modiloader | 29debf2f71c08a96261b8fafff530307c26043af570fa5f3302da872e7f560b6

General

Target

6046803acf690fbb6e646be03c4a59201fe1a96b8791dd4bf8d2bc4c7eeb7d32.zip
Size

893KB
Sample

240905-teq85svdla
MD5

5d6be502f725e4cea0b8f23781a8f076
SHA1

10cb18c945183e8bda2e98e1db0d77d8d36147da
SHA256

29debf2f71c08a96261b8fafff530307c26043af570fa5f3302da872e7f560b6
SHA512

bb71c29b7f9e9933019b7f1ae622d307c6e6472b64237cded6ea901e97857ff8deb4ac42ac441269c21da20dd498c53febc48e23925f39d3f589121d09697a1f
SSDEEP

24576:2nAH2Yrsu3TC/1h7+/LEkyQ7CTBfFPbHmrvgppF2HQE:2nAJswTG1d+BCTBN8YpP2wE

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

103.161.133.245:9898

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-LN5NIY
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

modiloader

C2

https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download

Targets

- Target
  
  6046803acf690fbb6e646be03c4a59201fe1a96b8791dd4bf8d2bc4c7eeb7d32.exe
- Size
  
  971KB
- MD5
  
  212068494b9a5e0238568a842da660da
- SHA1
  
  880afab8133a3b62a4e1d87f94bcef846846f024
- SHA256
  
  6046803acf690fbb6e646be03c4a59201fe1a96b8791dd4bf8d2bc4c7eeb7d32
- SHA512
  
  afd63a289f8c1a5ac2b1ade03c6db1f5a6cc6efa8ddc8c33a7559c699d97df09a00cfff87d366065f39a13643efe0e37bf0049a021c4ec51e27b91f30d6dcaf1
- SSDEEP
  
  24576:dBrYKjLhvej6aV9b7w6tt6nWHdCgjuf+lBqA:dZLh+6ac6ttfH3KSq
Score

10^/10

modiloader remcos remotehost credential_access defense_evasion discovery execution persistence privilege_escalation rat spyware stealer trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Suspicious use of NtCreateUserProcessOtherParentProcess
- ModiLoader First Stage
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies RDP port number used by Windows
- Sets service image path in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
  defense_evasion
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Abuse Elevation Control Mechanism: Bypass User Account Control
  UAC Bypass Attempt via SilentCleanup Task.
  defense_evasion privilege_escalation
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1