modiloader | ae39d4665f3d31c1fe4f380c446519d4bb25314267c9c2a61605d2313a76d5b7

General

Target

FACT09865456000900[1].exe
Size

865KB
MD5

1b10d3892be9b8ec9321453186a37807
SHA1

30ebf57646c9f614e332cc8d91652ad9f6f9cda2
SHA256

ae39d4665f3d31c1fe4f380c446519d4bb25314267c9c2a61605d2313a76d5b7
SHA512

2528b47115e96c434b02e70c5997d86cd7f31e178a0883627caa0577b32961fc4ef1a4ce32f5af6aeda37ea5bcf5e65749d6c0f532955133e1a3bc823093a7c4
SSDEEP

24576:118acXroMvoMpaUkd72Ez0QjZe6y/+0y:1Sx2572Q7jI68

Score

10^/10

modiloader remcos remotehost collection persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

107.175.229.139:8087

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-TLPQMO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/832-2-0x00000000029E0000-0x00000000039E0000-memory.dmp	modiloader_stage2

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/1124-34-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/1124-38-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/3940-33-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/3940-44-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1124-34-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/3940-33-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/3244-37-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/1124-38-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/3244-42-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/3940-44-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

SndVol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	SndVol.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

FACT09865456000900[1].exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gpzfmkfb = "C:\\Users\\Public\\Gpzfmkfb.url"	FACT09865456000900[1].exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

SndVol.exe

description	pid	process	target process
PID 1296 set thread context of 3940	1296	SndVol.exe	SndVol.exe
PID 1296 set thread context of 1124	1296	SndVol.exe	SndVol.exe
PID 1296 set thread context of 3244	1296	SndVol.exe	SndVol.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1664 1296 WerFault.exe SndVol.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 17 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	pid_target	process	target process
1664	1296	WerFault.exe	SndVol.exe

description	flow	ioc
HTTP User-Agent header	17	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

FACT09865456000900[1].exeSndVol.exeSndVol.exe

pid	process
832	FACT09865456000900[1].exe
832	FACT09865456000900[1].exe
3940	SndVol.exe
3940	SndVol.exe
3244	SndVol.exe
3244	SndVol.exe
3940	SndVol.exe
3940	SndVol.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

SndVol.exe

pid process

1296 SndVol.exe
1296 SndVol.exe
1296 SndVol.exe
1296 SndVol.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SndVol.exe

description pid process

Token: SeDebugPrivilege 3244 SndVol.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

SndVol.exe

pid process

1296 SndVol.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

SndVol.exe

pid process

1296 SndVol.exe
1296 SndVol.exe

pid	process
1296	SndVol.exe
1296	SndVol.exe
1296	SndVol.exe
1296	SndVol.exe

description	pid	process
Token: SeDebugPrivilege	3244	SndVol.exe

pid	process
1296	SndVol.exe

pid	process
1296	SndVol.exe
1296	SndVol.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

FACT09865456000900[1].exeSndVol.exe

description	pid	process	target process
PID 832 wrote to memory of 3156	832	FACT09865456000900[1].exe	extrac32.exe
PID 832 wrote to memory of 3156	832	FACT09865456000900[1].exe	extrac32.exe
PID 832 wrote to memory of 3156	832	FACT09865456000900[1].exe	extrac32.exe
PID 832 wrote to memory of 1296	832	FACT09865456000900[1].exe	SndVol.exe
PID 832 wrote to memory of 1296	832	FACT09865456000900[1].exe	SndVol.exe
PID 832 wrote to memory of 1296	832	FACT09865456000900[1].exe	SndVol.exe
PID 832 wrote to memory of 1296	832	FACT09865456000900[1].exe	SndVol.exe
PID 1296 wrote to memory of 2836	1296	SndVol.exe	SndVol.exe
PID 1296 wrote to memory of 2836	1296	SndVol.exe	SndVol.exe
PID 1296 wrote to memory of 2836	1296	SndVol.exe	SndVol.exe
PID 1296 wrote to memory of 3940	1296	SndVol.exe	SndVol.exe
PID 1296 wrote to memory of 3940	1296	SndVol.exe	SndVol.exe
PID 1296 wrote to memory of 3940	1296	SndVol.exe	SndVol.exe
PID 1296 wrote to memory of 3940	1296	SndVol.exe	SndVol.exe
PID 1296 wrote to memory of 1124	1296	SndVol.exe	SndVol.exe
PID 1296 wrote to memory of 1124	1296	SndVol.exe	SndVol.exe
PID 1296 wrote to memory of 1124	1296	SndVol.exe	SndVol.exe
PID 1296 wrote to memory of 1124	1296	SndVol.exe	SndVol.exe
PID 1296 wrote to memory of 3244	1296	SndVol.exe	SndVol.exe
PID 1296 wrote to memory of 3244	1296	SndVol.exe	SndVol.exe
PID 1296 wrote to memory of 3244	1296	SndVol.exe	SndVol.exe
PID 1296 wrote to memory of 3244	1296	SndVol.exe	SndVol.exe

