modiloader | 94de4dc571040c2f3d1f9690384778017cf94e58d2f4b25b8e9d9568210eb1ca

General

Target

53e54547d85361d226badc2070b56416.exe
Size

1.1MB
MD5

53e54547d85361d226badc2070b56416
SHA1

f76ceac7224459b0f4928e655d96afceb4e904a9
SHA256

94de4dc571040c2f3d1f9690384778017cf94e58d2f4b25b8e9d9568210eb1ca
SHA512

68c7e7bf23ad0563c0114eb551312202cd0950faeacb910e02136e2141ee6ca53c4de7c8f00665de90d721e61c5733a7b47638417cfeafc59c0857afbece6039
SSDEEP

24576:E+x0KeaVl6fTAz/92jMRffknKdEfa17E+/:E+9zIg1I+/

Score

10^/10

modiloader remcos eu persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

EU

C2

tornado.ydns.eu:1972

orifak.ydns.eu:1972

filwelreg.pw:1972

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
RmgDEfdfdef-B6N60C
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/112-2-0x0000000002A70000-0x0000000003A70000-memory.dmp	modiloader_stage2

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

53e54547d85361d226badc2070b56416.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sbkwabth = "C:\\Users\\Public\\Sbkwabth.url"	53e54547d85361d226badc2070b56416.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 55 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

53e54547d85361d226badc2070b56416.exe

pid process

112 53e54547d85361d226badc2070b56416.exe
112 53e54547d85361d226badc2070b56416.exe

description	flow	ioc
HTTP User-Agent header	55	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
112	53e54547d85361d226badc2070b56416.exe
112	53e54547d85361d226badc2070b56416.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

53e54547d85361d226badc2070b56416.exe

description	pid	process	target process
PID 112 wrote to memory of 1624	112	53e54547d85361d226badc2070b56416.exe	colorcpl.exe
PID 112 wrote to memory of 1624	112	53e54547d85361d226badc2070b56416.exe	colorcpl.exe
PID 112 wrote to memory of 1624	112	53e54547d85361d226badc2070b56416.exe	colorcpl.exe
PID 112 wrote to memory of 1624	112	53e54547d85361d226badc2070b56416.exe	colorcpl.exe

C:\Users\Admin\AppData\Local\Temp\53e54547d85361d226badc2070b56416.exe
"C:\Users\Admin\AppData\Local\Temp\53e54547d85361d226badc2070b56416.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\SysWOW64\colorcpl.exe
C:\Windows\System32\colorcpl.exe
2⤵
PID:1624

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/112-12-0x0000000072E00000-0x0000000072E12000-memory.dmp

Filesize
72KB

Download
memory/112-1-0x0000000002A70000-0x0000000003A70000-memory.dmp

Filesize
16.0MB

Download
memory/112-2-0x0000000002A70000-0x0000000003A70000-memory.dmp

Filesize
16.0MB

Download
memory/112-4-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/112-5-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/112-0-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/1624-17-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1624-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1624-16-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1624-15-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1624-8-0x0000000004BF0000-0x0000000005BF0000-memory.dmp

Filesize
16.0MB

Download
memory/1624-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1624-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1624-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1624-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1624-10-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1624-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1624-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1624-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1624-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1624-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1624-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1624-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads