modiloader | dbb04a5f4105ec04887ef88eac17c72c13560fef708db85ec359ea9385fde186 | Triage

Sharing

General

Target

22082024_1039_21082024_PO310.Tar
Size

1.3MB
Sample

240822-mp6m9avfnr
MD5

c8be8af8145e146d7bc4eaf8cee139ac
SHA1

4587ddcd6f8ce944c293e2f649cf1ab731695874
SHA256

dbb04a5f4105ec04887ef88eac17c72c13560fef708db85ec359ea9385fde186
SHA512

86fd4a964706642cbebb8e82f68f42e4c4b3f015df41fb413efa2531e618699b0955d78ea4deb9d3f379078c8d282dd077eeaf627cacac8cac28fab42545423c
SSDEEP

24576:0CvLY8TUR9GYwHv0/yRS7gGXCHecYt3R4Th3FbY626pg6tFpZ2:0Cv0vwc/hngec44FL26pg63z2

Score

10^/10

modiloader remcos throttle_8967 discovery persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

throttle_8967

C2

154.216.18.217:8967

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-4SV4HO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  PO310.cmd
- Size
  
  6.0MB
- MD5
  
  0a991692503b1ce00707984c32918e12
- SHA1
  
  df76107deaaee0782c2a4ccd326847e73fafd5e3
- SHA256
  
  801e63d98bd8bd5371e18cb9c55d7470909ba1c9ad33aedd89f2cc82f5700f64
- SHA512
  
  48aa535b03ebbcdd0bfc9265d5a4675dc472ba0fea0842ffe7a59f54e851f0385216e90578aa4f4f40767c9c9333d41dd5b3a27b875d0826adbf26d60521da5b
- SSDEEP
  
  49152:SKT0ymm9RodOObxwbu0a9dJxICIVp1JsPxPZ1m+:2
Score

10^/10

modiloader remcos throttle_8967 discovery persistence rat trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- ModiLoader Second Stage
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

modiloaderremcosthrottle_8967discoverypersistencerattrojan

behavioral2

modiloaderdiscoverypersistencetrojan