modiloader | 7c3ee63168ad6a482c01546202c85ab10c7b2196672bd42876b760f15ea96e05

General

Target

Swift Advise Copy.exe
Size

958KB
MD5

9f76e4b699ec8f679b9c4b6b8ecd2934
SHA1

21ddc6631488483d7fa891c02fabdda9accefbae
SHA256

7c3ee63168ad6a482c01546202c85ab10c7b2196672bd42876b760f15ea96e05
SHA512

94a9191217e8b9d38d9e17ec8f987e5fa644211803781b15ad512406b504031a6bbcf3205b67d98ee728cf65a274d2615f984a4f950fcd938519e11521a5884b
SSDEEP

12288:AfSx+FaMjOnJBReneIPcVCXGmBOVVrd4yABuAMQsWIUN2FELSvVeCs9axIeBnhnK:CkPMjOn/ieI37BOXZ5oiG2F02sInBhn

Score

10^/10

modiloader remcos remotehost persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

jaztc.duckdns.org:1808

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
sfsfdrgrre
mouse_option
false
mutex
Rmc-AJ5P19
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/4244-2-0x00000000028E0000-0x00000000038E0000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Whilkvom = "C:\\Users\\Public\\Whilkvom.url"	Swift Advise Copy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	29	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	31	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2676	cmd.exe
3300	colorcpl.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 4676	4244	Swift Advise Copy.exe	96
PID 4244 wrote to memory of 4676	4244	Swift Advise Copy.exe	96
PID 4244 wrote to memory of 4676	4244	Swift Advise Copy.exe	96
PID 4244 wrote to memory of 3468	4244	Swift Advise Copy.exe	97
PID 4244 wrote to memory of 3468	4244	Swift Advise Copy.exe	97
PID 4244 wrote to memory of 3468	4244	Swift Advise Copy.exe	97
PID 4244 wrote to memory of 2676	4244	Swift Advise Copy.exe	101
PID 4244 wrote to memory of 2676	4244	Swift Advise Copy.exe	101
PID 4244 wrote to memory of 2676	4244	Swift Advise Copy.exe	101
PID 4244 wrote to memory of 1752	4244	Swift Advise Copy.exe	103
PID 4244 wrote to memory of 1752	4244	Swift Advise Copy.exe	103
PID 4244 wrote to memory of 1752	4244	Swift Advise Copy.exe	103
PID 4244 wrote to memory of 3300	4244	Swift Advise Copy.exe	105
PID 4244 wrote to memory of 3300	4244	Swift Advise Copy.exe	105
PID 4244 wrote to memory of 3300	4244	Swift Advise Copy.exe	105
PID 4244 wrote to memory of 3300	4244	Swift Advise Copy.exe	105
PID 1752 wrote to memory of 3588	1752	cmd.exe	106
PID 1752 wrote to memory of 3588	1752	cmd.exe	106
PID 1752 wrote to memory of 3588	1752	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\Swift Advise Copy.exe
"C:\Users\Admin\AppData\Local\Temp\Swift Advise Copy.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Windows\SysWOW64\cmd.exe
  cmd /c mkdir "\\?\C:\Windows "
  2⤵
  PID:4676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c mkdir "\\?\C:\Windows \System32"
  2⤵
  PID:3468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Windows \System32\5911457.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  PID:2676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\Swift Advise Copy.exe C:\\Users\\Public\\Libraries\\Whilkvom.PIF
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\Swift Advise Copy.exe C:\\Users\\Public\\Libraries\\Whilkvom.PIF
    3⤵
    PID:3588
- C:\Windows\SysWOW64\colorcpl.exe
  C:\Windows\System32\colorcpl.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\sfsfdrgrre\logs.dat

Filesize
172B

MD5
1dabb8092dfa5c19a1da65e3b1bc388a

SHA1
a92cd614d2abe1cd87817ad9041a84de4d34408a

SHA256
ca56f1ee7837af4958fe0fd75753c662edf469c38eaf251c034ef78a55f86e84

SHA512
54b047cacb30bc4ffb4a256c88199b89c134d4b6d495928873f7233ae99fd7782aeb977f98b0ba33a3605eaece109717b81d014f4ebf3aca858311d900704ff2

Download Submit
C:\Windows \System32\5911457.exe

Filesize
116KB

MD5
ef43f3e84500f2528ff56b144c07c8a2

SHA1
f56579f77ad20ebea21025a215e6ffaf7637b3b4

SHA256
4e7d74a4890af9128e04c758d8e5fa9488ff22da64979725b26fcb0e8806e6f5

SHA512
a6c509bb881f2098460e24d8d9db5e8ed9900b3afa9e3a84752b550c41f3f367e875578abc4cf72a4fe313c03793426837e28886b5029e8d153613d38a3f7138

Download Submit
memory/3300-20-0x00000000012D0000-0x00000000022D0000-memory.dmp

Filesize
16.0MB

Download
memory/3300-22-0x00000000012D0000-0x00000000022D0000-memory.dmp

Filesize
16.0MB

Download
memory/3300-53-0x00000000012D0000-0x00000000022D0000-memory.dmp

Filesize
16.0MB

Download
memory/3300-12-0x00000000012D0000-0x00000000022D0000-memory.dmp

Filesize
16.0MB

Download
memory/3300-15-0x00000000012D0000-0x00000000022D0000-memory.dmp

Filesize
16.0MB

Download
memory/3300-16-0x00000000012D0000-0x00000000022D0000-memory.dmp

Filesize
16.0MB

Download
memory/3300-17-0x00000000012D0000-0x00000000022D0000-memory.dmp

Filesize
16.0MB

Download
memory/3300-18-0x00000000012D0000-0x00000000022D0000-memory.dmp

Filesize
16.0MB

Download
memory/3300-52-0x00000000012D0000-0x00000000022D0000-memory.dmp

Filesize
16.0MB

Download
memory/3300-45-0x00000000012D0000-0x00000000022D0000-memory.dmp

Filesize
16.0MB

Download
memory/3300-44-0x00000000012D0000-0x00000000022D0000-memory.dmp

Filesize
16.0MB

Download
memory/3300-28-0x00000000012D0000-0x00000000022D0000-memory.dmp

Filesize
16.0MB

Download
memory/3300-29-0x00000000012D0000-0x00000000022D0000-memory.dmp

Filesize
16.0MB

Download
memory/3300-36-0x00000000012D0000-0x00000000022D0000-memory.dmp

Filesize
16.0MB

Download
memory/3300-37-0x00000000012D0000-0x00000000022D0000-memory.dmp

Filesize
16.0MB

Download
memory/4244-1-0x00000000028E0000-0x00000000038E0000-memory.dmp

Filesize
16.0MB

Download
memory/4244-4-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/4244-0-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/4244-2-0x00000000028E0000-0x00000000038E0000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads