modiloader | 14aa402bbdc446b9b015191ff6ef6ae96c512d7956a56838e5488220f0b185e9 | Triage

Sharing

General

Target

14aa402bbdc446b9b015191ff6ef6ae96c512d7956a56838e5488220f0b185e9
Size

851KB
Sample

230829-nwxvcsfc4t
MD5

97c982b941bd14d764232e05b36e3bf2
SHA1

609024d69f6ce9d1f9c1da0044551a1fa685cc8a
SHA256

14aa402bbdc446b9b015191ff6ef6ae96c512d7956a56838e5488220f0b185e9
SHA512

7b6ca464f4431c8b9b6a223d51022ff79313b8266a4512640f6758f9e91def00de83d098a14c442a0f4c0df7f1748bd58d6d43f33983f3c7dccfef56b9bbed0c
SSDEEP

24576:opE8lEgWUtzdAaBd8NZlzQ4oAHOVRm63RzcKJdWRmDgxVzG:OE83WYfBeNfQpAOmW/fWRmD0Vy

Score

10^/10

modiloader remcos remotehost persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

127.0.0.1:45200

127.0.0.1:45002

163.123.143.162:45002

163.123.143.162:45200

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-1VL66Z
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Mufopxdqjropfz.exe
- Size
  
  1.2MB
- MD5
  
  3a7c4f802b051ee107893828d4faea1e
- SHA1
  
  39f8198e22ab06c3468530ec716c26e92bcfa73e
- SHA256
  
  530fcc08a90aa5576aa91055fef451cbbf2882dc59adde84e71482e4e782d168
- SHA512
  
  21536d7666a6183c8b4da8c10b1863e4e9a186c6b0cc0d2f91b0e1ea56c3b95d30e23b8c8bc54135a97db2ad6eddd5bd6761710647e8019e93bf88c4ca80aa49
- SSDEEP
  
  24576:swGq5fTk3ROmX7zJDlzuqezXlu+VkGdKitox:swLfTcLzX38Vu+3EitK
Score

10^/10

modiloader trojan remcos remotehost persistence rat
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- ModiLoader Second Stage
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Remote System Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

modiloadertrojan

behavioral2

modiloaderremcosremotehostpersistencerattrojan