General

  • Target: Ref-OTR-02811853280324992230.Tar
  • Size: 1.2MB
  • Sample: 240419-z1y4rsff97
  • MD5: 6f4d48e8eb489eb5b7343015dc00dd3a
  • SHA1: 0be25a82493ab11ad8dd83318f74d363b0fb27f7
  • SHA256: 62f600400e1d03e8e9abe44fc8fd40100fc9bbd4eeb55ac03de7f6d1ed2d9771
  • SHA512: 95d5bd9ca4cb1d174232cee2c7621ab638fb45dabc8503055da1edb31ffeb3402dc4f364912eeff7baaa2c61ed63478265c8f1fc8b5d557cfce73ede0e183b2e
  • SSDEEP: 12288:62M1Hhkc6bYfsiBq8rI7gti8POOS5a9FWGk4vozUNMHPn0ezCgueiDrqOsykr2Cy:6B16cEiw8k7gtI/pLzhv0DUr2Ch9ztpC

Malware Config

Extracted

  • Family: remcos
  • Botnet: RemoteHost
  • C2:
    104.254.90.251:20990
    141.98.101.133:20990
    199.249.230.27:20990
    213.152.161.30:20990
    128.127.104.80:20990

Attributes

  • audio_folder: MicRecords
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • keylog_crypt: false
  • keylog_file: log.dat
  • keylog_flag: false
  • keylog_folder: Services
  • keylog_path: %AppData%
  • mouse_option: false
  • mutex: -EK73GW
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: image
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • startup_value: (empty)
  • take_screenshot_option: false
  • take_screenshot_time: 5
  • take_screenshot_title: Gemini;banking;online;secure;digital;crypto;card;bitcoin;coin;bank;checkout;pay;personal;mastercard;visa;wallet;paypal;admin;blockchain;coinbase;transaction;confidential;recover;recovery;phrase;key;bit;ethereum;WhatsApp;transfer;sign;wire;login;credit card;paypal;account information;bank;deposit;creditcard;debitcard;wire,wiretransfer;statementofaccount;purchaseorder;phonenumber;payment;wallet;cheque;

Targets

  • Target: Ref-OTR-02811853280324992230.CMD
  • Size: 1.2MB
  • MD5: 42ed296028e6834ed96586dfc820da02
  • SHA1: 1794d672ee43a8180a09c3a0549d770aa2442cf4
  • SHA256: 2a24851c378f0a1a2a2b2c38d47872ce54763c1d692010ad8fad4ad1c5b1a42e
  • SHA512: ab810148ae2c9710689273c58edcf8bf9b05a530b7441c328a2dc08abc4f403790c5e3b4afc8c0ad963d24ccc9d443fd4485b0dfc7da7da42b28d1ef6f6c5f05
  • SSDEEP: 12288:W2M1Hhkc6bYfsiBq8rI7gti8POOS5a9FWGk4vozUNMHPn0ezCgueiDrqOsykr2Cw:WB16cEiw8k7gtI/pLzhv0DUr2Ch9ztp

  • ModiLoader, DBatLoader
    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  • Remcos
    Remcos is a closed-source remote control and surveillance software.
  • ModiLoader Second Stage
  • Executes dropped EXE
  • Loads dropped DLL
  • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    T1547 Boot or Logon Autostart Execution (1)
    T1547.001 Registry Run Keys / Startup Folder (1)
  • Privilege Escalation
    T1547 Boot or Logon Autostart Execution (1)
    T1547.001 Registry Run Keys / Startup Folder (1)
  • Defense Evasion
    T1112 Modify Registry (1)
  • Discovery
    T1012 Query Registry (1)
    T1082 System Information Discovery (1)
