modiloader | 5813d9dc8983ee0cf64bbe25d9f723360531b9be4ece522114bdf6868d15058d | Triage

Sharing

Copy URL Twitter E-mail

General

Target

9a392f1615ee57504b13326609b85798.bin
Size

1.7MB
Sample

231105-c8l3vabh32
MD5

a7aa9b7f1688398799c979589d2a331d
SHA1

29695a61383786989ac798bdb6f2bd852c8ee710
SHA256

5813d9dc8983ee0cf64bbe25d9f723360531b9be4ece522114bdf6868d15058d
SHA512

b16c57f2f0a8278d1af43d101e144a05bc090296c206092d94ea21f2ad7e7f35b2289b20a877f273e2da69ac3835a7597f1436c89d0f221e7e484b64210c3f16
SSDEEP

49152:E99dcSFDOkVfEeRITpAechwWBeWMq5v6I9EQSQp:W7HxtVfxITp5chrFMq5v6gEQSI

Score

10^/10

modiloader remcos remotehost persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

127.0.0.1:49539

127.0.0.1:45944

94.156.66.37:45944

94.156.66.37:49539

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-PGGU3W
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  39b4aba5e8641981ee7c36537c71403e038895c5699f172498fb99f51f994b85.exe
- Size
  
  2.3MB
- MD5
  
  9a392f1615ee57504b13326609b85798
- SHA1
  
  c7c949b3157bc1494edd91ebbaf36d663d06e27c
- SHA256
  
  39b4aba5e8641981ee7c36537c71403e038895c5699f172498fb99f51f994b85
- SHA512
  
  f148acb4efe969000c97a092b3788612685ff65d3d30c19e6d01e41c2e4a42e90994bcdbd05d0fc0a3d803c58e0d7f839caf9ee3f4b138f38f78ac92d17142f3
- SSDEEP
  
  24576:IZvkwR6rJQo6sObXVFvGkpyct5iWHANjQyedWlRfTDvxGl3/TVK/xEgGz20w69cH:IPrFvGkpy2glNjQyewXk/gCl9
Score

10^/10

modiloader trojan remcos remotehost persistence rat
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- ModiLoader Second Stage
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

modiloadertrojan

behavioral2

modiloaderremcosremotehostpersistencerattrojan