modiloader | c42cbf2a4ad7612109535b71965bd6f8cea193e18d96ea1a830cd2d465fc9294 | Triage

Sharing

General

Target

Quotation 20242204.tar.gz
Size

1.0MB
Sample

240422-pxbtysbd62
MD5

ec3bfbe26172b4d80308567282932b51
SHA1

d79276c975760f5d1c68f0fcac2c4b0841bcc462
SHA256

c42cbf2a4ad7612109535b71965bd6f8cea193e18d96ea1a830cd2d465fc9294
SHA512

95e68244b0fbfc2fc63e8a034fba3e45e5112c2d0775f9074df9677d4948744d74b3929d02c4844f8bf3a5aaad40f361772c71dc2c625df7ae17b8f9a790c135
SSDEEP

24576:NByNDOXJb5FCaFqP8JhM5vz1zkGIOj2uiWwPVKTx2qAEpKOFj:NByNcpIIh6vKGSuiWYwTx5AmF

Score

10^/10

modiloader remcos remotehost persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

127.0.0.1:47212

officerem.duckdns.org:47212

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-I8N3XG
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Quotation 20242204.exe
- Size
  
  1.6MB
- MD5
  
  603c7916d424615645d6ee0fffa00011
- SHA1
  
  6f464f23eb81606067f93036dc5cdc61f7bb855b
- SHA256
  
  25adcfe6b38aead70b4b0020ecba72d0343b6f3d3bb406100593b7f1349e0300
- SHA512
  
  f400834902c5886b680fa8376fee88c77ec352b0a00221e98fbe268d71ac6feb0826fb5c53d71cb66cc457d6b3a64c3c881f059dd75bb9b097d51868ea07cf90
- SSDEEP
  
  24576:7MkT4gLKu9KKozJQd/HJNRO/BqM6wIJp4m+3bu8U2flxAv:QkTpT9K1mzyqM6wW4mEQ2W
Score

10^/10

modiloader remcos remotehost persistence rat trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- ModiLoader Second Stage
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

modiloaderremcosremotehostpersistencerattrojan

behavioral2

modiloaderremcosremotehostpersistencerattrojan