modiloader | e53f9093901d793921b102b1cae2d87b2cf71c70e6995d2baabdb17190d33266 | Triage

Sharing

General

Target

eac95a52ac634d3ea75387201a2c749c.bin
Size

1.2MB
Sample

240405-cdbnmahh46
MD5

67741965ecf15044427d45d085cab05c
SHA1

85f6f3ef0346d4d5bd12e5d8c2feda16e9921dc1
SHA256

e53f9093901d793921b102b1cae2d87b2cf71c70e6995d2baabdb17190d33266
SHA512

f22edd066cf68eebdeb04d5c8b02fb2a41df976f7ccc11f814cbf1adccda10e8480a002fdff9d52ef059bd31c79f2a21669f04db8e00564f7426021c8598f455
SSDEEP

24576:givO2Fietz5Dv4eMGc1UmTZEUpcbqO0De59fKCTeyR3TVhChQvk:giFFPtzF47ZEUUqhDoXTtRJh9k

Score

10^/10

modiloader remcos remotehost persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

127.0.0.1:45671

127.0.0.1:55677

192.3.101.8:55677

192.3.101.8:45671

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-2P1XPK
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  f7f1798e3d66880f2cb35f6764a1c32902abb3ce7ceafe0bc049496ca9161e63.exe
- Size
  
  1.6MB
- MD5
  
  eac95a52ac634d3ea75387201a2c749c
- SHA1
  
  e808ef56d1b382b1e01e16af299a548cb038f52c
- SHA256
  
  f7f1798e3d66880f2cb35f6764a1c32902abb3ce7ceafe0bc049496ca9161e63
- SHA512
  
  6ae5883a1cb8aaa42abc0c8bbfeba2715086ec39ad2028937600b2c925b3093070a72531e4e5abf2d4dafb00bcbab8c2fd5f97aae590dd87645befc27701d346
- SSDEEP
  
  49152:ay6imwGhfj4GBT2z95Zw/L+gwnzFnwyuPTh:azimw4f8iSuD+g
Score

10^/10

modiloader trojan remcos remotehost persistence rat
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- ModiLoader Second Stage
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

modiloadertrojan

behavioral2

modiloaderremcosremotehostpersistencerattrojan