modiloader | c74129b7d96e5859f57324918076b665247524663105d93a8bb546d1711fce46 | Triage

Sharing

General

Target

Pedido0922023_xlsx.7z
Size

409KB
Sample

230922-s7q86sha41
MD5

40cafd5bd1115f469c79af9b771b9ec0
SHA1

6f6aa00dd40eb1b9e288f5cec2dbf4f83ddc8c94
SHA256

c74129b7d96e5859f57324918076b665247524663105d93a8bb546d1711fce46
SHA512

3535fed17d4ea7771b8642f429694402c5deabccd60c3f509a26c0bfd2d8bd8358f34742172e43ca7866d74a06d12e5ac2993741c53088bebf1c214d26d3a2b4
SSDEEP

12288:kJ1s6VWmxj7pYkHKler/FU91JXDTKsuKLZ1My9C+n:SjYvIZU91JzTthLf/n

Score

10^/10

modiloader remcos rj101 persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

rj101

C2

193.142.59.6:9494

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-SISLEN
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Pedido0922023_xlsx.exe
- Size
  
  1.2MB
- MD5
  
  13edbab0f54c88b7d5494995732d8bc1
- SHA1
  
  43927cc0d33769d9b0634ec9bc364ba6e25a6151
- SHA256
  
  b6175aa04f79e44af020154cbec1baaf6e4e60de42b69b32b37bd8fcd64d5bac
- SHA512
  
  2f23c0bc843d1234dd34201450edfce4d2ff136e5f420a2cfb9a3dfcb97d96c8936cfb0ff7123919d102c4915e7396dc811c37cc12287130b8a98328be21bfdc
- SSDEEP
  
  12288:dN7i6PeBQ9p1nU+Ji+/F1u1mlNHbsgyAvBvvc+X2B+d4ELSQZBLLKbIt383739Da:d5i6lnUr+fuMpNDJ2UxtkRN0D9h1
Score

10^/10

modiloader trojan remcos rj101 persistence rat
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- ModiLoader Second Stage
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

modiloadertrojan

behavioral2

modiloaderremcosrj101persistencerattrojan