modiloader | 7530a6c1b0af5633319393a4658cccbe0f098b61ace0eb8c19f9d54201dca1ad

General

Target

7530a6c1b0af5633319393a4658cccbe0f098b61ace0eb8c19f9d54201dca1ad.img
Size

1.9MB
Sample

240320-ctkw8sed99
MD5

190289d0ddede637f0ac6f3782cec3a3
SHA1

8369635c92be1a222ea3683ef768b91865d57400
SHA256

7530a6c1b0af5633319393a4658cccbe0f098b61ace0eb8c19f9d54201dca1ad
SHA512

ca820cf0d8d719f2b54ae4037577cf288b7744596f7e84927dfbceb42faf26b239e4b21df9e1ac26265842e45f3e098356fdd39a51f46877e3b1b1b1fca62cc1
SSDEEP

24576:d16ftUKJqekypS2EBJYewl7+6izHE+lsx4sAXsd1AqVjxW7RXtLgiED+enxbIl:dAfgQvslHE+l4wgmNdtECebIl

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

172.245.208.13:4445

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-WKS19H
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  MACHINE SPECIFICATIONS.exe
- Size
  
  1.4MB
- MD5
  
  9a57df005b00ca4c9f0cd5f7a3d7e7e9
- SHA1
  
  63547644d4b7fe80f696bc8aae6f09830df81b64
- SHA256
  
  0168646bfeec864982cff43a4969ad4d0ab5e0df69cd27f7334fcf339f752e4c
- SHA512
  
  451b64d9798fdec6140b4ee919145d3b449aa88551d1ebfd4af3c4639191ce9075f2bc873cc4e6478d310b4e141c3a51d800f4a521d1bb37e45f752caafb3bc9
- SSDEEP
  
  24576:916ftUKJqekypS2EBJYewl7+6izHE+lsx4sAXsd1AqVjxW7RXtLgiED+enxbIl:9AfgQvslHE+l4wgmNdtECebIl
Score

10^/10

modiloader trojan remcos remotehost collection persistence rat
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
- Detects executables built or packed with MPress PE compressor
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- ModiLoader Second Stage
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2