C:\Users\Admin\AppData\Local\Temp\FACT09865456000900[1].exe
"C:\Users\Admin\AppData\Local\Temp\FACT09865456000900[1].exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\extrac32.exe
C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\FACT09865456000900[1].exe C:\\Users\\Public\\Libraries\\Gpzfmkfb.PIF
2⤵
PID:3156

C:\Windows\SysWOW64\SndVol.exe
C:\Windows\System32\SndVol.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\SysWOW64\SndVol.exe
C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\Admin\AppData\Local\Temp\azxydzmmqaepqjjehgcgupxb"
3⤵
PID:2836

C:\Windows\SysWOW64\SndVol.exe
C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\Admin\AppData\Local\Temp\azxydzmmqaepqjjehgcgupxb"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3940

C:\Windows\SysWOW64\SndVol.exe
C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\Admin\AppData\Local\Temp\cbcjejwgmiwusxfiyrxzfcssxvuo"
3⤵
- Accesses Microsoft Outlook accounts
PID:1124

C:\Windows\SysWOW64\SndVol.exe
C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\Admin\AppData\Local\Temp\nvqbfchiaqohddtmibkbqhebgbmxzyf"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 1772
3⤵
- Program crash
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1296 -ip 1296
1⤵
PID:1992

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\azxydzmmqaepqjjehgcgupxb
Filesize
4KB

MD5
fc8ceff5210efa58594c67ed8f49a824

SHA1
dba98c98becbdf81f623cdca6cd0a993022fe6cd

SHA256
778b7d5b90428961459c82e9881fe0fece78424d6301eb0720a96f100511f599

SHA512
c3b24fe5f5ba39174528ffc05544da6f22ac6aef2cac923ad139c0d044989873e004f9f5018cc0cc6847b5878f5aee96d6de823c860ac54a0fc67ff8d2d89cd1

Download Submit
memory/832-1-0x00000000029E0000-0x00000000039E0000-memory.dmp

Filesize
16.0MB

Download
memory/832-2-0x00000000029E0000-0x00000000039E0000-memory.dmp

Filesize
16.0MB

Download
memory/832-4-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/832-0-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1124-26-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1124-38-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1124-34-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1124-31-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1296-14-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1296-55-0x0000000002BF0000-0x0000000003BF0000-memory.dmp

Filesize
16.0MB

Download
memory/1296-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1296-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1296-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1296-56-0x0000000016570000-0x0000000016589000-memory.dmp

Filesize
100KB

Download
memory/1296-18-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1296-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1296-51-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1296-17-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1296-16-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1296-49-0x0000000016570000-0x0000000016589000-memory.dmp

Filesize
100KB

Download
memory/1296-46-0x0000000016570000-0x0000000016589000-memory.dmp

Filesize
100KB

Download
memory/1296-12-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1296-9-0x0000000002BF0000-0x0000000003BF0000-memory.dmp

Filesize
16.0MB

Download
memory/3244-42-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3244-35-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3244-37-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3244-29-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3940-44-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3940-33-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3940-28-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3940-24-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads