modiloader | cd3fc3c2f568078a39ef90d27ef4d5d05802320453bfd4f26f18660ff737b60d | Triage

Sharing

General

Target

Quotation .tar.gz
Size

479KB
Sample

240416-myek5aad6x
MD5

3bef3aa08aadabe44e59fbd300436816
SHA1

7f08a811df938e086e39b11752602035a198e1a9
SHA256

cd3fc3c2f568078a39ef90d27ef4d5d05802320453bfd4f26f18660ff737b60d
SHA512

3449146dc5919177cc5180f776cc8c0b13f2f4f8cc25e7bf5e0cd6a7654ee362dbaf104bc4fb8802cafc0887060290069e2a21ec02c55e0acaeb169db0108c62
SSDEEP

12288:IR55D2rnCa3Ik1tPkY7nnvdD5rAD2MXr3se2J:UHaYkTkY7nnTkDDXQeu

Score

10^/10

modiloader remcos remotehost persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

127.0.0.1:47212

officerem.duckdns.org:47212

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-I8N3XG
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Quotation 20241604.exe
- Size
  
  1.1MB
- MD5
  
  796760cabed4c643ed34db0d822178bc
- SHA1
  
  56c25e1bb87fc846df47a5c2e600505005ba45c5
- SHA256
  
  adb32d26a19fa865d1cbca27c886d8a497140db449813eee08e26c8a30b0f71d
- SHA512
  
  94fe964e6b539ef90337d14bbb335c076c244c0719fbd1dc7ba611b1456ba3327832f1792f67b971aaaf0530eaa99309e93b53170465cb0c00d67e8557126cf3
- SSDEEP
  
  24576:0JIq+wADGZYx4t/yVrQ9JO85sfip46OV/b7Dnjv:eNAXCSfs8V/b7bjv
Score

10^/10

modiloader remcos remotehost persistence rat trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- ModiLoader Second Stage
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

modiloaderremcosremotehostpersistencerattrojan

behavioral2

modiloaderremcosremotehostpersistencerattrojan