modiloader | a4a9151dee1026abcaec06ec7596983a05cc7df43c37d5646e17ae02e2902445 | Triage

Sharing

General

Target

DOC20220513PRELIMINARC0559DOC03027321122021JIH.exe
Size

815KB
Sample

230605-qk6dgahd5v
MD5

42100dbc4d976830330cba122d827ddc
SHA1

8c9646c8d072550d064927db102afe5b4226817e
SHA256

a4a9151dee1026abcaec06ec7596983a05cc7df43c37d5646e17ae02e2902445
SHA512

e0d152a67200affbfb3d034976942d0222fd5222b7cc5fd15b04ca9680d8379183048bdf5a122b9f02a6966c99e8d698445c86995222d6aca9a2a89d4eafe439
SSDEEP

12288:Hm5Yjm87zTua9UTx2OwKPUh0Iyy7UhZBosUwj0xJ3nBcN/ZLf:Hvjqa9UV2OwKPdjnjSQIxJ3n6N/l

Score

10^/10

modiloader remcos pharmacy-people persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

PHARMACY-PEOPLE

C2

www.supremeswitchgear.com:32676

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
rematsssss
mouse_option
false
mutex
Rmc-JQWAXU
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  DOC20220513PRELIMINARC0559DOC03027321122021JIH.exe
- Size
  
  815KB
- MD5
  
  42100dbc4d976830330cba122d827ddc
- SHA1
  
  8c9646c8d072550d064927db102afe5b4226817e
- SHA256
  
  a4a9151dee1026abcaec06ec7596983a05cc7df43c37d5646e17ae02e2902445
- SHA512
  
  e0d152a67200affbfb3d034976942d0222fd5222b7cc5fd15b04ca9680d8379183048bdf5a122b9f02a6966c99e8d698445c86995222d6aca9a2a89d4eafe439
- SSDEEP
  
  12288:Hm5Yjm87zTua9UTx2OwKPUh0Iyy7UhZBosUwj0xJ3nBcN/ZLf:Hvjqa9UV2OwKPdjnjSQIxJ3n6N/l
Score

10^/10

modiloader trojan remcos pharmacy-people persistence rat
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- ModiLoader Second Stage
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

modiloadertrojan

behavioral2

modiloaderremcospharmacy-peoplepersistencerattrojan