modiloader | 3d3b84fce2eb18eaf184889627e9c4edb37daaa1fd28da7fffacf1869b3db93a

General

Target

PI and payment confirmed pdf.exe
Size

1.7MB
MD5

3d32d7f783925e54c44b19ad8167ae1f
SHA1

52f65cc9aad1b8add5e9716e0aa75a6acf95c5da
SHA256

3d3b84fce2eb18eaf184889627e9c4edb37daaa1fd28da7fffacf1869b3db93a
SHA512

9d647164b3749918afd7bedc9ac92cbe5a9c6222312f02bf547a426ef0194aeef51e6563a7688c391ee215eefffa742b2abab9011e712ddaf4aacfea9b0026bb
SSDEEP

24576:nwHjAU/NotOHNgMF6iKzAnMWZ9pFH749LgIv0dd87/lpvwHsexpJd3kg4eai:nwx/AiKsd7AZv0bmvwv7jmi

Score

10^/10

modiloader remcos remotehost persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

newpage44.mywire.org:5010

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
adode.exe
copy_folder
Skype
delete_file
true
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%Temp%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-3N0E9G
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1556-2-0x0000000002990000-0x0000000003990000-memory.dmp	modiloader_stage2
behavioral2/memory/4588-43-0x0000000002830000-0x0000000003830000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PI and payment confirmed pdf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	PI and payment confirmed pdf.exe

Deletes itself 1 IoCs

Processes:

adode.exe

pid process

4588 adode.exe
Executes dropped EXE 1 IoCs

Processes:

adode.exe

pid process

4588 adode.exe

pid	process
4588	adode.exe

pid	process
4588	adode.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

PI and payment confirmed pdf.exeadode.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bebseibx = "C:\\Users\\Public\\Bebseibx.url"	PI and payment confirmed pdf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-3N0E9G = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Skype\\adode.exe\""	PI and payment confirmed pdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-3N0E9G = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Skype\\adode.exe\""	PI and payment confirmed pdf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-3N0E9G = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Skype\\adode.exe\""	adode.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-3N0E9G = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Skype\\adode.exe\""	adode.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

PI and payment confirmed pdf.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PI and payment confirmed pdf.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	48	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	50	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	58	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	60	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

adode.exe

pid process

4588 adode.exe

pid	process
4588	adode.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

PI and payment confirmed pdf.exe

description	pid	process	target process
PID 1556 wrote to memory of 1016	1556	PI and payment confirmed pdf.exe	extrac32.exe
PID 1556 wrote to memory of 1016	1556	PI and payment confirmed pdf.exe	extrac32.exe
PID 1556 wrote to memory of 1016	1556	PI and payment confirmed pdf.exe	extrac32.exe
PID 1556 wrote to memory of 4588	1556	PI and payment confirmed pdf.exe	adode.exe
PID 1556 wrote to memory of 4588	1556	PI and payment confirmed pdf.exe	adode.exe
PID 1556 wrote to memory of 4588	1556	PI and payment confirmed pdf.exe	adode.exe

C:\Users\Admin\AppData\Local\Temp\PI and payment confirmed pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PI and payment confirmed pdf.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\extrac32.exe
C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\PI and payment confirmed pdf.exe C:\\Users\\Public\\Libraries\\Bebseibx.PIF
2⤵
PID:1016

C:\Users\Admin\AppData\Local\Temp\Skype\adode.exe
"C:\Users\Admin\AppData\Local\Temp\Skype\adode.exe"
2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4588

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
b1a1b13225ed84231e5fe428057606df

SHA1
18fd53fa39b1e2ac1431d24025491e0e0fee85a8

SHA256
dfa1dc658b7bf9def4f9fed75ef686ddd6cb20249fb3742715b9fcf59905c6ef

SHA512
f75573452ebaaa9776267face2d24cce7538d1faf9958e0686c558f33baa0dbecca40960b77bfacd3ea573ad557638b7c7386262f3710c63aa15a3fc7fc347de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Skype\adode.exe
Filesize
1.7MB

MD5
3d32d7f783925e54c44b19ad8167ae1f

SHA1
52f65cc9aad1b8add5e9716e0aa75a6acf95c5da

SHA256
3d3b84fce2eb18eaf184889627e9c4edb37daaa1fd28da7fffacf1869b3db93a

SHA512
9d647164b3749918afd7bedc9ac92cbe5a9c6222312f02bf547a426ef0194aeef51e6563a7688c391ee215eefffa742b2abab9011e712ddaf4aacfea9b0026bb

Download Submit
memory/1556-0-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/1556-1-0x0000000002990000-0x0000000003990000-memory.dmp

Filesize
16.0MB

Download
memory/1556-2-0x0000000002990000-0x0000000003990000-memory.dmp

Filesize
16.0MB

Download
memory/1556-4-0x0000000000400000-0x00000000005BC000-memory.dmp

Filesize
1.7MB

Download
memory/4588-50-0x0000000014C60000-0x0000000015C60000-memory.dmp

Filesize
16.0MB

Download
memory/4588-67-0x0000000014C60000-0x0000000015C60000-memory.dmp

Filesize
16.0MB

Download
memory/4588-46-0x0000000014C60000-0x0000000015C60000-memory.dmp

Filesize
16.0MB

Download
memory/4588-48-0x0000000014C60000-0x0000000015C60000-memory.dmp

Filesize
16.0MB

Download
memory/4588-43-0x0000000002830000-0x0000000003830000-memory.dmp

Filesize
16.0MB

Download
memory/4588-52-0x0000000014C60000-0x0000000015C60000-memory.dmp

Filesize
16.0MB

Download
memory/4588-59-0x0000000014C60000-0x0000000015C60000-memory.dmp

Filesize
16.0MB

Download
memory/4588-60-0x0000000014C60000-0x0000000015C60000-memory.dmp

Filesize
16.0MB

Download
memory/4588-41-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/4588-45-0x0000000000400000-0x00000000005BC000-memory.dmp

Filesize
1.7MB

Download
memory/4588-69-0x0000000014C60000-0x0000000015C60000-memory.dmp

Filesize
16.0MB

Download
memory/4588-77-0x0000000014C60000-0x0000000015C60000-memory.dmp

Filesize
16.0MB

Download
memory/4588-78-0x0000000014C60000-0x0000000015C60000-memory.dmp

Filesize
16.0MB

Download
memory/4588-85-0x0000000014C60000-0x0000000015C60000-memory.dmp

Filesize
16.0MB

Download
memory/4588-86-0x0000000014C60000-0x0000000015C60000-memory.dmp

Filesize
16.0MB

Download
memory/4588-94-0x0000000014C60000-0x0000000015C60000-memory.dmp

Filesize
16.0MB

Download
memory/4588-95-0x0000000014C60000-0x0000000015C60000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads