modiloader | ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350

General

Target

ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
Size

1.3MB
MD5

44aaef046aa99bfb6520d7b0b1fb758b
SHA1

d9649c6a5eb45805ad1d21cca7bd3f05830c5235
SHA256

ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350
SHA512

919fb01b986172932e5d3f042450489535f9def2273a4f95c701306d44bbe2f6aea36a064366b3b5043b85f5b4b1b562c89e594bb3ba631081df889553f2c740
SSDEEP

24576:EJWUid5kZHYX+fEHxniHBvag2ZCMVAgfM:EJ05aYt4dcsMVAgfM

Score

10^/10

modiloader remcos remotehost persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

127.0.0.1:47212

officerem.duckdns.org:47212

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-I8N3XG
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2380-2-0x00000000030A0000-0x00000000040A0000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

Processes:

8908085.exe8908085.exe

pid process

328 8908085.exe
1296 8908085.exe

pid	process
328	8908085.exe
1296	8908085.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wcbdytqr = "C:\\Users\\Public\\Wcbdytqr.url"	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 4 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of FindShellTrayWindow 30 IoCs

Processes:

ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe

pid	process
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe

Suspicious use of SendNotifyMessage 30 IoCs

Processes:

ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe

pid	process
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SndVol.exe

pid process

1644 SndVol.exe

pid	process
1644	SndVol.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe

description	pid	process	target process
PID 2380 wrote to memory of 2196	2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe	cmd.exe
PID 2380 wrote to memory of 2196	2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe	cmd.exe
PID 2380 wrote to memory of 2196	2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe	cmd.exe
PID 2380 wrote to memory of 2196	2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe	cmd.exe
PID 2380 wrote to memory of 2464	2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe	cmd.exe
PID 2380 wrote to memory of 2464	2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe	cmd.exe
PID 2380 wrote to memory of 2464	2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe	cmd.exe
PID 2380 wrote to memory of 2464	2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe	cmd.exe
PID 2380 wrote to memory of 3012	2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe	cmd.exe
PID 2380 wrote to memory of 3012	2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe	cmd.exe
PID 2380 wrote to memory of 3012	2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe	cmd.exe
PID 2380 wrote to memory of 3012	2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe	cmd.exe
PID 2380 wrote to memory of 1736	2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe	extrac32.exe
PID 2380 wrote to memory of 1736	2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe	extrac32.exe
PID 2380 wrote to memory of 1736	2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe	extrac32.exe
PID 2380 wrote to memory of 1736	2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe	extrac32.exe
PID 2380 wrote to memory of 1644	2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe	SndVol.exe
PID 2380 wrote to memory of 1644	2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe	SndVol.exe
PID 2380 wrote to memory of 1644	2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe	SndVol.exe
PID 2380 wrote to memory of 1644	2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe	SndVol.exe
PID 2380 wrote to memory of 1644	2380	ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe	SndVol.exe

C:\Users\Admin\AppData\Local\Temp\ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe
"C:\Users\Admin\AppData\Local\Temp\ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe"
1⤵
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2380

C:\Windows\SysWOW64\cmd.exe
cmd /c mkdir "\\?\C:\Windows "
2⤵
PID:2196

C:\Windows\SysWOW64\cmd.exe
cmd /c mkdir "\\?\C:\Windows \System32"
2⤵
PID:2464

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Windows \System32\8908085.exe"
2⤵
PID:3012

C:\Windows \System32\8908085.exe
"C:\Windows \System32\8908085.exe"
3⤵
- Executes dropped EXE
PID:328

C:\Windows \System32\8908085.exe
"C:\Windows \System32\8908085.exe"
3⤵
- Executes dropped EXE
PID:1296

C:\Windows\SysWOW64\extrac32.exe
C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\ae13dba25a62c3ecaf7bf4629ed726dcbb8528f6b6c6a4c7c37efefc17d93350.exe C:\\Users\\Public\\Libraries\\Wcbdytqr.PIF
2⤵
PID:1736

C:\Windows\SysWOW64\SndVol.exe
C:\Windows\System32\SndVol.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
b621a740f8341e67a046e52553e256b6

SHA1
ea2c80fd7b938509ce6d5713af39253d86f9c053

SHA256
8ece0481e839e7afe91b6d3230d93b935da0eb99350efa2105730105236592cd

SHA512
063a94f9bed12f39ff1217297a41d45520659cc9ef18694f78252d33b14bf652b8b4a1acf0b1b3ef6dc19ffc55b8ea38d61d3d421d71f0d29224e36b00f397f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA58A.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Windows \System32\8908085.exe

Filesize
128KB

MD5
231ce1e1d7d98b44371ffff407d68b59

SHA1
25510d0f6353dbf0c9f72fc880de7585e34b28ff

SHA256
30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96

SHA512
520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

Download Submit
C:\Windows \System32\8908085.exe

Filesize
68KB

MD5
ed3540f212402b026170cadf5dce2da1

SHA1
5a66e9d91c626e4d22c1349352b7ef12bf464afe

SHA256
3f45a021b129cd4c3ec6fad0cb06275e0c6f6614e5a6023d3f7d2d3cbd5bbd10

SHA512
3acb6686b9c43b24dd1a9f3f12e065000b9150a7266beba7d0b17e10baf87981089fa9a993310320e8f046c6e8e0d72b6c1a7f8031923d07144502d78a963518

Download Submit
memory/1644-87-0x0000000000410000-0x0000000001410000-memory.dmp

Filesize
16.0MB

Download
memory/1644-89-0x0000000000410000-0x0000000001410000-memory.dmp

Filesize
16.0MB

Download
memory/1644-116-0x0000000000410000-0x0000000001410000-memory.dmp

Filesize
16.0MB

Download
memory/1644-115-0x0000000000410000-0x0000000001410000-memory.dmp

Filesize
16.0MB

Download
memory/1644-83-0x0000000000410000-0x0000000001410000-memory.dmp

Filesize
16.0MB

Download
memory/1644-85-0x0000000000410000-0x0000000001410000-memory.dmp

Filesize
16.0MB

Download
memory/1644-86-0x0000000000410000-0x0000000001410000-memory.dmp

Filesize
16.0MB

Download
memory/1644-107-0x0000000000410000-0x0000000001410000-memory.dmp

Filesize
16.0MB

Download
memory/1644-88-0x0000000000410000-0x0000000001410000-memory.dmp

Filesize
16.0MB

Download
memory/1644-100-0x0000000000410000-0x0000000001410000-memory.dmp

Filesize
16.0MB

Download
memory/1644-91-0x0000000000410000-0x0000000001410000-memory.dmp

Filesize
16.0MB

Download
memory/1644-92-0x0000000000410000-0x0000000001410000-memory.dmp

Filesize
16.0MB

Download
memory/1644-93-0x0000000000410000-0x0000000001410000-memory.dmp

Filesize
16.0MB

Download
memory/1644-97-0x0000000000410000-0x0000000001410000-memory.dmp

Filesize
16.0MB

Download
memory/1644-99-0x0000000000410000-0x0000000001410000-memory.dmp

Filesize
16.0MB

Download
memory/2380-4-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2380-1-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/2380-0-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2380-2-0x00000000030A0000-0x00000000040A0000-memory.dmp

Filesize
16.0MB

Download
memory/3012-67-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads