modiloader | 672d0d85144697e90d3d1e2c22d1a12c05085838c7f71a4973593400bddbe92d

General

Target

INVOICE_.exe
Size

691KB
MD5

8127e66425f32e91d5f8c2a886ac7ba3
SHA1

1ecf360af1fec8126558c99b9ce57da037a948a6
SHA256

9c17a5f35030aefa2086fdf89a91d113d66f98ad3d6abdf2fdf8512d8514ad3b
SHA512

55ff6332db7f4b2056a82e6ff35087f7ba92077e563cc5cccc7ec10f83bd710de2894beded617765095b5d67d00c0ec631445f9d32204226b85ca63dcc8574bd
SSDEEP

12288:kwU+YPHr4rE/NZYAVM6Gw3F7NeiugicyPjDjPVRnR11qb:klB/YNpw17NNugihDDPRXqb

Score

10^/10

modiloader remcos host persistence rat trojan

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

churchboy2.ddns.net:2404

churchboy9.ddns.net:2404

churchboy19.ddns.net:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
jhgcos
keylog_path
%AppData%
mouse_option
false
mutex
peoyqijw
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/1244-134-0x00000000023D0000-0x0000000002402000-memory.dmp	modiloader_stage2

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qsmjpnoj = "C:\\Users\\Public\\Libraries\\jonpjmsQ.url"	INVOICE_.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	41	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	37	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	39	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2660	1244	INVOICE_.exe	90
PID 1244 wrote to memory of 2660	1244	INVOICE_.exe	90
PID 1244 wrote to memory of 2660	1244	INVOICE_.exe	90
PID 1244 wrote to memory of 2660	1244	INVOICE_.exe	90
PID 1244 wrote to memory of 2660	1244	INVOICE_.exe	90
PID 1244 wrote to memory of 2660	1244	INVOICE_.exe	90
PID 1244 wrote to memory of 2660	1244	INVOICE_.exe	90
PID 1244 wrote to memory of 2660	1244	INVOICE_.exe	90
PID 1244 wrote to memory of 2660	1244	INVOICE_.exe	90
PID 1244 wrote to memory of 2660	1244	INVOICE_.exe	90
PID 1244 wrote to memory of 2660	1244	INVOICE_.exe	90
PID 1244 wrote to memory of 2660	1244	INVOICE_.exe	90
PID 1244 wrote to memory of 2660	1244	INVOICE_.exe	90
PID 1244 wrote to memory of 2660	1244	INVOICE_.exe	90
PID 1244 wrote to memory of 2660	1244	INVOICE_.exe	90
PID 1244 wrote to memory of 2660	1244	INVOICE_.exe	90
PID 1244 wrote to memory of 2660	1244	INVOICE_.exe	90

C:\Users\Admin\AppData\Local\Temp\INVOICE_.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE_.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\SysWOW64\SndVol.exe
  "C:\Windows\System32\SndVol.exe"
  2⤵
  PID:2660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1244-146-0x0000000010530000-0x000000001060F000-memory.dmp

Filesize
892KB

Download
memory/1244-134-0x00000000023D0000-0x0000000002402000-memory.dmp

Filesize
200KB

Download
memory/1244-136-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1244-140-0x0000000010530000-0x000000001060F000-memory.dmp

Filesize
892KB

Download
memory/1244-133-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/2660-155-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2660-158-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2660-147-0x0000000001160000-0x0000000001161000-memory.dmp

Filesize
4KB

Download
memory/2660-149-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2660-151-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2660-153-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2660-152-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2660-141-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/2660-156-0x0000000010530000-0x000000001060F000-memory.dmp

Filesize
892KB

Download
memory/2660-142-0x0000000001100000-0x0000000001101000-memory.dmp

Filesize
4KB

Download
memory/2660-159-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2660-160-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2660-161-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2660-162-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2660-163-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2660-164-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2660-165-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2660-166-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2660-167-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing