modiloader | 88c7adf284249c1faec8614b563c2e31fc4fffdbc63bf81a1c0eda8446642178 | Triage

Sharing

General

Target

88c7adf284249c1faec8614b563c2e31fc4fffdbc63bf81a1c0eda8446642178
Size

1.2MB
Sample

230829-q5f93sfg5y
MD5

0cf1f1b440c30083d0c9c32e446a0680
SHA1

2323b8cad178103a32ebf24af8ad9ad8e7f29f6e
SHA256

88c7adf284249c1faec8614b563c2e31fc4fffdbc63bf81a1c0eda8446642178
SHA512

0836357f3840c506b1cc7470c5cb0f35addd203c74a7ca2ee43f24c578e9614a3edbd228b90afcbf2da005ff0067548a5c01412b724ca650d7e367fbcfbe3a82
SSDEEP

24576:swGq5fTk3ROmX7zJDlAuqezXlu+VkGdKitox:swLfTcLzE38Vu+3EitK

Score

10^/10

modiloader remcos es persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

ES

C2

tornado.ydns.eu:1972

orifak.ydns.eu:1972

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
RmEEESSSssss-4VQ5KE
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  88c7adf284249c1faec8614b563c2e31fc4fffdbc63bf81a1c0eda8446642178
- Size
  
  1.2MB
- MD5
  
  0cf1f1b440c30083d0c9c32e446a0680
- SHA1
  
  2323b8cad178103a32ebf24af8ad9ad8e7f29f6e
- SHA256
  
  88c7adf284249c1faec8614b563c2e31fc4fffdbc63bf81a1c0eda8446642178
- SHA512
  
  0836357f3840c506b1cc7470c5cb0f35addd203c74a7ca2ee43f24c578e9614a3edbd228b90afcbf2da005ff0067548a5c01412b724ca650d7e367fbcfbe3a82
- SSDEEP
  
  24576:swGq5fTk3ROmX7zJDlAuqezXlu+VkGdKitox:swLfTcLzE38Vu+3EitK
Score

10^/10

modiloader remcos es persistence rat trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- ModiLoader Second Stage
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Remote System Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

modiloaderremcosespersistencerattrojan