modiloader | a5d2422238cd2d0a94e38de3a0361c1a81b9ff33991b75c5b0f650eb38a04c05

Analysis

max time kernel
147s
max time network
134s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23/04/2024, 01:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Quotation 20242204.exe
Size

1.6MB
MD5

603c7916d424615645d6ee0fffa00011
SHA1

6f464f23eb81606067f93036dc5cdc61f7bb855b
SHA256

25adcfe6b38aead70b4b0020ecba72d0343b6f3d3bb406100593b7f1349e0300
SHA512

f400834902c5886b680fa8376fee88c77ec352b0a00221e98fbe268d71ac6feb0826fb5c53d71cb66cc457d6b3a64c3c881f059dd75bb9b097d51868ea07cf90
SSDEEP

24576:7MkT4gLKu9KKozJQd/HJNRO/BqM6wIJp4m+3bu8U2flxAv:QkTpT9K1mzyqM6wW4mEQ2W

Score

10^/10

modiloader remcos remotehost persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

127.0.0.1:47212

officerem.duckdns.org:47212

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-I8N3XG
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 13 IoCs

resource	yara_rule
behavioral1/memory/2976-93-0x00000000162E0000-0x00000000172E0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2976-95-0x00000000162E0000-0x00000000172E0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2976-96-0x00000000162E0000-0x00000000172E0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2976-97-0x00000000162E0000-0x00000000172E0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2976-98-0x00000000162E0000-0x00000000172E0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2976-99-0x00000000162E0000-0x00000000172E0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2976-100-0x00000000162E0000-0x00000000172E0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2976-101-0x00000000162E0000-0x00000000172E0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2976-105-0x00000000162E0000-0x00000000172E0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2976-106-0x00000000162E0000-0x00000000172E0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2976-116-0x00000000162E0000-0x00000000172E0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2976-127-0x00000000162E0000-0x00000000172E0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2976-128-0x00000000162E0000-0x00000000172E0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2976-2-0x0000000003530000-0x0000000004530000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
2428	easinvoker.exe
2180	easinvoker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rwksdoeb = "C:\\Users\\Public\\Rwksdoeb.url"	Quotation 20242204.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	Quotation 20242204.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	Quotation 20242204.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2976	Quotation 20242204.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2464	2976	Quotation 20242204.exe	28
PID 2976 wrote to memory of 2464	2976	Quotation 20242204.exe	28
PID 2976 wrote to memory of 2464	2976	Quotation 20242204.exe	28
PID 2976 wrote to memory of 2464	2976	Quotation 20242204.exe	28
PID 2464 wrote to memory of 2532	2464	cmd.exe	30
PID 2464 wrote to memory of 2532	2464	cmd.exe	30
PID 2464 wrote to memory of 2532	2464	cmd.exe	30
PID 2464 wrote to memory of 2532	2464	cmd.exe	30
PID 2464 wrote to memory of 2576	2464	cmd.exe	31
PID 2464 wrote to memory of 2576	2464	cmd.exe	31
PID 2464 wrote to memory of 2576	2464	cmd.exe	31
PID 2464 wrote to memory of 2576	2464	cmd.exe	31
PID 2464 wrote to memory of 2948	2464	cmd.exe	32
PID 2464 wrote to memory of 2948	2464	cmd.exe	32
PID 2464 wrote to memory of 2948	2464	cmd.exe	32
PID 2464 wrote to memory of 2948	2464	cmd.exe	32
PID 2464 wrote to memory of 2968	2464	cmd.exe	33
PID 2464 wrote to memory of 2968	2464	cmd.exe	33
PID 2464 wrote to memory of 2968	2464	cmd.exe	33
PID 2464 wrote to memory of 2968	2464	cmd.exe	33
PID 2464 wrote to memory of 2004	2464	cmd.exe	34
PID 2464 wrote to memory of 2004	2464	cmd.exe	34
PID 2464 wrote to memory of 2004	2464	cmd.exe	34
PID 2464 wrote to memory of 2004	2464	cmd.exe	34
PID 2464 wrote to memory of 1996	2464	cmd.exe	35
PID 2464 wrote to memory of 1996	2464	cmd.exe	35
PID 2464 wrote to memory of 1996	2464	cmd.exe	35
PID 2464 wrote to memory of 1996	2464	cmd.exe	35
PID 2976 wrote to memory of 1932	2976	Quotation 20242204.exe	38
PID 2976 wrote to memory of 1932	2976	Quotation 20242204.exe	38
PID 2976 wrote to memory of 1932	2976	Quotation 20242204.exe	38
PID 2976 wrote to memory of 1932	2976	Quotation 20242204.exe	38

