modiloader | 56885ee5ea8c61dd83cdb3433c0e17f3573002a42b2f113b750db32d67205ba6 | Triage

Sharing

General

Target

56885ee5ea8c61dd83cdb3433c0e17f3573002a42b2f113b750db32d67205ba6
Size

1.2MB
Sample

240415-krhyvsda4x
MD5

3147ba694f2ec3ec854dedd232bb0929
SHA1

ed91a0da43fe608ef74783b7a0f44c52652d2a01
SHA256

56885ee5ea8c61dd83cdb3433c0e17f3573002a42b2f113b750db32d67205ba6
SHA512

1407017c08a8679975d0abd19448160be846b8eba8c9395361c82434f46e7426ded3e053cda7fb8a111828f1cbd4a99d74daff017b9c7677928c045d8471bd3a
SSDEEP

24576:lAPrWz/vNpBRl7Dpk2GpHjdACJ8ixSKR8S:aYtfaHjdhJ8ixSU

Score

10^/10

modiloader remcos remotehost persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

showlove24.duckdns.org:2500

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-2EZOQ2
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  56885ee5ea8c61dd83cdb3433c0e17f3573002a42b2f113b750db32d67205ba6
- Size
  
  1.2MB
- MD5
  
  3147ba694f2ec3ec854dedd232bb0929
- SHA1
  
  ed91a0da43fe608ef74783b7a0f44c52652d2a01
- SHA256
  
  56885ee5ea8c61dd83cdb3433c0e17f3573002a42b2f113b750db32d67205ba6
- SHA512
  
  1407017c08a8679975d0abd19448160be846b8eba8c9395361c82434f46e7426ded3e053cda7fb8a111828f1cbd4a99d74daff017b9c7677928c045d8471bd3a
- SSDEEP
  
  24576:lAPrWz/vNpBRl7Dpk2GpHjdACJ8ixSKR8S:aYtfaHjdhJ8ixSU
Score

10^/10

modiloader trojan remcos remotehost persistence rat
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- ModiLoader Second Stage
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

modiloadertrojan

behavioral2

modiloaderremcosremotehostpersistencerattrojan