General
-
Target
0310757cb4b15b9cff55954b52b51b39fed7ebaa8cc783caca99dc991abdf224.cab
-
Size
1.3MB
-
Sample
240424-bdjtkadd48
-
MD5
d8c41e80b83e05afe5abb7935221010a
-
SHA1
6c5a506750919c9f03308836989a75e1fd995951
-
SHA256
0310757cb4b15b9cff55954b52b51b39fed7ebaa8cc783caca99dc991abdf224
-
SHA512
67957e4e6376c220d639acf3db3e5343ba24b23053e823993dc5dae3bb3317bf64fe6e3ecc7121c9527728871c16de67f53c0cd2696e13e8b0bb2ddf4e0ec036
-
SSDEEP
24576:hW2J16df++jcu6oIWXQkPrHjh3vDZX3pNYvUbbruac+Aj:hdd+jcwIWXQkHVvDZJNa6fNwj
Static task
static1
Behavioral task
behavioral1
Sample
Enquiry 230424.bat
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Enquiry 230424.bat
Resource
win10v2004-20240412-en
Malware Config
Extracted
remcos
RemoteHost
127.0.0.1:47212
officerem.duckdns.org:47212
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-I8N3XG
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
Target
Enquiry 230424.bat
-
Size
4.3MB
-
MD5
a9749727f9641b10363c264695ce4822
-
SHA1
1d3d5576790a9c72ddb03eaacac1bddd25d77477
-
SHA256
49cf050274b9a52bf56ac45d548d91c5a13c6d65c36bf363447ffa3f0143c078
-
SHA512
89ea33718530b8d3e9e4814d50c8e1d8047c2bb022c6ebc62b9479c34b6f34750a52a82b51f889d6f8fad5272bd92f2132899afee7bccdcd610a26ff7f067042
-
SSDEEP
49152:yEi0F7JFavH5JDy0oqMaKcCln2UE+EMKyGY6i6KyGY6i6KyGY6i6KyGY6i6KyGYO:I
Score 10/10
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
-
ModiLoader Second Stage
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application