C:\Users\Admin\AppData\Local\Temp\Quotation 20242204.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation 20242204.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Public\Libraries\RwksdoebO.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y
    3⤵
    - Enumerates system info in registry
    PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy "Aaa.bat" "C:\Windows \System32\" /K /D /H /Y
    3⤵
    - Enumerates system info in registry
    PID:2968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y
    3⤵
    - Enumerates system info in registry
    PID:1996
- - C:\Windows \System32\easinvoker.exe
    "C:\Windows \System32\easinvoker.exe"
    3⤵
    - Executes dropped EXE
    PID:2428
- - C:\Windows \System32\easinvoker.exe
    "C:\Windows \System32\easinvoker.exe"
    3⤵
    - Executes dropped EXE
    PID:2180
- C:\Windows\SysWOW64\extrac32.exe
  C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\Quotation 20242204.exe C:\\Users\\Public\\Libraries\\Rwksdoeb.PIF
  2⤵
  PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
6445a787f8a60f64401a47ba23c610d3

SHA1
88066d762bccc398dc008262aa66b11b9183a27b

SHA256
2fc5b6baa7a08dcc0663ef45b2d50f1d59a2041f0f50f86e23c79475066bd212

SHA512
09b1eac598406ead705203a66389ba8c7fb12562f27a2e6a7484156f789e7ec5ff4a309bcf0395f865618c74475fd63cdf3bcd9c66c1489ea1e6d650c038384f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3CF8.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Public\Libraries\RwksdoebO.bat

Filesize
29KB

MD5
828ffbf60677999579dafe4bf3919c63

SHA1
a0d159a1b9a49e9eaccc53fe0c3266c0526a1bdc

SHA256
abac4a967800f5da708572ec42441ec373cd52459a83a8a382d6b8579482789d

SHA512
bf00909e24c5a6fb2346e8457a9adacd5f1b35988d90abbde9ff26896bbb59edafea60d9db4d10182a7b5e129bb69585d3e20bc5c63af3517b3a7ef1e45ffb7e

Download Submit
C:\Users\Public\Libraries\aaa.bat

Filesize
3KB

MD5
71e46efe9932b83b397b44052513fb49

SHA1
741af3b8c31095a0cc2c39c41e62279684913205

SHA256
11c20fabf677cd77e8a354b520f6ffca09cac37ce15c9932550e749e49efe08a

SHA512
76da3b441c0eaaaabdd4d21b0a3d4aa7fd49d73a5f0dab2cfb39f2e114efe4f4dabe2d46b01b66d810d6e0efa97676599ece5c213c1a69a5f2f4897a9b4ac8da

Download Submit
C:\Users\Public\Libraries\easinvoker.exe

Filesize
128KB

MD5
231ce1e1d7d98b44371ffff407d68b59

SHA1
25510d0f6353dbf0c9f72fc880de7585e34b28ff

SHA256
30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96

SHA512
520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

Download Submit
C:\Users\Public\Libraries\netutils.dll

Filesize
114KB

MD5
566b326055c3ed8e2028aa1e2c1054d0

SHA1
c25fa6d6369c083526cafcf45b5f554635afe218

SHA256
a692d4305b95e57e2cfc871d53a41a5bfc9e306cb1a86ca1159db4f469598714

SHA512
da4b0b45d47757b69f9abc1817d3cb3c85deb08658e55f07b016fba053efe541a5791b9b2b380c25b440bbae6916c5a2245261553ca3c5025d9d55c943f9823c

Download Submit
memory/2464-83-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/2976-95-0x00000000162E0000-0x00000000172E0000-memory.dmp

Filesize
16.0MB

Download
memory/2976-100-0x00000000162E0000-0x00000000172E0000-memory.dmp

Filesize
16.0MB

Download
memory/2976-2-0x0000000003530000-0x0000000004530000-memory.dmp

Filesize
16.0MB

Download
memory/2976-93-0x00000000162E0000-0x00000000172E0000-memory.dmp

Filesize
16.0MB

Download
memory/2976-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2976-96-0x00000000162E0000-0x00000000172E0000-memory.dmp

Filesize
16.0MB

Download
memory/2976-97-0x00000000162E0000-0x00000000172E0000-memory.dmp

Filesize
16.0MB

Download
memory/2976-98-0x00000000162E0000-0x00000000172E0000-memory.dmp

Filesize
16.0MB

Download
memory/2976-99-0x00000000162E0000-0x00000000172E0000-memory.dmp

Filesize
16.0MB

Download
memory/2976-4-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/2976-101-0x00000000162E0000-0x00000000172E0000-memory.dmp

Filesize
16.0MB

Download
memory/2976-105-0x00000000162E0000-0x00000000172E0000-memory.dmp

Filesize
16.0MB

Download
memory/2976-106-0x00000000162E0000-0x00000000172E0000-memory.dmp

Filesize
16.0MB

Download
memory/2976-1-0x0000000003530000-0x0000000004530000-memory.dmp

Filesize
16.0MB

Download
memory/2976-116-0x00000000162E0000-0x00000000172E0000-memory.dmp

Filesize
16.0MB

Download
memory/2976-127-0x00000000162E0000-0x00000000172E0000-memory.dmp

Filesize
16.0MB

Download
memory/2976-128-0x00000000162E0000-0x00000000172E0000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads