modiloader | b12eacb58fdec15ef47381a179ad8436714dad9fb0ada9149cb0dd16a30335a7 | Triage

Sharing

General

Target

b12eacb58fdec15ef47381a179ad8436714dad9fb0ada9149cb0dd16a30335a7
Size

491KB
Sample

240919-md19dstbmg
MD5

da23e973ef10bb95acff5b0bbaddbc24
SHA1

6be9ea61083341a2e1a3b818ebd833ab2b57789a
SHA256

b12eacb58fdec15ef47381a179ad8436714dad9fb0ada9149cb0dd16a30335a7
SHA512

f6c58ea3dae2092a561a180ec7a6db9a52b60861caa1310527f7af5c07d1c393067f38130a37149258436d32ca55aa71b0d92a3b0be1112fa27bca289bc1dd8b
SSDEEP

12288:J0uOObshb0QuSuHz/2Gm5G4h+hW4ufPViQ2Is7:JN/Al0QLuT/rm5GGubuViZIs

Score

10^/10

modiloader remcos ember luck discovery persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

Ember Luck

C2

ogcmaw.duckdns.org:2404

emberluck.duckdns.org:2500

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-SKG82E
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  RFQ Engine & Piston overhaul,Doc.exe
- Size
  
  1.1MB
- MD5
  
  cb29d8a4b611a3b84ccf7c597d2a1c6e
- SHA1
  
  b0b066b3c6efe68a3a591e9d10f665b9d22cdf9f
- SHA256
  
  1ea1b7efa0e1f28a2c64bbe8db6629a1171041624c65f7a6293b8ea4563c4c4e
- SHA512
  
  8ae6434e0fc40e060ba3fa1b6968860043883679710d4a25b9925287c0a7c52cfce121b143d2fc10ce4bb9382d979da7f90900924d42008227a08395b3985173
- SSDEEP
  
  24576:jkcL46wGlmCQ4dviCbWBFREfuFlFnP06vtSRDZZdI39v5SPfWxtPtnwpZz2MXMGq:jQnrCxf2dsjrMSehaaVt
Score

10^/10

modiloader remcos ember luck discovery persistence rat trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- ModiLoader Second Stage
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

modiloaderremcosember luckdiscoverypersistencerattrojan

behavioral2

modiloaderdiscoverypersistencetrojan