modiloader | 85281089eca57c6c3783afeefc58d04d8993001c9cba1f04849f4ce94f8b9d7d | Triage

Sharing

Copy URL Twitter E-mail

General

Target

033782718278172.exe
Size

1.5MB
Sample

240307-v7wj1aha45
MD5

71f18058ae74f689354e586ef0a09816
SHA1

2f47a44ff2f58b6c32dbca0a62a6c4a0927522a2
SHA256

85281089eca57c6c3783afeefc58d04d8993001c9cba1f04849f4ce94f8b9d7d
SHA512

0b5b92569b207a0bad154472e3a575f4e7eebaad2503917892c02be37f1b220d591f954dc0ef145c7fe3cce266faa32cc31f0d074baa616b4516cfd92a6d1e16
SSDEEP

24576:W4+ufew4vRRm5JjP++3hDSpLHnT3s++Gg0w38LzAqSSiKLWWW0GCdZ:W46wVEpLnE3+8Giy5W8X

Score

10^/10

modiloader remcos remotehost persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

newpage44.mywire.org:5010

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
skype.exe
copy_folder
skype
delete_file
true
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%WinDir%\System32
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-RKZKPL
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  033782718278172.exe
- Size
  
  1.5MB
- MD5
  
  71f18058ae74f689354e586ef0a09816
- SHA1
  
  2f47a44ff2f58b6c32dbca0a62a6c4a0927522a2
- SHA256
  
  85281089eca57c6c3783afeefc58d04d8993001c9cba1f04849f4ce94f8b9d7d
- SHA512
  
  0b5b92569b207a0bad154472e3a575f4e7eebaad2503917892c02be37f1b220d591f954dc0ef145c7fe3cce266faa32cc31f0d074baa616b4516cfd92a6d1e16
- SSDEEP
  
  24576:W4+ufew4vRRm5JjP++3hDSpLHnT3s++Gg0w38LzAqSSiKLWWW0GCdZ:W46wVEpLnE3+8Giy5W8X
Score

10^/10

modiloader trojan remcos remotehost persistence rat
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- ModiLoader Second Stage
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

modiloadertrojan

behavioral2

modiloaderremcosremotehostpersistencerattrojan