modiloader | 06f9fcebf04bd66784deac0850eba11825eab3340cd6903a5484fc09b6b6628e | Triage

Sharing

General

Target

Scandoc223.7z
Size

1.6MB
Sample

231128-cmt7bsed78
MD5

2a265b9c066417b25da375bd5c24f80a
SHA1

4d567644dc578a361ef11ae2608ffbae8d5035c9
SHA256

06f9fcebf04bd66784deac0850eba11825eab3340cd6903a5484fc09b6b6628e
SHA512

c3e24ab94cc8fe701f413fc972abf017bcb5b56fb5e6775800f37e51c3cb285bf7563ea24e10336aaf1b39d13ed7b14a11e5cc5108aca744380d8dccba1d56d3
SSDEEP

49152:fsevbHozCKAmcKuo3gYLdth0nLQ7FgY4RPjSmAdwx2X:kKMCKA5KZ37t+8iY4wnWA

Score

10^/10

modiloader remcos babbalog persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

babbalog

C2

mxzaa.duckdns.org:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
babaa
mouse_option
false
mutex
Rmc-17YJIC
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Scandoc223.exe
- Size
  
  2.2MB
- MD5
  
  b4d1178b1f8921d054f49d4d8028aa21
- SHA1
  
  6866038be6243a96fa92320dd7986371de4a1f02
- SHA256
  
  078d6702680b6e39f3d6062dac3b1477e71667f12dc0ea3c73a0446f16731af8
- SHA512
  
  6476f04a366d3c65ebf4a949aff64eae13e382cf701bc36299112b2d3b12e8faf92d250870bdb393159de93af258adfe3995435c0f74e561b8345c519e53cf44
- SSDEEP
  
  49152:JWPpH8yc0/wU2lpe63ZrxKrVEbRIqiPt41PFehg1mQmPoE:JCpcyV/wjpdZrxEVEtI14TqnLPoE
Score

10^/10

modiloader trojan remcos babbalog persistence rat
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- ModiLoader Second Stage
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

modiloadertrojan

behavioral2

modiloaderremcosbabbalogpersistencerattrojan