76d5df3ef999a1b64e18f1b22763adedff5b822c19e563e362baa941c
SSDEEP

12288:GW9Xg0xtt7nS2Kq94DhnoPJ+wofEZjNNyGaPuVJgW61h8BLQc87YjuFv76Wkk2sD:GnMXTL4DhqJFiIB2GAWBGcMYM6vkMDMH

Score

10^/10

modiloader remcos march-logs-2023 persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

March-Logs-2023

C2

pentester01.duckdns.org:49136

pentester0.accesscam.org:56796

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
owa.exe
copy_folder
owa
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Wetransfer
mouse_option
false
mutex
owa-6972V4
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
owa
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Architectural Drawing_BNBC Contracting L.L.C/Architectural Drawing_BNBC Contracting L.L.C..exe
- Size
  
  119.2MB
- MD5
  
  4edd8557a0e3a4292e54a08c86d36c6f
- SHA1
  
  ef07eebcff1756d2fae57588191d5d9d4bcc6de5
- SHA256
  
  89106b882ba55c7830d3934a14ca223714f73804790531ba3acdd76bf1f6f35e
- SHA512
  
  a059849b756ff6ebe20c0ff3d05c779d83861e68f4ab2da8479671c76aad65a08ed4751498cee5355a29e5e2b8f7a2fdfcbe4d38569d2c44edd1b354d2e9d38d
- SSDEEP
  
  12288:cjtATpxC7cYFqGwib8yzaeCvFJIqtIz2XxkJ/PufCUWUo2:cjt2pHYkUraDvFTIaBkJ/Pu/ro
Score

10^/10

modiloader trojan remcos march-logs-2023 persistence rat
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- ModiLoader Second Stage
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2
- Target
  
  BOQ_BNBC Contracting L.L.C/BOQ_BNBC Contracting L.L.C..exe
- Size
  
  124.0MB
- MD5
  
  79ec74ebfb2ee63aaabe7de8393fc6e7
- SHA1
  
  e1c18d5d0093b04598c2047aa6cc976cbfa596f4
- SHA256
  
  1c9ae205c0b92c0ef2406231c2039746319931ef2345d22645c0bc88d22a3f75
- SHA512
  
  b44eed801f4adb9bbbb14bc80ab4cd8cf9fffaa1354b0eba6e959270ee15ed41ced8933db70e8e000114ef3dbb020aeae2c81471bd65a698fa77c9994b8ebeb3
- SSDEEP
  
  12288:cjtATpxC7cYFqGwib8yzaeCvFJIqtIz2XxkJ/PufCUWUo2:cjt2pHYkUraDvFTIaBkJ/Pu/ro
Score

10^/10

modiloader trojan remcos march-logs-2023 persistence rat
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- ModiLoader Second Stage
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral3 behavioral4
- Target
  
  Specifications_BNBC Contracting L.L.C/Specifications_BNBC Contracting L.L.C..exe
- Size
  
  114.4MB
- MD5
  
  c4499955926665a4dbe0ebc1828168eb
- SHA1
  
  b2ddd85193a36497af9097d53d62e482e48907cf
- SHA256
  
  7e7644577438369b7f91b3541981b11d92340307f50e41f8ad1705ff1ecd2ac6
- SHA512
  
  885b805ce2616e7a930a50ef301aed70ea4a634993c95c21a565aee0d28a6b71885c199eb3d87d10a50bf67b3d68888e79e20f5f1f05f90dba1b5387aeea5f04
- SSDEEP
  
  12288:cjtATpxC7cYFqGwib8yzaeCvFJIqtIz2XxkJ/PufCUWUo2:cjt2pHYkUraDvFTIaBkJ/Pu/ro
Score

10^/10

modiloader trojan remcos march-logs-2023 persistence rat
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- ModiLoader Second Stage
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral5 behavioral6

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

modiloadertrojan

behavioral2

modiloaderremcosmarch-logs-2023persistencerattrojan

behavioral3

modiloadertrojan

behavioral4

modiloaderremcosmarch-logs-2023persistencerattrojan

behavioral5

modiloadertrojan

behavioral6

modiloaderremcosmarch-logs-2023persistencerattrojan