modiloader | fe0cbe46b1c846b98e6e7bc36fc46aac22d50e82aa1aecfebca6769be007a575

General

Target

fe0cbe46b1c846b98e6e7bc36fc46aac22d50e82aa1aecfebca6769be007a575
Size

928KB
Sample

240419-fvsv1saf9w
MD5

423e184767e7aa6c86106611b2061d6a
SHA1

7faaf51dc57afeff5924f04231f0bcf2f859aa54
SHA256

fe0cbe46b1c846b98e6e7bc36fc46aac22d50e82aa1aecfebca6769be007a575
SHA512

e6ccb5238c1ecfcf8e349e1f7cf060594309104701a34686b914a46545ef68002d2b5e3a076b1aba605d5faff3a875e5206f08bc7bd9eb86375a85328d9d19bf
SSDEEP

24576:nvIUBqyyF1eovgDUYlEz0QjZe6y/+0yM:vIUcYlQ7jI68x

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

JONS

C2

172.245.208.13:4445

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-R7QS5C
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  fe0cbe46b1c846b98e6e7bc36fc46aac22d50e82aa1aecfebca6769be007a575
- Size
  
  928KB
- MD5
  
  423e184767e7aa6c86106611b2061d6a
- SHA1
  
  7faaf51dc57afeff5924f04231f0bcf2f859aa54
- SHA256
  
  fe0cbe46b1c846b98e6e7bc36fc46aac22d50e82aa1aecfebca6769be007a575
- SHA512
  
  e6ccb5238c1ecfcf8e349e1f7cf060594309104701a34686b914a46545ef68002d2b5e3a076b1aba605d5faff3a875e5206f08bc7bd9eb86375a85328d9d19bf
- SSDEEP
  
  24576:nvIUBqyyF1eovgDUYlEz0QjZe6y/+0yM:vIUcYlQ7jI68x
Score

10^/10

modiloader trojan remcos jons collection persistence rat spyware stealer
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
- Detects executables built or packed with MPress PE compressor
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- ModiLoader Second Stage
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2